Strong authentication is the gateway to confirming a user’s identity: it is the foundation for securing information and ensuring that only the right people gain access to it. The username and password combination has been the standard authentication mechanism ever since applications first needed some form of identity verification.
However, if we look at the systems we have in place today — systems that run every part of our lives and contain confidential, personally identifiable information — it becomes clear that passwords alone are not enough to protect us. After all, the only security measure standing in the way of total compromise is a string of input characters. Today’s security threats require much more robust protection measures.
Multiple Factors = Strong Authentication
Multi-factor authentication (MFA) adds an additional layer to the authentication process to enhance the security of applications and services. Taking something you know (a password) and adding something you have (a smartphone) or something you are (biometrics) strengthens security by providing a multi-layer authentication gateway.
MFA provides a variety of factors to choose from, ranging from asking a security question to capturing and confirming biometric data. However, not all factors are created equal — different factors have varying degrees of assurance and practical usability. Let’s look at six common ones.
Security Questions
Security questions have traditionally been used for password resets, but there is nothing stopping you from adding a security question as an additional authentication factor. They’re easy for end users to remember and simple to set up, but they rank very low on the assurance scale.
The answers to security questions can be compromised by simply guessing the answer or doing some research on the target.
One-Time Passwords (OTPs)
Traditional One-Time Passwords delivered over an SMS, voice or email service are popular for implementing MFA. OTPs give higher assurance than security questions because they draw on a second authentication category: possession of a device (something the user has) in addition to a password (something the user knows). Verification codes or OTPs sent via SMS are also convenient, but there are risks to using traditional OTPs, as codes sent this way have been intercepted and compromised.
App Generated Codes
An app-generated code is in essence a software-based OTP: it is computed with the Time-based One-Time Password algorithm (TOTP) and displayed by a third-party authenticator app.
App-generated OTPs are built with security in mind, which raises their assurance above traditional OTPs, whose delivery channels such as SMS were designed for a much wider range of non-security uses. The drawback of this MFA factor is that the end user needs a smartphone to authenticate. Smartphone penetration is therefore a key consideration in deciding whether this is a viable MFA option.
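To make the TOTP mechanism concrete, the following is an added example (not code from the original post or from Okta) of both sides of an app-generated OTP: the HOTP/TOTP computation the authenticator app performs (RFC 4226 and RFC 6238) and the server-side verification, which tolerates a small clock drift window, compares in constant time, and records the last accepted counter so a code cannot be accepted twice inside that window. The shared secret in `main` is the well-known RFC test-vector secret, used here only as a constructed sample; the 30-second step and 6-digit length are the usual authenticator-app defaults, assumed here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// hotp computes an RFC 4226 HOTP value: HMAC-SHA1 over the big-endian
// counter, dynamic truncation, then reduction to the requested digit count.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp (RFC 6238) is HOTP with the counter derived from the Unix time divided
// by the time step (30 seconds in most authenticator apps).
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP is the server-side check. It tolerates clock drift by accepting
// codes from +/- window steps, compares in constant time, and refuses any
// counter at or below lastUsed so a code cannot be replayed inside the window.
// It returns the matched counter so the caller can persist it as the new lastUsed.
func verifyTOTP(secret []byte, code string, unixTime, step int64, digits int, window, lastUsed int64) (bool, int64) {
	matched := int64(-1)
	for delta := -window; delta <= window; delta++ {
		counter := (unixTime + delta*step) / step
		if counter <= lastUsed {
			continue // already consumed: replay protection
		}
		expected := hotp(secret, uint64(counter), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 && matched < 0 {
			matched = counter
		}
	}
	return matched >= 0, matched
}

func main() {
	// Constructed shared secret (the RFC 4226/6238 test-vector secret), not a real credential.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6)
	ok, counter := verifyTOTP(secret, code, now, 30, 6, 1, 0)
	fmt.Printf("code=%s accepted=%v counter=%d\n", code, ok, counter)
}
```

The point of returning the matched counter is that TOTP alone is not single-use: within one 30-second step (or the drift window around it) the same code is valid for every attempt, so the service must store the counter it last accepted per user and reject anything at or below it.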
Specialized Authentication Apps
A specialized authentication app is the next evolution of the software-based OTP MFA solution. Instead of providing the user with an OTP, this MFA factor requests the user to verify their identity by interacting with the app on their smartphone, such as Okta’s Verify by Push app. The authentication token is then sent to the service directly, strengthening security by eliminating the need for a user-entered OTP.
Physical Authentication Keys
Physical MFA devices like Universal 2nd Factor (U2F) tokens take authentication assurance to the next level. The authentication process is secured by asymmetric (public-key) cryptography in which the private key never leaves the device. This ensures the second-factor authentication token can never be compromised. Examples include USB tokens that are plugged in when prompted, or smart cards that users swipe. U2F is a standard maintained by the FIDO Alliance and is supported by Chrome, Firefox, and Opera.
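As an added illustration of the challenge-response behind U2F (example code written for this page, not Okta's or the FIDO Alliance's implementation), the block below models the token and the relying party as two Go types. The token holds a P-256 key pair and only ever exports the public half; at login the relying party issues a random challenge and the token signs SHA-256(app ID) || user-presence byte || counter || SHA-256(challenge), which is the U2F authentication message layout. The relying party then verifies against the stored public key and insists that the signature counter increased. The app ID `https://example.com` is an assumed placeholder and the raw ECDSA (r, s) values stand in for the DER-encoded signature a real token returns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Authenticator stands in for the hardware token. The private key is a
// private field that nothing outside the type ever reads: it only signs.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Registration is what the relying party keeps per user: the public key and
// the highest signature counter seen so far.
type Registration struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// NewAuthenticator generates the key pair inside the token (P-256, as U2F uses).
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register exports only the public half to the relying party.
func (a *Authenticator) Register() *Registration {
	return &Registration{pub: &a.priv.PublicKey}
}

// signedData builds the U2F authentication message: SHA-256(appID) ||
// user-presence byte || counter || SHA-256(challenge). Binding the app ID into
// the signed data means a signature made for one origin fails verification at any other.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	ch := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	data := append([]byte{}, app[:]...)
	data = append(data, 0x01) // user presence confirmed (button touch)
	data = append(data, ctr[:]...)
	data = append(data, ch[:]...)
	return data
}

// Sign is the token's response: increment the counter and sign; the key never leaves.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, *big.Int, *big.Int, error) {
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, challenge))
	r, s, err := ecdsa.Sign(rand.Reader, a.priv, digest[:])
	return a.counter, r, s, err
}

// Verify is the relying party's check: the signature must cover our own app ID
// and the challenge we issued, and the counter must move forward; otherwise the
// response was replayed or came from a duplicate of the key material.
func (reg *Registration) Verify(appID string, challenge []byte, counter uint32, r, s *big.Int) error {
	digest := sha256.Sum256(signedData(appID, counter, challenge))
	if !ecdsa.Verify(reg.pub, digest[:], r, s) {
		return errors.New("signature does not verify for this app ID and challenge")
	}
	if counter <= reg.counter {
		return errors.New("signature counter did not increase: replay or duplicated key")
	}
	reg.counter = counter
	return nil
}

// newChallenge draws the per-login random challenge that makes each response unique.
func newChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

func main() {
	token, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	reg := token.Register()
	ch, _ := newChallenge()
	counter, r, s, _ := token.Sign("https://example.com", ch) // assumed app ID
	fmt.Println("first login:", reg.Verify("https://example.com", ch, counter, r, s))
	fmt.Println("same response again:", reg.Verify("https://example.com", ch, counter, r, s))
}
```

Two properties of the factor follow directly from the code: nothing the relying party stores (the public key and a counter) is enough to produce a valid response, which is why a breach of the server does not compromise the second factor, and a response signed for any other app ID is rejected because the origin is part of what was signed.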
Biometrics
Biometric MFA creates strong authentication as it is reinforced by something you are over and above something you know and something you have. The major benefit — of course — is that this factor is the most difficult to hack. However, no MFA factor is perfect and biometrics do come with their set of challenges and privacy concerns. Like passwords, biometric data needs to be stored in some form of database, which could be compromised. And unlike a password, you cannot change your fingerprint, iris or retina once this happens. Furthermore, implementing this MFA factor requires investment in specialized biometric hardware devices.
Taking Strong Authentication One Step Further
MFA creates strong authentication, but adding context strengthens it even further. Adaptive MFA adapts to contextual risk by assessing user information such as geolocation, device, and time of day, alongside the specific access requested. With this information, an adaptive MFA solution can adjust the requirement for an additional factor of authentication (step-up authentication). The result is a solution that is both secure and usable — capitalizing on the right factor at the right time.
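The following is an added example, written for this page rather than taken from Okta or any adaptive MFA product, of how the contextual signals listed above can drive a step-up decision. Each anomalous signal (unrecognised device, unusual country, off-hours access) adds to a risk score, the sensitivity of the requested resource adds more, and the score lands in one of three bands: allow on the password alone, require an additional factor, or deny and route to review. The weights, thresholds, the 1-3 sensitivity scale and the sample baseline for the user `alice` are all assumptions chosen for illustration.

```go
package main

import "fmt"

// AccessContext is the contextual signal an adaptive policy evaluates for one login.
type AccessContext struct {
	User        string
	Country     string // from IP geolocation
	DeviceID    string // from a device cookie or client certificate
	LocalHour   int    // 0-23 in the user's time zone
	Resource    string
	Sensitivity int // 1 = routine, 2 = confidential, 3 = administrative (assumed scale)
}

// UserBaseline is what the service has learned about the user's normal behaviour.
type UserBaseline struct {
	KnownDevices   map[string]bool
	UsualCountries map[string]bool
}

type Decision int

const (
	Allow  Decision = iota // password alone is sufficient
	StepUp                 // require an additional factor
	Deny                   // too risky to prompt at all; route to review
)

func (d Decision) String() string {
	return [...]string{"allow", "step-up", "deny"}[d]
}

// riskScore adds a weight per anomalous signal. Weights are assumed for
// illustration; a real deployment tunes them from its own login data.
func riskScore(ctx AccessContext, base UserBaseline) int {
	score := 0
	if !base.KnownDevices[ctx.DeviceID] {
		score += 30
	}
	if !base.UsualCountries[ctx.Country] {
		score += 40
	}
	if ctx.LocalHour < 7 || ctx.LocalHour >= 21 {
		score += 10
	}
	score += 15 * ctx.Sensitivity
	return score
}

// decide maps the score to a policy outcome; step-up is the middle band, so a
// familiar device in a familiar place gets no extra prompt for routine access.
func decide(ctx AccessContext, base UserBaseline) Decision {
	s := riskScore(ctx, base)
	switch {
	case s >= 80:
		return Deny
	case s >= 40:
		return StepUp
	default:
		return Allow
	}
}

func main() {
	base := UserBaseline{ // constructed baseline for a sample user
		KnownDevices:   map[string]bool{"laptop-1": true},
		UsualCountries: map[string]bool{"NL": true},
	}
	cases := []AccessContext{
		{User: "alice", Country: "NL", DeviceID: "laptop-1", LocalHour: 10, Resource: "mail", Sensitivity: 1},
		{User: "alice", Country: "NL", DeviceID: "phone-9", LocalHour: 10, Resource: "mail", Sensitivity: 1},
		{User: "alice", Country: "NL", DeviceID: "laptop-1", LocalHour: 10, Resource: "admin-console", Sensitivity: 3},
		{User: "alice", Country: "BR", DeviceID: "phone-9", LocalHour: 2, Resource: "hr-records", Sensitivity: 2},
	}
	for _, c := range cases {
		fmt.Printf("%-14s device=%-8s country=%s hour=%02d score=%3d -> %s\n",
			c.Resource, c.DeviceID, c.Country, c.LocalHour, riskScore(c, base), decide(c, base))
	}
}
```

The usability gain the article describes comes from the first case: the same user, on a known device in their usual country during working hours, is not prompted for a second factor at all, while a new device or an administrative resource triggers step-up and a combination of anomalies is refused outright.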