Applications of all sorts—whether you use them as part of your job or in other day-to-day activities—give users access to a service through authentication. Depending on the sensitivity of the information filtering through the app, different types of authentication methods are required, each corresponding to different risk levels.
In an era of ever-increasing data breaches, username and password credentials are no longer sufficient for authenticating access. Instead, organizations should stack multiple authentication factors together, while understanding that each factor has its own unique strengths and weaknesses.
Types of Authentication Factors
Each kind of authentication is called a factor. They’re used to verify a user’s identity and block access to anyone who isn’t who they claim they are. These factors are divided into three groups, ranging from those with the lowest assurance level to those with the greatest assurance level.
Knowledge factors: These are things the user knows, such as passwords or answers to security questions.
Possession factors: These are things the user has in their possession or can act on. This includes SMS codes sent to mobile devices, one-time passwords (OTPs) sent via email, and push notifications.
Biometric factors: These are things the user is. Biometrics include fingerprint scanning or facial authentication.
While these factors may feel like they’re secure enough on their own, there are security considerations that must be understood before deciding which to use to secure your organization’s resources and data.
Secure Authentication Across Factors
When implementing a tool for verifying user identity, it’s important to understand that some authentication factors are stronger than others—and the ones you think are the most secure may actually be easy to compromise. Security questions, for instance, are used in applications ranging from email to online government portals. A large study on account recovery at Google showed that answers to security questions are both easy for attackers to guess and difficult for users to remember.
Sending an SMS code is another factor that isn’t as secure as it appears. In fact, the National Institution of Standards and Technology no longer endorses SMS codes as an authentication tool because attackers can very easily intercept a message meant for someone else’s phone. Physical USB keys or mobile devices with an authenticator app can be lost or stolen, and once an attacker has access to a possession factor, the resource’s identity verification is compromised. Though they’re considered to be the strongest, even biometric factors like fingerprints and facial verification also have weaknesses. We’ve all seen the trick to lift fingerprints using a piece of tape, and other biometrics can also be replicated in order to trick applications to verify a user’s identity.
Adaptive Multi-Factor Authentication (MFA)
Part of deploying a secure authentication method means understanding the risks posed by each factor, and combining them effectively to mitigate those risks. An adaptive approach that evaluates varying circumstances like network, geography, IP zone, and others can help align potential authentication factors to the risk level.
For instance, if your organization’s internal database receives an authentication request from a user that is on your network and located within your organization’s city and zip code, a password and medium-to-high assurance authentication factor like a physical key or biometric factor is probably all you need to verify that user’s identity. However, if the request comes from an unknown network, or from a city that’s new for that user, you might consider adding a mobile push request to help prove their identity.
Even though they may sit at different points of the assurance scale, all authentication factors have weaknesses. Organizations looking to better secure their data—and that of their workforce and customers—need to implement an Adaptive MFA approach that assesses the risk of each unique login request, and selects authentication factors accordingly