Multi-factor authentication (MFA) is a system designed to safeguard your access to services by asking you for more than one piece of evidence. The most common form of MFA is two-factor authentication (2FA).
In this digital age, passwords are ubiquitous. We use them to access our mail, our social media accounts, and our personal banking platforms.
When the internet was new and online services were few, a single easy-to-remember password was enough. As internet usage exploded, reusing one password across many services became not only cumbersome but also dangerous, given how much sensitive personal information we share online and how many of us use financial services. As a result, we started using stronger passwords, and preferably a different password for each service. Yet no matter how strong a password is, a single database leak is all it takes for the account to be compromised.
Now, if passwords are susceptible to database leaks, what can we do to keep ourselves safe? Fortunately, security experts have a solution for this: multi-factor authentication.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a system designed to safeguard your access to services by asking you for more than one piece of identification or verification, also referred to as evidence. The password you use is one of these pieces of evidence that ‘authenticates’ you. However, as we just discussed, a password is something that can be compromised in the course of a cyberattack. Multi-factor authentication asks you to submit two or more pieces of evidence to confirm your identity. Basically, it is a process of two or more steps in which you verify your identity to the (usually remote) machine by furnishing additional evidence, besides a password, for validation.
Two-Factor Authentication (2FA)
The most common form of MFA is two-factor authentication (2FA), in which an additional piece of evidence, or ‘factor’, is required for access. This evidence is generally categorized into three types: the knowledge factor, the possession factor, and the biometric factor. Let’s look at these factors one at a time.
1. Knowledge factor
The knowledge factor is something that only the user knows; ideally, something that he/she alone knows. The traditional one-step manner of authentication is to type your name, username, or email ID and then type in the password. It goes without saying that only you should know this password, and it should never be shared with anyone. So, a ‘password’ is the most common form of a knowledge factor.
PIN and security questions
If not a password, then it could be a numeric PIN (personal identification number), which consists only of digits (no letters or special characters). Some services maintain a backup layer of an additional knowledge factor on top of a password/PIN, in the form of a security question. For example, the platform may ask for your mother’s maiden name, your favorite color, or your date of birth.
2. Possession factor
This is another factor that 2FA systems generally rely on as an additional measure to confirm your identity. The possession factor is a piece of evidence that only the user possesses. It can take the form of either a hardware token or a software token.
Hardware token (physical authenticator)
A hardware token is a physical object (authenticator) supplied by the provider of the service you need to access; it is dedicated hardware. Hardware tokens come in two types: connected tokens and disconnected tokens. A connected token is a piece of hardware you must plug into a computer or mobile phone to verify your identity, such as a USB stick or a memory card.
A disconnected hardware token is a standalone authenticator. It generally comes with a built-in display that keeps generating verification codes for easy authentication. The best thing about disconnected hardware authenticators is that they don’t require an active internet connection to work. Furthermore, they eliminate the need for connecting them to a computer or mobile device for operation.
Software token (OTP)
A software token is a method of authentication wherein the service provider delivers a verification code using a software- or network-based service, most commonly by sending it via SMS. The software token is the most widely used second step in 2FA: a time-based one-time password (TOTP, or simply OTP) is sent to the user’s mobile device and must be keyed in within a stipulated time, after the user has entered his password, to gain access. Besides SMS, some service providers send the verification code via email, an app, or a trusted internet-connected device for the second step of 2FA.
Most of the two-factor authentication or two-step verification that you use to access an account on the internet starts with a knowledge factor (in the form of a password). Once the knowledge factor is confirmed, the user is prompted to enter a unique code sent via SMS/email/app. Only if both pieces of information provided by the user are correct can he/she gain access. Besides these two factors, a new type of factor is also beginning to be used in multi-factor authentication systems: the biometric factor.
3. Biometric factor
This is the most recently developed factor for authentication. It authenticates you based on what you are, i.e., something you inherently have. Unlike a hardware authenticator, you as a user do not need to possess anything extra to confirm your identity. Instead, the machine (using special sensors) verifies whether you are truly the person who matches the login credentials. This could be implemented through fingerprint recognition, face recognition, or voice recognition. Some tech companies are even working on authentication based on keystroke typing patterns or a person’s gait (walking style)! Out of all these variations, the fingerprint is the most popular and reliable form of biometric authentication.
Problems with biometric authentication
On the face of it, biometric authentication is super cool and eliminates the need to wait for OTPs or possess special hardware, but it has its own set of problems.
Firstly, implementing a biometric form of authentication requires specialized hardware (read: sensors), and these sensors are specific to the type of biometric being checked. What this means is that the service provider needs to incorporate separate sensors, such as a fingerprint reader, audio recorder, or iris scanner, to authenticate users. These added functions mean additional costs from the service provider’s perspective.
There are also objections from some users, many of whom are not comfortable sharing their biometric information with companies. This fear is valid to some extent, as biometrics are increasingly used in surveillance and often trespass on a personal space that many people regard as non-negotiable. Furthermore, unlike your PIN or password, you can’t simply change your biometric imprint if your biometric data is compromised.
How secure is 2FA?
Although multi-factor authentication or two-factor authentication is undeniably more secure than password-only authentication, these systems aren’t invincible.
To break into a system secured by 2FA, an attacker would need either to acquire the hardware token required for login or to intercept the verification code as it is transmitted over an unsecured network. This could be done through a phishing attack or by cloning the hardware token. However, there is another route, one that does not require much expertise: an attack via account recovery or account reset.
By leveraging the account recovery option, a hacker can bypass 2FA security if he has access to a user’s email password.
When anyone requests account recovery, the service provider of that account is likely to email the user a temporary password. Assuming the hacker somehow knows your email password, he would then receive this temporary password and gain unauthorized access to your other accounts. He does not need to type in an OTP or other security code if account recovery disables 2FA. This is an inherent weakness of many account recovery options out there on the internet.
Some experts reckon that to circumvent this problem, an additional biometric factor would be useful, because it’s nearly impossible for an impostor to impersonate your fingerprints or your iris. However, as we discussed earlier, many users are not comfortable sharing their biometrics.
Adoption and future of 2FA
With cyberattacks becoming more and more common and hackers leveraging techniques like brute-force attacks, single-step authentication in the form of a password alone leaves online accounts vulnerable. That’s why all the big tech companies, like Google, Amazon, Apple, Facebook, Uber, Microsoft, Dropbox, PayPal, etc., provide 2FA to secure your account.
IT (information technology) security and related breaches are like a game of cops and robbers, with the thief always in search of new ways to break into the system. In the future, hackers will almost certainly find new ways to target 2FA-implemented systems, but it will still be much more difficult for cybercriminals to break through two layers of security!