What is MFA and why do I need it?

If you work with computers in any capacity, odds are good you have heard the acronym “MFA” frequently. Once relegated to high-security enterprises, MFA is becoming more common in the consumer space, but what is it?

MFA is an acronym for Multi-Factor Authentication, a security methodology that requires a user to present two or more distinct proofs to verify their identity. MFA improves security because an attacker must defeat multiple independent authentication checks before gaining entry.

Types of Authentication 

To be considered MFA enabled, a security system must require at least two of the following: 

  • Something you know 

  • Something you have  

  • Something you are 

Something you know is the most traditional of the three and includes any information a user types into a system. This method covers passwords, PINs, and answers to secret questions (such as those required when a password is forgotten).

Something you have requires the user to prove that a specific object is in their possession. The object might be an employee access card, a one-time password token, or a smartphone. If an individual receives a one-time password on their phone, that person is participating in a multi-factor authentication process: the one-time password is being used to verify that the user has the correct smartphone in their possession.

Something you are is usually a type of biometric. It involves verification of an individual’s personal traits such as retina scans, fingerprint scans, or voice recognition. It might also refer to geolocation data, though most consider this a fourth factor. 

These authentication mechanisms must be independent. If one mechanism grants access to another, the security system is only as secure as the weakest security measure. Dependent mechanisms reduce MFA to the functionality of single-factor authentication because only one factor matters for the purpose of gaining access to the associated account. 

A Classic Example 

A classic example of MFA enablement can be seen in ATMs. The ATM card is something you have. Your PIN is something you know. If the card is stolen, the thief still can’t access your funds without knowing your PIN. Conversely, if the thief has discovered your PIN, they still need your card to access your account from a machine. The difficulty of acquiring both the PIN and the card is great enough to deter most potential thieves, making ATMs a prime example of MFA enablement.

The two factors are independent because one cannot be used to access the other. Ownership of the card does not bestow knowledge of or authority over the PIN, nor does the PIN enable access to the card. If the PIN were stored on the card in any way, even on the magnetic stripe, thieves would be able to use the card to recover the PIN. Fortunately, banks are prepared for these tactics and don’t store the PIN on ATM cards.

Using the card at a teller additionally requires a user to present their photo ID. This adds a third factor: something you are. The teller takes your photo ID and compares it to your appearance, effectively verifying your biometrics. Fingerprint and retina scanners are a high-tech extension of this basic method of authentication.

Security Automation Saves Time 

In the absence of an automatic security assessment, the best mechanism for ensuring MFA enablement is to manually check all relevant accounts. Manually verifying MFA enablement is a time-consuming and labor-intensive process, but well worth the cost when no automation is available. Voleer can identify accounts lacking MFA enablement on behalf of an enterprise in minutes with an automatic security assessment, greatly improving efficiency. Either way, MFA is a vital cornerstone of modern IT security, and all organizations can benefit from requiring multiple authentication checks for important accounts.

Shawn Dumont