Multi-Factor Authentication – Why We Need It
The History of MFA
Believe it or not, the concept of authenticating with multiple factors didn’t start with computers. It started with electronic access security systems, and if you want to go low-tech, MFA started the first time a smith created a box with multiple keys or locks. 30+ years ago, though, hackers were so far ahead of the game that there weren’t even laws addressing what was right or wrong in the act of accessing data. Key and lock manuals were shared via BBS, and most electronic key locks had hard-coded master combinations.
But as data became more valuable, we started taking it more seriously, and passwords became a relatively common way of locking things. Combined with encryption, password-based authentication upped the ante. The gap between the knowledge of hackers and that of defenders narrowed, and the legal constraints on accessing data without clear permission closed like a vice. That gave rise to what is now the big race between computer criminals who want all your information, usually to sell it to the highest bidder, and the security professionals tasked with finding, defending against, and stopping them.
How MFA Works
Currently, the single easiest, fastest, and least expensive way to up your security game is to adopt MFA technology in your infrastructure. “MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.” This transition moves your organization away from what most criminals consider “low-hanging fruit” and thus eliminates a lot of attack methods that depend on organizations’ weakest trait: indifference. Additionally, moving to MFA forces your organization to pay more attention to its security posture in general, as most people mistake MFA for the “last step” in creating a secure workspace, when it should usually be the first. When we also consider the broader impact of adopting MFA, it teaches us a security habit that works at home as easily as it does in the workplace.
MFA gives us a myriad of ways to add second, third, fourth, and even fifth factors to the authentication and qualification of access and communication. Who, what, where, when, and how: that is inherence, possession, locality, chronology, and knowledge. In the security talks you will inevitably find when searching on this subject, you will hear the catchier version as:
Something you have
Something you are
Something you know
…and, to a lesser degree, when and where you are.
All of these factors give us a myriad of ways to deter would-be computer criminals, and while they aren’t the final word in securing data, they do tend to be the most effective deterrents in protecting data without dipping really far into the budget.
Something You Have would be a physical key, a USB key, an RF card, or some other device or object that uniquely identifies you and qualifies as one factor of access. YubiKeys are a popular example, as they provide multiple factor services in addition to being a physical key. RF cards are usually ID badges or credit-card-sized objects containing small radio transmitters that can be read by a nearby device.
Something You Are factors in biometrics unique to you, similarly providing a unique identifier for authentication. Biometrics has advanced quickly in the last decade. Ocular/retinal and fingerprint scanners now verify by reading and measuring your blood vessels. More research is under way to make these factors harder to defeat by combining voice and facial patterns with other biometrics as a viable factor.
Something You Know can be any phrase or combination of letters, numbers, and symbols that hopefully will not be guessed. Password best practices include using upper case, lower case, numbers, and symbols. Passwords should never be less than 12 characters (I recommend at least 16!) and should not include dictionary terms, dates, or proper names related to you.
Where You Are is a less-used factor that uses your location, either by IP/network location or by GPS coordinates, to restrict access. Geolocation works really well: “geofencing” allows authentication to be restricted to a certain area or network using Wi-Fi or GPS signals.
When You Are is a less-discussed factor, because it is often folded into a key-issuance system whereby a security system provides you with an additional password/key/PIN that changes based on the time. In other words, some of the other factor systems already integrate a chronological factor into their solution. Remember those old RSA key fobs with the number that changed every hour? Before those, the key was actually an ISA card that went into your computer! Nowadays, time-based factoring is integrated into most SMS and MFA apps by forcing the additional passkey to change every minute.
Why You Want MFA
If we accept the raw security benefits and look at risk, we find that, more and more often, the insurance and finance industries are making MFA a requirement for coverage and for compliance/governance with the businesses they partner with or service. “In 2019, the global Multi-Factor Authentication (MFA) market size was USD 9054.4 million and it is expected to reach USD 32110 million by the end of 2026, with a CAGR of 19.6% during 2021-2026.” At home, your personal profiles are often considered low-hanging fruit and easy targets, because very few people have adopted MFA on their regular online profiles. Additionally, in most security compliance environments MFA is not only suggested but required, as more and more insurers will not consider coverage unless the organization has taken adequate steps to secure its data.
It may seem complicated, but for your IT team or service provider, MFA should be on the roadmap to train for and implement organization-wide. There are many services and apps out there to help both individuals and businesses use MFA, both at work and at home.
At Sanapptx, implementing MFA in your infrastructure is considered an immediate necessity regardless of your present security status, and we can implement a functional and easy-to-adopt security stack that includes MFA for both organizations and individuals. Please contact us at firstname.lastname@example.org or 214-447-0244 for a free consultation with our security team.