When you access a protected resource, you authenticate against a data store with your credential information. It consists of a claimed identity and a secret associated with it. Traditionally that's been done with just a simple username and password, and is the most common authentication method today. Unfortunately, username/password authentication has been shown to be quite vulnerable to phishing and credential hacking. Since passwords can be hard to remember, people tend to pick a simple one and reuse it across their various online and cloud services. This means that when a credential is hacked on one service, malevolent outsiders test it across other personal and professional digital services.
Multi-factor authentication (MFA) is designed to protect against these and other kinds of threats by requiring the user to provide two or more methods of verification before they are able to gain access to a specific resource like an application, data storage, or private network.
The term “factor” describes the different authentication types or methods used to verify someone’s claimed identity. The different methods are:
As organizations work to enable their employees and engage securely with customers, multi-factor authentication plays a pivotal role. Learn about emerging forces in play and technical considerations when incorporating MFA in your business.Download PDF
Security and usability requirements dictate the process used to confirm the requester’s identity claim. Multi-factor authentication allows security teams to respond to the context or situation of the requestor (person or programmatic process), removing access being the most common scenario. Beyond determining how many types of authentication should be required, IT also needs to balance the cost of usability requirements with the cost of implementing them.
Single-Factor Authentication (SFA)
SFA has been and still is the default for securing access to mobile, online, and other secured information and facilities. Because it’s so ubiquitous and inexpensive, the most common type of SFA is username and password. Still, passwordless technologies are being adopted at an increasing rate to avoid threats posed by various phishing attacks. For example, the majority of mobile-based apps allow the use of fingerprint or facial recognition in place of the traditional username and password.
Today, online services offered by Microsoft and Yahoo offer a passwordless SFA option, and other vendors such as Apple and Google will deliver the same option this coming year.
Because they are used to verify identities, authentication tokens need to be protected against outsiders. In addition to strong token security, they are often configured to expire fairly frequently, increasing their refresh rate. While implementing short-lived tokens used underneath the passwordless interface raises security, it doesn’t meet the level offered by two-factor authentication.
Two-Factor Authentication (2FA)
2FA strengthens security by requiring the user to provide a second type (know, have, are) for identity verification. One proof of identity might be a physical token, such as an ID card, and the other is something memorized, like a challenge/response, security code, or password. A second factor significantly raises the bar for malfeasant and other outside actors to successfully breach through security.
Here is a common list of popular authentication methods:
Three-Factor Authentication (3FA)
Adds another factor to two-factor for further difficulty in falsifying one claimed identity. A typical scenario might be to add biometrics to an existing username/password plus a proximity card login. Because it adds a notable level of friction, it should be reserved for situations that require a high level of security. Banks may find situations where 3FA makes sense, as would various government agencies. Specific high control areas within a part of an airport or hospital are also areas where security teams have deemed 3FA as necessary.
Although many organizations view user verification as an afterthought, it’s important to note that Verizon’s annual DBIR consistently shows credential hacking as a top breach strategy. It’s simply a matter of time before virtually every organization suffers an event where they lose sensitive information that results in a tangible financial loss and potential loss of customer trust.
What makes these trends notable is that there has never been a time when multi-factor authentication is as convenient and affordable to implement as it is today. Traditionally, organizations have been limiting their MFA implementations to a small subset of specialized users who work with information that poses a higher level of risk to the business. Cost and usability have often been the limiting factors preventing wider deployments of strong authentication technology. Historically, strong authentication methods were expensive to purchase, deploy (including enrolling the users), and administer. But recently, there has been a sweeping set of changes across industries, within the organizations themselves, their customers (or patients, citizens, partners, etc.), and the technology that they have access to.
What are the main business drivers for implementing multi-factor authentication?
While each organization has their own concrete requirements, there are high level business drivers that are frequently common across them:
Which mandates require that organizations use MFA to be in compliance?
IT has access to a few technologies to reduce the friction that MFA can potentially impose on users:
Single Sign-On (SSO)
Single sign-on (SSO) allows a user to authenticate to multiple resources from just a single interaction from the user, meaning that the user enters a single credential from which the infrastructure beneath it authenticates to each of the protected resources on his behalf during that session. The most secure approach to SSO is for the authentication engine to use a unique set of credentials for each resource that is set up for SSO. This builds up security to a high level because:
Low friction authentication options
While the traditional OTPs/TOTPs will continue to be the most common type of 2nd-factor authentication, there may be other options that make more sense for a situation. Out-of-band push mobile apps offer a low friction option to OTP because all the user needs to do is hit the accept button. For higher-risk situations, some push apps have the option Push mobile apps may be configured to require a fingerprint to verify the person’s identity as well as a confirmation of information, such as a number, presented on the desktop to further verify that the user possesses both the desktop and smartphone.
Facial recognition is quickly becoming the biometric authentication of choice. The low friction nature of Windows Hello, noting that it gets better over time, offers a convenient user experience. The biggest challenge is that Windows Hello doesn’t work well with various lighting situations. This failure to recognize faces across lighting can be managed with additional facial registrations. More recently, some mobile apps offer the ability to register a person’s iris patterns in their eyes. Used together (facial, fingerprint, iris), biometric authentication options raise the security bar quite high for an outsider to defeat. Biometric methods are also an excellent option for organizations looking for a low-friction way to protect against phishing attacks.
Voice recognition has gained popularity in the financial services sector. Institutions like it because it’s entirely passive for customers as they speak with a service representative. The representative is notified when the customer’s identity has been verified. They use voice recognition in place of challenge questions with customers who frequently have difficulty remembering the correct responses to them. In this case, security and usability are optimized.
FIDO/FIDO2 are attractive options for where users roam across multiple devices. Part of what makes FIDO an attractive authentication option is its broad vendor support and their focus on usability. FIDO has gained notable traction in universities that deal with a large number of students who use a variety of digital services. FIDO allows the portability of passwordless authentication across different devices and platforms.
The profiling of smartphone gestures is a type of behavioral analytics that performs heuristics on how the owner handles and physically interacts with their device. The output are confidence ratings based on the tracking gesturing patterns. Over time, profiling increases in confidence the builds out gesture fidelity. While initially not strong enough to be the primary form of identity verification, gesture profiling could serve as a suitable method used in conjunction with other authentication types.
Security teams often implement the supporting software that came with the authentication the are adopting. This seems to work well until different devices are purchased that requires a different software implementation, creating yet another silo. In large organizations, it’s quite possible to have multiple silos of passwordless technologies used for either multi-factor authentication or to satisfy some other authentication requirement. The weakness of this situation is that each authentication silo has its own set of policies. Keeping these multiple policy stores up-to-date requires higher administrative overhead and introduces risk of having uneven policies.
The NetIQ Advanced Authentication (AA) framework is designed to serve even the largest organization’s multi-factor authentication needs. It’s standards-based approach provides an open architecture free from the risks of vender lock-in. The framework supports a variety of devices and additional methods out-of-the box but can also be expanded as new technologies are delivered to the market.
Regardless of the platform (web, mobile, client) AA also provides out of the box support for the most common platforms and applications. Beyond serving as the central policy engine corporate wide authentications, AA also offers a risk-based engine to control when MFA is invoked as well as control which authentication types are offered under different risk levels. Beyond its own built-in engine, AA integrates with NetIQ Access Manager that provide a robust set of single sign-on options and risk metrics that can be used as part of an adaptive access management use cases.