Multifactor Authentication (MFA)
Recent improvements in technology have raised the bar for IT managers to keep corporate systems secure. In fact, security administrators are known to deploy all of the critical sources to protect their systems from hackers. These security steps include installing anti-virus software, raising firewalls, running vulnerability test, and encrypting data.
Despite the awareness, IT managers often forget that MFA, multifactor authentication can often fulfill all their requirements without busting the budget. Implementing MFA is a simple but highly effective method to ward off potential threats to IT security. This brief guide offers explanation and usage of MFA in today's dynamic security environment.
What is Multifactor authentication?
Multifactor authentication ensures that a user is who they say they are. The more factors are used to determine the identity of a person, the greater the reliability of the authenticity.
MFA can be achieved using a combination of the following factors:
- Something you know - password or PIN
- Something you have - token or smart card (two-factor authentication)
- Something you are - biometrics like a fingerprint (three-factor authentication)
Since multifactor authentication requires multiple means of identification at the start of a session, it is widely recognized as the most secure method of authenticating access to data and applications.
Other common names include mfa app, multi step verification, mfa device, mfa authentication, mfa security.
Why Multifactor Authentication is Critical to Modern IT Infrastructure?
In April 2016, significant changes in version 3.2 of the PCI DSS standard were implemented which proposed the expansion of requirement 8.3 to include the use of multi-factor authentication for any non-console connection.
The concept of "multifactor authentication" replaces the concept of "two-factor authentication " used in previous versions of the standard. However, there are still many questions related to this topic and the concept has not been entirely clear despite the great benefits it brings to the organization. Considering the positive impact of its successful implementation, it is widely believed that MFA could have minimized the impact on the theft of cards in well-known hacking attacks around the globe.
The Difference between MFA and Two-Factor Authentication
In simple terms, two-factor authentication is a process where two security steps are involved in the verification process. In contrast, multifactor authentication involves at least two steps or more to be credible. For instance, MFA can either use two, three or four steps to complete the verification procedure.
As suggested in the previous section, MFA can be achieved using a combination of more than one factor. These factors can include password protection, token integration, and biometrics.
If only one of the factors is used, a potential attacker who has access to that information could access a system by pretending to be a legitimate user. Therefore, multi-user authentication also reinforces security in the authentication process by implementing the concept of "non-repudiation ". Non-repudiation is a verification concept where the authenticated user cannot deny that they have not been the one who has executed that action. The use of non-repudiation is made by the combination of two or more of security features, as suggested above.
The term multifactor authentication (MFA) came to replace all occurrences of the concept of two-factor authentication (2FA) in requirements 8.3, 8.3.1, 8.3.2 and 8.5.1. Despite the name change, the concept remains the same: the use of two or more factors in the authentication process.
The main argument of the name change of the concept is found in the extension of the concept so as not to limit it only to "two factors" but to "two or more factors", considering that currently, the use of two factors may contain security weaknesses if it's not implemented correctly.
Two Step Authentication 2SA and Multifactor Authentication MFA
Sometimes, two-step authentication is used synonymously with multifactor authentication. However, 2SA, "two-step authentication, is only used as a variant of MFA, if it complies with PCI SSC standards.
The concept of two-step authentication allows the presentation of a second authentication screen only if the first has been successful. Some examples of this model have been implemented by tech companies such as Facebook, Google and Microsoft Azure in response to the massive theft of authentication credentials in recent months.
For a 2SA implementation to be aligned with PCI DSS, the following premises must be met:
- For authentication, a combination of at least two of the three authentication factors must be used.
- The authentication factors used must be independent of each other. This implies that access to the second authentication factor should not depend on the first authentication feature.
When is it Mandatory to use Multifactor Authentication?
It will not be an overstatement to suggest that multifactor authentication has become indispensable in certain situations. If your company wants to comply with the latest PCI DSS codes, it will need to implement MFA to adhere to "clause 8.3" of PCI DSS standards.
Before describing the different scenarios where companies will require MFA authentication, it seems pertinent to provide information about the three important terms used to describe such scenarios. These three terms are:
- Non-console access: Non-console access is described by logical access to a component of the system through a network interface instead of a direct physical line to the component. In this case, the user who connects is not physically present in front of the system console and cannot interact directly with the screen and the local keyboard. Examples of non-console access are RDP (Remote Desktop Protocol) services or web-based administration interfaces (GUI).
- Administrative Access: It is a privilege granted to a particular account, which allows the user to perform privileged actions in a system. System or application accounts that perform automated functions and user accounts with limited access to system resources are excluded from this definition.
- Remote Access: The term defines access to a computer or computer network from outside the network. These accesses can be generated from within the company network such as from another VLAN or from a remote location outside the company network, such as VPN.
Types of Multifactor Authentication Scenarios
Based on these definitions, the implementation of MFA is required under these scenarios:
- Requirement 8.3.1: MFA is required to access any account with administrative privileges originating from trusted networks. Trusted networks are internal networks that allow access to the CDE, Cardholder Data Environment. This requirement is a best practice and becomes mandatory as of January 31, 2018.
- Requirement 8.3.2: MFA is required to remotely access CDE or any network that allows access to the CDE of users, administrators, and third parties. The networks described here are providers offering support or maintenance services from outside the entity's network. These outside networks can be an Internet or any un-trusted network including third-party networks.
- Requirement 8.5.1: In the case of service providers, if you have access to client networks, you must use an exclusive authentication credential for each client. Example of such access includes support of POS systems.
Phishing Tactics and Examples of MFA
Despite the complexity of computer models, it is interesting to note that hackers often deploy simple methods to penetrate computers and systems of multinational corporations. In fact, many large companies were hostage to hackers because hackers could so easily access a personal computer of an employee who used the computer to access a wider network.
Phishing attacks have become very effective and widespread in recent years. It does not require high technical knowledge of systems, networks or programming to carry out this kind of attack. The attacker only has to make sure to design an e-mail and website that resembles as much as possible to the identity that he wants to impersonate: banks, public bodies, email providers, and social networks.
This false website usually includes a login form, in which the victim is expected to fill in the field with his or her actual credentials. These credentials, "user and password" of the victim, are immediately sent to the attacker, or stored in a database along with the credentials of other victims, without the knowledge of victims.
Since every internet service such as social network accounts and online stores is linked to our email, accessing email account makes it easier for the hacker to hack social networks and bank information. To prevent such occurrences, multi-factor authentication can also be implemented in modern personal computers.
Examples of Multifactor Authentication
Nowadays, various smartphone applications are increasingly using MFA authentication. Apple and Google add fingerprint sensors to their phones as an added authentication process. The recognition of the digital copy of a user's fingerprint through a built-in scanner is the first step before another password screen asks the user to validate the account. The security feature is followed by various other security protocols built into individual applications.
Modern smartphones and mobile devices are using MFA to access SMS text messages, emails, and cameras. CAPTCHA with image recognition and scannable QR code are also used widely before making a transaction.
The proliferation of Web services based on SaaS, Software as a Service, and the number of passwords used in a single day have expanded the appeal of MFA for SMEs. In addition, large companies such as Facebook, LinkedIn, Twitter, Gmail, and Apple have adapted MFA as an important tool to protect their own networks. Almost all of these services offer a method to ensure verification from at least 2-steps.
Looking from a broader perspective, when a user logs on a personal computer using fingerprints and passwords, and then taps into the added security features of Google, they may be using 4-step authentication.
Commercial Use of Multifactor Authentication
Multifactor authentication is not restricted to personal use; in fact, corporations are also using MFA to protect themselves from unauthorized access. When selecting a multi-factor authentication system, these organizations may use following MFA techniques, depending on their respective requirements:
- Protecting the internal network from unauthorized access: In this case, organizations implement two-factor authentication (2FA) solutions that allow access to the secure, flexible and comprehensive network, both inside the office and outdoors, wherever necessary.
- Connecting Users from remote locations: In this scenario, portable solutions ensure a secure VPN and web access for remote users allowing employees to protect their laptops and data while on the road.
- Accessing multiple applications protected by passwords: Under the circumstance, cybersecurity professionals consider solutions that provide unique authentication functionality to store user credentials in the token. They can also integrate the system with external unique authentication systems.
- Digitally signing and encrypting confidential data or transactions: Smart card solutions are a preferred choice for digital signing. Companies are using smart card-based solutions that can provide PKI key generation and secure built-in cryptographic operations.
- Protecting data installed on the PCs and laptops of users: In this case, token solutions are used for PC security products. These security solutions often include boot protection and disk encryption applications, which require the use of a token to start a computer or decrypt protected data.
- Implementing a secure physical access solution: To protect physical properties, multi-authentication token solutions are integrated with physical access systems.
Despite Google introducing its 2-step authentication system seven years earlier, its usage remains low. Despite the ease of implementation, research indicates that only 10 percent of Google accounts use 2-step verification process.
As phishing attacks are targeted towards SaaS providers and these attackers mostly use email accounts, it is imperative that companies make use of MFA to protect their assets. Research also indicates that hackers have become more sophisticated and hacking attacks will continue to evolve in the future; therefore, you can prevent a costly mishap by implementing MFA in the workplace before it's too late.
Ready for the next step?
Provide your good customers with a sleek, speedy and secure login experience. Choose invisible device-based authentication or multifactor methods that adapt based on a perceived threat.
See More Resources