Multifactor Authentication (MFA)
(OBJ 4.6)
Multi-factor Authentication (MFA)
- A security system requiring multiple methods of authentication from independent categories of credentials
- Enhances security by creating a layered defense against unauthorized access
- Combines at least two credentials drawn from different categories (the five categories are listed below); two credentials from the same category do not count as multifactor
Five Categories of Authentication for MFA
- Something You Know (Knowledge-Based Factor)
- Authentication based on information the user knows, like a password, PIN, or answers to secret questions
- Something You Have (Possession-Based Factor)
- Authentication based on physical possession of an item
- Smart card
- An ID card with an integrated circuit that can process data to authenticate a user.
- Can also be used for clock-in function or logging in to a system
- Hardware token (key fob)
- Physical device that generates a unique code, which is then used as the possession factor within a multifactor authentication system
- Generates a new, rapidly changing code every 30 to 60 seconds; the user reads the code off the device and enters it during the authentication process (the code is computed on the token itself, not sent to it)
- A USB-based hardware token holds a private key (with its certificate) that is used during the authentication process; the private key never leaves the token
- Only needs to be connected to the device you are authenticating to
- Software token on a device
- Does the same job as a hard token without needing specific hardware
- Also called "soft tokens"
- Application on smartphones, tablets, laptops, etc.
- When logging in, the software token produces a one-time passcode for user authentication
- Generally take two forms:
- Authentication app
- Apps like Google Authenticator or Microsoft Authenticator generate time-based one-time passcodes (TOTP)
- Same as a hard token
- SMS-based one-time-use token
- A one-time passcode is sent to the user's registered phone number (or email address); the user enters it to complete authentication
- Typically valid for only about 2-3 minutes
- Weakest form of possession factor: SMS can be redirected by SIM swapping or intercepted, so an authentication app or hardware token is preferred where possible
- Something You Are (Inherence-Based Factor)
- Authentication based on biometric characteristics unique to individuals
- Fingerprints
- Example: Apple's Touch ID
- Facial recognition
- Example: Apple's Face ID
- Apple states the probability of a random person unlocking another user's device with Face ID is about 1 in 1,000,000 (a false match, not a cryptographic collision)
- Voice recognition
- Iris scans
- Biometrics are increasingly used as an MFA factor
- Biometric matching is probabilistic (false accept and false reject rates), and a compromised biometric cannot be changed the way a password can
- Somewhere You Are (Location-Based Factor)
- Authentication based on the user's location, determined through IP address, GPS, or network connection
- Geographical location restrictions can be applied (for example, blocking logins from countries where the organization has no users)
- IP addresses and GPS data can be spoofed or hidden behind a VPN, so location is usually treated as a risk signal alongside stronger factors rather than as a factor on its own
- Something You Do (Behavior-Based Factor)
- Authentication based on recognizing unique patterns associated with user behavior
- Keystroke patterns
- Mouse movement
- Device interaction
- Holding a device
- Swiping
- Gait (the way you walk down a hallway)
- Rarely used as a primary factor but can provide an additional layer of security
Authentication Types
- Single Factor Authentication
- Uses one authentication factor to access a user account
- Example:
- Only using a username and password to log in
- Even when a security question is added, it is still single-factor authentication, since a password and a security question are both something you know
- Two Factor Authentication (2FA)
- Requires two different authentication factors to gain access
- Example:
- Using a password and then a soft token to log in
- Multi-factor Authentication (MFA)
- Uses two or more factors to authenticate a user
- MFA can involve 2, 3, 4, or 5 factors depending on the chosen configuration
- Generally, using more authentication types makes a system safer, but is less convenient for the end user
- Knowledge-based factors like passwords and PINs are the most common authentication methods
- Often pose challenges for users and administrators, since passwords are forgotten, reused across sites, and chosen to be easy to remember
- Password managers generate a different long, strong, and complex password for each website or application and store them in an encrypted vault
- Bitwarden
- Google Password Manager
- Passkeys (Passwordless Authentication)
- An alternative to traditional passwords for authentication
- Users can create and access online accounts without needing to input a password
- Involves creating a passkey secured by device authentication methods like fingerprint or facial recognition
- Browser or OS prompts users to create a passkey
- When logging in, users unlock their device using their chosen authentication, such as a facial scan or fingerprint
- Provides a more secure and user-friendly authentication method
- Passkeys use public key cryptography: the private key stays on the user's device and the site stores only the public key, so there is no shared secret that can be phished from the user or leaked in a breach of the site
- The passkey is bound to the site it was created for, so it cannot be used to log in to a look-alike phishing site