What is Multi-Factor Authentication? And, Why We ALL Need it!
Password hacking is still big business in cybercriminal circles. Microsoft’s Digital Defense Report 2022 found that 921 password-based attacks take place every second.
The same report states that 90% of accounts that suffer a hack aren’t protected by strong, additional authentication factors.
Figures like these prove that simple “username and password” logins aren’t enough to protect accounts anymore. Passwords can easily be stolen, phished for, guessed, or otherwise compromised. But what else can be done to verify a user’s identity? How can you make sure that you’re only granting access to authorised users?
Enter multi-factor authentication. Let’s dive in and learn what it is, why it’s important, and how you can use it to secure your organisation.
The Problem with Passwords
Though we’ve grown used to simple “username and password” logins, they are a very basic – and rather insecure – way of verifying a user’s identity. Email addresses are often used as usernames, and company email addresses can easily be found online through tools like LinkedIn; so if a hacker wanted access to your systems, there would only be one “authentication factor” standing in their way – the password.
Criminals can compromise a password surprisingly easily, especially if the password is weak or has been re-used. Social engineering attacks can fool unsuspecting users into sharing surprisingly sensitive information like passwords. Criminals can use automated “password spraying” to force entry into an account. They could even hack into a victim’s email account or cloud drive storage and steal any login credentials stored there in plain text.
Strong password policies are therefore essential, but passwords alone simply can’t do all of the protective heavy lifting anymore. Nowadays, all logins – especially particularly sensitive ones – need one or more extra layers of protection: they need multi-factor authentication.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) is a computer access control system where the user needs to present two or more personally identifying “factors” at login before access is granted. This further “authenticates” the user, assuring the system that they are definitely who they say they are.
By adding extra authentication factors at login, you instantly make any login processes more secure. Even if the username and password of an MFA-protected account became compromised, the bad actor would still be unable to access the account without the additional authentication factors.
A user’s identity can be verified using any of the following methods:
- Something the user knows (“Knowledge Factors”), like a password, a security question/answer, or a PIN number.
- Something the user owns (“Ownership Factors”), like a pre-authenticated smartphone, hardware token, PIN pad, or by scanning a QR code with a separately authenticated device.
- Something inherent about the user (“Inherence Factors”) such as a fingerprint, retina scan, or voice recognition.
- The user’s location (“Location Factors”), only allowing access to those in certain physical locations, or using specific IP addresses.
- The time of login, only allowing access to those authenticating within a certain time of day or within certain working hours. This would be a kind of behavioural factor.
In theory, you can use any mixture of the examples listed above to robustly authenticate your users. However, there are two points to note here. The first is that the more authentication factors you employ, the more roadblocks you put in the path of hackers, and therefore the more secure you make those logins.
The second is essential, yet often overlooked: it’s that not all authenticating factors are created equal. Some are undoubtedly stronger than others.
MFA: Choosing the Right Authentication Factors
It’s important to understand the strength of each authentication factor before you decide which ones to implement.
Weaker Authentication Factors
Weaker authentication factors still provide some basic added security, but they generally suffer from security problems of their own. In our team’s opinion, the following authentication factors should be avoided or backed up with stronger factors.
Knowledge Based Authentication Factors
Passwords, security questions, and PIN numbers are all pretty weak as authentication factors go, especially when they’re being used without any other authentication factors.
Any kind of static, knowledge-based factor can easily be phished for, be the target of spraying attacks, or can be stored in plain text by users (rendering it potentially hackable by criminals).
SMS Text Message Verification
On the surface, authenticating a user by sending them a code via SMS text message may seem like a pretty secure way of doing things. However, it’s actually fraught with issues.
The biggest vulnerability here is SIM-swapping. SIM-swapping is an attack whereby a criminal dupes the relevant mobile phone provider into moving a victim’s mobile number onto a SIM card that the attacker owns. In doing so, they will then have access to any future authenticating texts that get sent to that number.
Alternatively, criminals may be able to hack into a victim’s phone and gain control over it, potentially gaining access to the victim’s texts in the process. And there’s always the possibility of the device itself being stolen. Either way, if the criminal already has access to the other relevant login credentials for that individual, they will be able to take over any accounts that are “secured” by SMS text message authentication.
Push Notifications
In order to authenticate a user, apps can send a push notification to the user’s mobile phone simply asking them to confirm whether they have instigated a login action. Android users will likely be familiar with this when logging into their Google account on another device.
Again, this authentication factor isn’t as secure as it first seems. The first fault we can foresee is that a hacker can simply spam the user with login attempts, making their phone figuratively blow up with push notifications. Then, the criminals wait for “notification fatigue” to set in. Ping after ping, the user grows increasingly likely to simply click “grant access” just for some peace. And with that, the hackers have access to the account.
The second potential issue is that the criminals could hack into a victim’s phone and simply approve the notification themselves. And, as above, theft of the device is also a possibility.
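From the defender’s side, the “notification fatigue” pattern above is visible in the MFA audit log as a burst of push prompts for one user, often ending in an approval. The following is an added example (not code from this page or from any MFA vendor) that runs a simple sliding-window check over a constructed log; the log format and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an MFA push-prompt audit log (invented format, not a real product's):
# timestamp, user, outcome of the push prompt, source IP of the login attempt.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z alice approved 203.0.113.10
2024-03-01T09:05:00Z bob timeout 198.51.100.7
2024-03-01T09:05:20Z bob denied 198.51.100.7
2024-03-01T09:05:45Z bob timeout 198.51.100.7
2024-03-01T09:06:10Z bob timeout 198.51.100.7
2024-03-01T09:06:40Z bob approved 198.51.100.7
2024-03-01T10:30:00Z carol denied 192.0.2.55
2024-03-01T14:00:00Z bob approved 203.0.113.10
"""


def parse_log(text):
    """Turn each log line into (timestamp, user, outcome, source_ip)."""
    events = []
    for line in text.splitlines():
        ts, user, outcome, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, outcome, ip))
    return events


def detect_push_fatigue(events, max_prompts=3, window=timedelta(minutes=5)):
    """Return one finding per user who received more than max_prompts push prompts
    inside any `window`-long period. The finding records the burst size, the source IPs
    involved and whether a prompt in the burst was approved (the case that needs a
    password reset and session revocation, not just a ticket)."""
    findings = {}
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    for ts, user, outcome, ip in sorted(events):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop prompts that have aged out of the window
            q.popleft()
        if len(q) > max_prompts:
            f = findings.setdefault(user, {"prompts": 0, "approved_after_burst": False, "source_ips": set()})
            f["prompts"] = max(f["prompts"], len(q))
            f["source_ips"].add(ip)
            if outcome == "approved":
                f["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

Only bob is flagged: five prompts in under two minutes, the last one approved, while his single prompt at 14:00 is far outside the window and is not counted.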
Email Link or Code
We’re also quite wary of authentication factors that work by sending a code or link to an email address. Email accounts are a common target for hackers as they often house a lot of highly sensitive correspondence that could be highly lucrative for a criminal yet devastating for an organisation if it got into the wrong hands.
Email functions are also commonly included in productivity software like Microsoft 365 and Google Workspaces, which can be an even more tempting target for criminals due to their broad functionality and data-holding capacity. If they were to take control of an email or productivity account, they could easily authenticate themselves by email.
We would recommend steering clear of these weaker authentication factors or backing them up with another, stronger factor like any of those below.
Stronger Authentication Factors
Strong authentication factors create a much more secure login experience, and many can even be used to create a highly secure passwordless login experience. Our experts would recommend any of the below factors.
Physical Security Keys
Providing each user with a physical security key is a highly secure means of authentication, and a firm favourite here at Just Firewalls.
These are physical devices that can be plugged in and tapped, or activated within a mobile phone’s NFC field, to assure the login process that you are a real human who wants to log in rather than a remote hacker.
In conjunction with a spot of cyber-awareness training, physical keys can be a highly powerful authenticator. They require both that the user has the device in their possession and that the user is present to activate it within a set timeframe. In fact, one popular hardware key brand, YubiKey, states that their users have experienced zero account takeovers.
QR Code Authentication
QR code authentication effectively turns the user’s smartphone into a hardware security key. Instead of presenting the user that’s logging in with a field to enter a password or PIN, it displays a unique QR code – a square, barcode-like pattern. In order to pass authentication, the user will then need to scan the QR code with their phone using a pre-authenticated security app.
Like hardware keys, this kind of authentication requires the user to both have an item that is unique to them (in this case, the smartphone pre-authenticated with the security app) and to be present in order to scan the QR code with that device. Even if hackers had remote access to the user’s phone and their PC, they wouldn’t be able to physically lift the user’s device to the screen in order to scan the code. Clever, eh?
Biometric Authentication
This is perhaps the most robust authentication factor in this whole article. Biometric data is a strong inherence factor as it relies on something unique and relatively unchanging about the user in question – a fingerprint, a facial scan, voice recognition, a retina or iris scan, or even vein matching.
Understandably, the only concern here is potentially from users who may feel a little paranoid about sharing their biological data for the purposes of logging in. This is why it’s important to choose a trustworthy service that limits the spread of their biometric data. Windows Hello for Business is our top pick as it fully encrypts each user’s biometric data and only stores that encrypted data on the individual user’s local device; Hello never shares that data across networks or the internet.
Use With Caution: Time-Based One-Time Passcodes (TOTPs)
Time-based one-time passcodes are a widely used authentication method and are far more secure than simply authenticating with a password. They involve retrieving a randomised, login-specific, 6-digit passcode from an authentication app whenever the user wishes to log in. This code renews every 30-60 seconds, meaning that there is only a brief window when each particular code will correctly authenticate the user.
However, we would argue that they are a little less secure than the “stronger” factors listed above. Though any hacker would only have a brief window in which to act, they could still phish for that code in real time over a live chat or a phone call; alternatively, the attacker could gain remote access to the victim’s phone to retrieve the code themselves.
Thankfully, this is a factor that is greatly strengthened by good cybersecurity training. Inform your team that they aren’t to share the contents of their authentication apps with anyone – even those purporting to be from an IT service provider.
What is the Best MFA Solution Out There?
There are numerous multi-factor authentication solutions on the market, but the experts here at Just Firewalls recommend WatchGuard AuthPoint.
Not only is AuthPoint compatible with an array of logins and remarkably easy to use; it also works seamlessly with WatchGuard’s range of network security products.
How Does WatchGuard AuthPoint Work?
Organisations using AuthPoint are presented with a cloud-based control centre which allows an administrator to create and oversee users, and to view an auditable log of successful logins and unsuccessful attempts.
Each individual user who needs to use MFA will install the free WatchGuard AuthPoint app on their smartphone and securely register. Each user’s mobile device “DNA” is recorded on enrolment, meaning that their device is the only one that can be used to correctly authenticate their accounts.
What Authentication Factors Does AuthPoint Provide?
There are three core authentication factors that the AuthPoint app provides:
- Push Notifications – Can authenticate only while online
- Time-Based One-Time Passcodes (TOTPs) – Can authenticate while offline
- QR Code Authentication – Can authenticate while offline
As discussed above, push notifications are arguably the least secure option, QR codes are the most secure, and TOTPs are somewhere in between, depending on your team’s cyber-preparedness.
WatchGuard also supplies their own hardware keys which are compatible with AuthPoint, but the software is also compatible with a handful of hardware security keys on the market.
What Logins Can AuthPoint Protect?
There are a number of different login use cases where AuthPoint can provide an extra security step: remote access tools; VPN connections; productivity tools like Microsoft 365 and Google Workspaces; CRM tools like Salesforce; and more. If a solution uses the SAML 2.0 authentication protocol, then you can protect it with AuthPoint.
So if you’re interested in adding an extra layer of protection to your cloud logins, databases, and other digital resources, ask us about WatchGuard AuthPoint. Enjoy secure access control for just 8p per user, per day – and if you have more than 50 users, it’s even less!
Speak to our team today on 0808 1644414 to discuss your authentication options and to claim your free cybersecurity health check.