When a user ‘logs on’ to a system or application with a username and password, they are going through the process of authentication – literally verifying that the login is ‘authentic’.
Unfortunately, an authentication system based on two pieces of text (username and password) is only as strong as the security of the pieces of text. People reusing the same credentials, writing them down or using guessable or common passwords undermine such a system.
What is MFA?
Enter Multifactor Authentication (or MFA). When using a username/password combination, you are using only one factor – something you know. If we want to make the system more secure, we need to take advantage of more than one authentication factor, the full list being:
- Something you know (username, password, etc.)
- Something you are (biometrics – fingerprint, facial recognition, etc.)
- Something you have (security fobs, authenticator apps, etc.)
While not one of the authentication factors per se, it is also common to restrict authentication based on somewhere you are (either identifying a network or a geographic location).
What MFA Isn’t
We have heard ‘security experts’ claiming that by introducing MFA to protect accounts, all of a sudden these accounts are impenetrable unless an attacker is able to gain access to your additional factor (e.g. your finger, your phone, your iris). While it would be wonderful if this was the case, unfortunately it’s not that simple.
The ever evolving game of ‘cat and mouse’ that is cyber security means that criminals have already found methods to avoid MFA (even when ‘enforced’) and also ways to relay it in real time: phished users log in to a fake website while, in the background, attackers log in ‘live’ to the legitimate website with those same credentials.
When the attackers are prompted for an MFA token on the legitimate website, they request one from the user via the fake website – the user unknowingly facilitates the attacker logging in and is then presented with an error message or similar on the fake website.
Summary
In summary, MFA should absolutely be used wherever possible, but it should only be part of a layered approach to defence, including other authentication / access controls such as geographical restrictions, time-based restrictions, least privilege and separation of duties.
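To illustrate the layered approach, here is an added example (not code from the original post) of a login decision that checks MFA, location, time of day and the requested role independently, so that credentials and an MFA code relayed by an attacker can still fail the other layers. The policy values, user and login attempts are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccessPolicy:
    """Per-user policy; each attribute is one independent control layer."""
    allowed_countries: set = field(default_factory=set)  # empty set = no restriction
    allowed_hours: tuple = (0, 24)                        # permitted UTC hours [start, end)
    require_mfa: bool = True
    roles: set = field(default_factory=set)               # least privilege: roles granted


@dataclass
class LoginAttempt:
    username: str
    password_ok: bool
    mfa_ok: bool
    country: str        # from the source IP's geolocation (constructed here)
    when: datetime      # timezone-aware
    requested_role: str


def evaluate(attempt: LoginAttempt, policy: AccessPolicy):
    """Return (allowed, reasons). Every layer is checked so a denial log is complete."""
    reasons = []
    if not attempt.password_ok:
        reasons.append("bad password")
    if policy.require_mfa and not attempt.mfa_ok:
        reasons.append("mfa missing or failed")
    if policy.allowed_countries and attempt.country not in policy.allowed_countries:
        reasons.append(f"country {attempt.country} not permitted")
    start, end = policy.allowed_hours
    hour = attempt.when.astimezone(timezone.utc).hour
    if not start <= hour < end:
        reasons.append(f"login at {hour:02d}:00 UTC outside permitted hours")
    if attempt.requested_role not in policy.roles:
        reasons.append(f"role {attempt.requested_role} not granted")
    return (not reasons, reasons)


# Constructed sample data: an office worker in the UK with a read-only role.
POLICY = AccessPolicy(allowed_countries={"GB"}, allowed_hours=(7, 20), roles={"reader"})
GENUINE = LoginAttempt("alice", True, True, "GB",
                       datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc), "reader")
# Password and MFA code relayed through a fake site: both verify, but the
# attacker's session comes from elsewhere, at night, and asks for more.
RELAYED = LoginAttempt("alice", True, True, "RU",
                       datetime(2024, 5, 1, 3, 0, tzinfo=timezone.utc), "admin")

if __name__ == "__main__":
    for attempt in (GENUINE, RELAYED):
        print(attempt.country, evaluate(attempt, POLICY))
```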