Passwords are the most common authentication tool used by enterprises, yet passwords are notoriously insecure and easily hackable. End users tend to be careless with passwords, frequently reusing or sharing their passwords. For most enterprises, multi-factor authentication is a much-needed security measure.
- What is multi-factor authentication?
- Rise of multi-factor authentication
- Biometric authentication
- Two-factor authentication
- Multi-factor authentication solutions
This is true even among technologists, with a recent Centrify survey of IT professionals finding 26 percent shared passwords and 78 percent had fallen victim to a phishing email. A separate Forrester study, also sponsored by Centrify, of 203 enterprise IT security decision makers found two-thirds of organizations experienced an average of five or more security breaches in the past two years. The same study found hackers compromised over a billion identities in 2016 alone.
Multi-factor authentication, or MFA, is simply an umbrella term for verifying the identity of end users with a password and at least one other form of authentication. Initially, security vendors only offered two-factor authentication. Two-factor authentication, called dual or 2FA authentication, added another level to a User ID and password. Since then, security vendors introduced new methods for authentication, which can be layered to create a multi-factor authentication solution.
MFA incorporates at least two of three authentication methods, according to the PCI Security Standards Council:
- Something you know
Something you have
Something you are
An MFA security solution may also incorporate additional factors, such as geolocation data or a time component.
There are a number of options for achieving each method of authentication. Typically, “something you know” is simply a user ID and password, but MFA solutions can also require the end user to submit a PIN or the answer to a secret challenge question.
“Something you have” traditionally required the use of tokens. A token acts as an electronic cryptographic key that unlocks the device or application, usually with an encrypted password or biometric data. Tokens are generally referred to as either “connected” or “disconnected.” Connected tokens are stored on hardware that holds a cryptographic certificate, key or biometric data, such as an SD card on a phone, a USB token, tokens kept on smart cards, or an employee key fob. Disconnected tokens are generally only good for one use and can be delivered via RFID, Bluetooth or manually entered into the computer by the end user.
As web sites have adopted MFA, “something you have” has expanded to mean the end user’s credit card or mobile phone, called mobile authentication. In mobile authentication, a one-time password (OTP) or PIN is generated and sent to the end user’s smart phone via text, although an added layer of security can be added by using an OTP app, a certificate or a key stored on the phone. Mobile authentication is often seen as a cheaper and easier alternative to biometric authentication.
In recent years, more companies have turned to multi-factor authentication solutions to address their security and compliance concerns. In 2014, a survey of more than 350 senior IT decision makers worldwide found 37 percent of organizations surveyed used multi-factor authentication for a majority of employees, up from 30 percent in 2013.
Stratistics MRC estimates the global multi-factor authentication market is expected to reach $13.59 billion by 2022, spurred largely by the growth in e-commerce, the increase in online transactions, network security threats and legislative compliance. Banking, financial services and insurance industries constitute the largest share of adopters, with North America leading adoption, according to Orbis Research.
Identification by “something you are,” or biometric authentication, relies on either physical or behavioral characteristics. Physical characteristics include using retina scans, iris scans, facial recognition, fingerprints, voice recognition, hand geometry, earlobe geometric or hand vein patterns. Behavioral characteristics include keystroke dynamics, such as measuring the way a user types, how fast or the amount of pause on a given key. While biometrics can require special equipment, some solutions simply leverage the sensors in smartphones.
Biometrics offer the most secure method of authentication, but there are problems. For example, some people’s fingers don’t always have enough minutia points for the scanner to pick up, as is the case with workers who do heavy manual work with their hands or people with skin diseases. Scanners can also be tricked simply by capturing the fingerprint. For more on the pros and cons of biometric solutions, as well as a list of select Biometric vendors, see Biometric Authentication: How It Works.
Here is a partial list of biometric vendors:
- Early Warning’s Authentify Platform
- Daon’s DaonEngine
- Crossmatch DigitalPersona’s Pro Enterprise system
- M2SYS’ Hybrid Biometric Platform
- Plurilock’s BioTracker
- Precise Biometrics’ Tactivo
- Realtime North America’s Biolock
- Voice Biometrics Group VSP
The most common form of MFA is two-factor identification, sometimes referred to as dual authentication, two-step verification or 2FA. Two-factor authentication combines a user ID, password and at least one of two other methods for ensuring user identification. A common approach to 2FA is to require a one-time password (OTP) sent via SMS to a cell phone or a credit card number. Twitter, Google, Microsoft, Apple, Facebook and Amazon all use SMS to support two-factor authentication. Two-factor authentication is also being deployed for mobile security and by Internet of Things companies such as Nest to secure IoT devices.
Two-factor authentication is not without its flaws. In a 2017 SecureAuth survey, 74 percent of respondents said they received user complaints about 2FA, and nine percent said they outright hated it. It can also be hacked.
MFA isn’t just for e-commerce sites or employees. Before adopting a multi-factor authentication solution, consider these other scenarios and issues:
- B2B vendors: Recently, New York State introduced new financial regulations requiring banks, insurance companies and other financial services companies to establish and maintain cyber security programs that meet specific standards — including examining security at third-party vendors. Yet 32 percent of IT professionals don’t evaluate third-party vendors for security, according to a NAVEX Global survey. Don’t be one of them. Security experts advise IT professionals to protect the entire information pipeline, since even fourth-party vendors can present a security risk. One way to mitigate the risk is to require that vendors include multiple authentication methods. Be sure to outline the restrictive use of access and any repercussions for unauthorized or negligent behavior.
- VPN Authentication: More employees are accessing enterprise applications and data remotely, which poses a security risk even with VPNs. Be sure to include VPNs when evaluating MFA solutions.
- MFA for services: VPNs and traditional log-ins aren’t the only way hackers can access corporate data, of course. That’s why companies should consider two factor authentication for services, advised Veracode co-founder and CTO Chris Wysopal. “If you’ve implemented two-factor authentication for remote access to your company, why aren’t you implementing two-factor authentication with all the services you’re using that also have access to your company’s data?” Wysopal told eSecurity Planet. “Try to keep parity with what you already thought was a good idea to do to yourself.”
- Independence of the authentication: If security is a top concern, then look for a solution that offers out-of-band (OOB) authentication. Out-of-Band authentication means that the authentication methods are delivered through a different network or channel, which adds another layer to the security. That might be as complex as requiring a physical token or as simple as sending a one-time password (OTP) via text to a smartphone. One caveat: If the smartphone is also used to submit the OTP, you’ve lost the benefits of out-of-band, since the network is the same. That’s not a small issue, as many employees now use mobile devices to access corporate data.
Many major IT vendors, including IBM, Apple and Microsoft, offer MFA solutions for their products. There are also vendors that target specific markets, such as government. Below is a sampling of the key vendors offering MFA solutions:
- 3M Company
- CA Technologies
- Cross Match Technologies
- DeepNet Security
- Gemalto/SafeNet Authentication Service
- Hid Global Corporation
- Microsoft Azure MFA
- MitoKen Solutions
- NEC Corporation
- Nok Nok Labs S3 Authentication Suite
- PistolStar PortalGuard
- RSA Security Authentication Manager
- Safran SA
- Swivel Secure
- Symantec VIP
- Vasco Identikey Authorization Server + Digipass for Mobile
- Voice Biometrics Group VSP
- Yubico Yubikey