A SECURITY KEYSTONE
For cyber crooks with the know-how, even the strongest passwords or passphrases are susceptible to brute-force attacks. While you might think that a passphrase like allthegoodpasswordshavegone is as safe as houses, it isn’t. In 2018, hackers successfully compromised it along with almost 12 million others from the Canadian social networking site, Ashley Madison. So how do you make your login credentials impenetrable to bad actors? One solution is to adopt multi-factor authentication, or MFA. Using MFA, users need to provide two or more pieces of evidence to authenticate themselves. Most businesses and individuals alike consider multi-factor authentication a security must-have for password and data protection.
BACK IN 1995
Kim Dotcom, the notorious German-Finnish hacker, Internet entrepreneur and political activist, claims to have invented a form of MFA, two-factor authentication (2FA) in 1998. He didn’t. In 1995, the American telecommunications giant, AT&T, filed for a patent for:
“An automated method for alerting a customer that a transaction is being initiated and for authorizing the transaction based on a confirmation/approval by the customer thereto.”
That’s where MFA found its roots. In the 2000s, MFA had few early adopters, and Microsoft only began rolling out 2FA for its users in April 2013.
In early 2016, President Obama wrote an editorial for the Wall Street Journal and stated that passwords alone were insufficient to protect consumers and businesses. It was claimed that 9 out of 10 Americans believed they’d lost control of their personal information. As such, Obama announced a new national awareness campaign, #Turnon2FA, to encourage more Americans to protect themselves online. Part of his WSJ article read:
“We’re doing more to help empower Americans to protect themselves online. In partnership with industry, we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords – adding an extra layer of security like a fingerprint or codes sent to your cellphone.”
Soon after, multi-factor authentication took off in the United States, Europe and Asia, with even smartphones supporting biometric authentication techniques. By June 2022, Microsoft enforced MFA for anybody wanting to access the Azure cloud computing platform. Other tech companies haven’t been so keen. 2FA is only an option for Amazon on so-called ‘trusted’ devices and eBay only started using the authentication method in November last year.
WHAT’S THE DIFFERENCE
2FA and MFA are not quite the same thing. 2FA requires you to present two types of authentication whereas with MFA you need two or more. This means that all 2FA is MFA, but not all MFA is 2FA. While MFA requires more authentication steps, that does not necessarily make it more secure than 2FA.
KNOWLEDGE | POSSESSION | INHERENCE
MFA works by combining two or more factors from three authentication categories:
- Knowledge – something you know
- Possession – something you have
- Inherence – something you are
One of the most common knowledge factors we use is the one-time password (OTP). OTPs are those 4-8 digit codes that you often receive via email, SMS or some sort of mobile app. You should also be very familiar with personal identification numbers (PINs) used on credit and debit cards. Possession authentication also includes OTPs when they arrive on your mobile device. Inherence verification uses biometrics such as fingerprint scanning, facial recognition or voice authentication.
HOW YOU SCORE
The MFA market is currently valued at $13 billion and is projected to reach $27 billion by 2027. That’s big business so MFA must be important. Why so much money? The primary benefit of MFA is that it provides additional layers of security to your data making it much less vulnerable to being compromised. Put simply, your information is harder for the average criminal to steal – the less enticing your data, the more likely that thieves will choose somebody else to target. Other important benefits include:
- more robust authentication than 2FA
- enhanced security when working remotely, including home
- protecting customer data from identity theft
- compliance with regulatory requirements imposed by the GDPR and other regulators
- compliance with Single-Sign-On (SSO) solutions
MFA also takes the headache out of password management as it is easy to implement. IT teams are often weighed down with password resets that are required by employees to adhere to stringent password policies. MFA makes it easy by securing the environment, the people in it, and the devices they’re using without requiring cumbersome resets or complicated policies.
GET WITH THE PROGRAMME
One of the reasons MFA was slow to take off is that it implies more work for users. Also, when MFA first emerged, it lacked mass appeal. Adding MFA software into the IT mix can be costly and inconvenient. Moreover, the end-user is burdened with friction during login as information has to be memorised, tokens accessed, or biometrics scanned. And everybody hates friction, wanting a streamlined, efficient and speedy login, especially on mobile. Other disadvantages include:
- the less technical of us may find it difficult to configure and use MFA
- users may become locked out of their accounts if they lose or are unable to use their other factors
- MFA introduces additional complexity into the application
- many MFA solutions add external dependencies to systems, which can introduce security vulnerabilities or single points of failure
- processes implemented to allow users to bypass or reset MFA may be exploitable by attackers
But think about these two facts. Firstly, Verizon Data Breach Investigations found that 81% of all data breaches are caused by weak passwords being compromised or exploited. Secondly, the annual cost of cybercrime will be $11 trillion by 2025. So those who question or doubt the validity of MFA better get with the programme.
MY VIEW ON MFA
As an IT professional with 20+ years in the business, nothing is more important to me than protecting your data. This means protecting your credentials so the bad actors can’t access your IT and your data. MFA is one way of almost guaranteeing that it never happens. Call me today and let’s get your logins in shape with MFA.