Implementing Multi-Factor Authentication is a great way to improve the security of your business and sign-in processes – here’s how it works:
Multi-Factor Authentication (sometimes called Two-Factor Authentication or 2FA) is a security protocol that requires users to provide two or more forms of identification before accessing a system or network. This method of authentication provides an additional layer of security beyond a traditional username and password, making it more difficult for hackers to gain access to sensitive information.
Passwordless solutions are more secure still, removing the need for a user-reliant password entirely; however, the increased security carries additional cost and complexity and, as such, is something I’ll discuss in a future article.
Short Message Service (SMS) Authentication
Probably the easiest to implement is SMS authentication. When the user attempts to sign into a service, the system generates a One-Time Password (OTP) and sends it, via text message, to the user’s phone. Passwords created this way can be produced by a time-based algorithm (the code typically expires within up to 240 seconds) or by a hash-based algorithm, in which the password remains valid until a new one is requested. I will go into both algorithms shortly.
SMS authentication is better than a password alone and will deter most attacks; however, it is vulnerable to several sophisticated attacks from a determined bad actor, for example SIM swapping (convincing the carrier to assign the number to a new phone) or a Signalling System 7 (SS7) attack that intercepts the code in transit.
Time-Based One-Time Passwords (TOTP)
TOTP generates a unique password every 30 seconds using a shared secret key between the user and the system (typically via an Authenticator app on the user’s mobile phone).
TOTP is a variant of the HMAC-based One-Time Password (HOTP) algorithm, developed by the Initiative for Open Authentication (OATH). The HOTP algorithm feeds an incrementing counter into an HMAC (Hash-based Message Authentication Code), generating a code that remains valid until you actively request a new one. TOTP replaces the counter with a time-based value and so generates a new password every 30 seconds.
TOTP is considered reasonably secure, but there are a couple of considerations. You must keep the shared secret key secured, as anyone holding it could generate identical passwords on several mobile apps. It’s also susceptible to time drift, where the time on the authenticating server and on the mobile app differ enough to invalidate the password.
Push-Based Authentication
Push-based authentication also requires a mobile device to authenticate a user. It’s a slicker process when compared to TOTP, as it removes the need for a one-time password and instead simply requests the user’s approval for the access request.
The security of push-based authentication is based on the use of a secure communication channel between the system and the user’s mobile device. The communication channel is typically established using a secure protocol such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL). This ensures that the push notification is sent to the correct device and prevents man-in-the-middle attacks. It also utilises a unique identifier, such as a device token (generated during the registration process) tied to the specific device, ensuring that only the registered device can receive and approve the login request.
There are also some broader points to consider when looking into implementing multi-factor authentication.
All these authentication methods rely on the user’s mobile device (probably their phone), which brings additional security benefits and risks. The device may be secured with a PIN or biometric authentication (improving protection), but it is also liable to be lost, broken or stolen, making it tricky to regain access to the account. Ultimately, recovery options often “work around” the MFA process, leaving the account susceptible to attack, but if the recovery options are disabled then regaining access to the account may be very time-consuming.
Perhaps because of the advice about length and complexity, people tend to use the same password everywhere, appended with an increasing number for enforced changes. This means a successful phishing attack (the most likely cause of a password discovery), even at an unrelated service (Facebook, for example), could lead to the compromise of your corporate network. MFA significantly improves your systems’ security posture and should be considered the minimum for keeping your business safe. So if you aren’t using it already, implementing multi-factor authentication is something to explore in your business.