Authentication is the process of verifying user identities before granting them access to secure accounts, software applications, or network services.
Usernames and secured passwords are the most familiar form of authentication: Employees or customers provide their registered username and chosen password to gain access. The problem? If passwords are stolen, bad actors can easily gain access and lock out legitimate users.
Multifactor authentication (MFA) adds more verification factors to the login process, in turn reducing the risk of unauthorized access. In this piece, we’ll explore the growing impact of MFA security, potential options for implementation, and how companies can make the most of multifactor formats.
Why MFA Matters
Phishing emails and social engineering threats regularly succeed in stealing user credentials. Once this happens, attackers can enter accounts and effectively lock the door behind them — by changing passwords and other account information, they can keep legitimate users out.
If businesses don’t immediately notice the issue, attackers may move laterally through networks, potentially gaining access to protected databases or mission-critical applications. Once there, cybercriminals can choose to exfiltrate and sell critical data, encrypt and hold it for ransom, or simply destroy the information.
For businesses, data loss can lead to significant monetary costs, including system remediation, security control replacement, and the long-term impacts of reputation damage. Multifactor solutions make it possible for companies to reduce the risk of both initial and ongoing compromise.
MFA: How Does It Work?
Authentication relies on “factors” to verify user identity. The most common factors include something users know, something they have, and something they are.
Passwords are a type of one-factor authentication: Users know their password and input it to gain access. If malicious actors compromise this password, they gain access.
Two-factor authentication (2FA) became popular to combat password insecurity. This type of authentication typically pairs something users know with something they have, such as a physical USB drive or a one-time passcode.
Consider a user trying to access their bank account online. First, they’re prompted for their account name and password. Then, the bank sends them a one-time code via a secure mobile app or SMS message. If they don’t input the correct code, access is denied. This second factor helps reduce the risk of compromise — even if attackers steal usernames and passwords, they won’t have access to one-time codes.
While two-factor authentication is considered a type of MFA because it uses more than one verification type, most multifactor solutions include three (or more) factors to help increase overall security and authentication accuracy.
Common Types of MFA
2FA offers more protection than its single-factor counterpart but remains vulnerable to compromise. Using what are known as “man-in-the-middle” attacks, malicious actors can eavesdrop on network traffic. If they intercept one-time passcodes, they can gain account access. MFA increases the number of authentication factors to reduce total risk.
Some common multifactor approaches include:
Biometric Authentication
This type of authentication relies on something users inherently have or something they are. Fingerprints, iris scans, and voice recognition are popular types of biometric authentication. Other options include facial recognition, hand geometry analysis, signature verification, and retinal scans.
Behavioral Authentication
Behavior is also an inherent user characteristic that can be used to approve or deny access. For example, behavioral authentication might compare new user login attempts to previous ones. If access is being requested from a new device, such as a smartphone rather than a PC, and is requested at a different time — such as the middle of the night rather than during the workday — the request may be flagged for review or terminated entirely.
Location-Based Authentication
Where users are located can also be used as an additional authentication factor. This factor typically examines the user's geographic location and IP address and combines that data with other authentication types to confirm identity.
Risk-Based Authentication
This approach evaluates potential risk to determine the type of authentication used. A user attempting to access network services from their office during the workday might only be asked to provide their username, password, and one-time passcode. Employees logging on after hours from a new device in a different city, meanwhile, might be asked to provide passwords, passcodes, and biometric data.
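The behavioral and risk-based checks described above, written out as an added example (not code from the original article or from CIO Tech): each login attempt is compared with the user's history, the mismatches are scored, and the score decides which factors to demand. The office network range, device identifiers, and work-hour window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str      # identifier the client presents (e.g. a device cookie)
    source_ip: str
    when: datetime      # local time of the attempt

@dataclass
class UserProfile:
    known_devices: set
    trusted_networks: list          # CIDRs the user routinely logs in from
    work_hours: tuple = (8, 18)     # routine login window, local hours

# Weight of each risk signal; a new device or network counts for more than timing.
WEIGHTS = {"new_device": 2, "untrusted_network": 2, "off_hours": 1}

def risk_signals(ctx: LoginContext, profile: UserProfile) -> list:
    """Behavioral/location check: compare this attempt with the user's history."""
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append("new_device")
    src = ip_address(ctx.source_ip)
    if not any(src in ip_network(net) for net in profile.trusted_networks):
        signals.append("untrusted_network")
    start, end = profile.work_hours
    if ctx.when.weekday() >= 5 or not (start <= ctx.when.hour < end):
        signals.append("off_hours")
    return signals

def required_factors(signals: list) -> tuple:
    """Map the risk score to the factors to demand and whether to flag for review."""
    score = sum(WEIGHTS[s] for s in signals)
    factors = ["password", "otp"]        # routine in-office baseline
    if score >= 2:                        # new device or unfamiliar network: step up
        factors.append("biometric")
    flagged = score >= 5                  # every signal at once: also flag for review
    return factors, flagged

def evaluate(ctx: LoginContext, profile: UserProfile) -> tuple:
    return required_factors(risk_signals(ctx, profile))

# Constructed sample data: office range, device ids and timestamps are made up.
PROFILE = UserProfile(known_devices={"laptop-01"}, trusted_networks=["203.0.113.0/24"])
OFFICE_ATTEMPT = LoginContext("alice", "laptop-01", "203.0.113.25", datetime(2024, 5, 14, 10, 30))
NIGHT_ATTEMPT = LoginContext("alice", "phone-99", "198.51.100.7", datetime(2024, 5, 14, 2, 15))

if __name__ == "__main__":
    print(evaluate(OFFICE_ATTEMPT, PROFILE))   # (['password', 'otp'], False)
    print(evaluate(NIGHT_ATTEMPT, PROFILE))    # (['password', 'otp', 'biometric'], True)
```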
Making the Most of Multifactor Authentication
Human-facing access points remain one of the biggest risks to network and data security. Even the most cautious staff and customers may find their passwords compromised if they accidentally click through phishing emails or if their login data is exposed during a cyberattack.
Multifactor solutions make it possible to reduce total risk without significantly increasing the effort required for user access. From USB or app-based possession factors to biometric or location-based options, businesses can boost security by layering one (or more) verification steps onto existing login processes.
Ready to get started with MFA security? See it in action with network security solutions from CIO Tech. Let’s talk.