How do you prove you are you? In the physical world, we have birth certificates and driver’s licenses to prove we are who we say we are. Yet this question becomes more difficult when you are trying to prove yourself to a computer system. Thankfully, Multi-Factor Authentication (MFA) can help in a variety of ways.
MFA is a method of verifying a user’s claimed identity before granting that user access to a system. Authentication succeeds only after the user has presented two or more factors to the authenticating mechanism, drawn from different categories: something the user knows (a password or PIN), something the user has (a card or token), or something the user is (a biometric). Factors can come from any of the three categories, but to count as MFA they must span at least two of them.
A common example of a factor would be your password, which is something you know (the username that accompanies it is an identifier, not a factor). Two-Factor Authentication (2FA) is the special case of MFA in which exactly two factors from two different categories are required, as with an ATM card. You are only able to use your ATM card if 1) you have the card, and 2) you know the PIN associated with the card.
Finally, we have Two-Step Authentication (2SA), in which the password is followed by a second step, usually a one-time code. Two common sources of that code are a disconnected hard token (such as a keyfob with a display) and a soft token, an application that generates the number combination on a phone. While both serve the same function, each has its own advantages and disadvantages. For instance, a hard token’s seed is sealed in the device and cannot be copied off it by malware on the user’s computer. However, hard tokens are costly to acquire and have to be physically handed to each and every user, creating an administrative burden. Soft tokens, on the other hand, can be enrolled remotely at little cost, so it is practical to issue one to every user who needs access. Yet because the seed lives on a general-purpose phone, soft tokens are more susceptible to outside attacks than a hard token. Neither kind protects a user who types the code into a phishing page.
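Both kinds of token usually implement the same algorithm: a shared seed and a moving counter (a hardware counter for HOTP, the current 30-second time step for TOTP) are fed to an HMAC, and the result is truncated to six or eight digits. The example below is an added illustration, not code from the original post; it follows RFC 4226 and RFC 6238 and uses the test secret published in those RFCs so the output can be checked against RFC 6238 Appendix B. It also shows the server side a practitioner has to get right: tolerating a step of clock drift, comparing in constant time, and refusing a code that has already been accepted. Because the server and the token compute the same function on the same seed, whoever obtains the seed can clone the token, which is why where the seed is stored matters.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed example, not code from the original post. It follows RFC 4226 (HOTP)
# and RFC 6238 (TOTP) and uses the RFCs' published 20-byte test secret so the
# results can be checked against RFC 6238 Appendix B (SHA-1 column).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)         # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: Optional[int],
                step: int = 30, digits: int = 6, skew: int = 1) -> Tuple[bool, Optional[int]]:
    """Server-side check of a submitted code.

    Accepts the code for the current time step or any step within +/- `skew`
    (clock drift between the token and the server), compares in constant time,
    and refuses any counter at or below `last_counter` so an observed code cannot
    be replayed within the window. Returns (accepted, new_last_counter).
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_counter
    now = unix_time // step
    for delta in range(-skew, skew + 1):
        counter = now + delta
        if last_counter is not None and counter <= last_counter:
            continue  # already consumed, or older than the last accepted code
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # The token (keyfob or phone app) and the server run the same function on the same seed.
    t = 1111111109
    code = totp(RFC_TEST_SECRET, t, digits=8)
    print("token shows:", code)                                 # 07081804 per RFC 6238 Appendix B
    ok, last = verify_totp(RFC_TEST_SECRET, code, t, None, digits=8)
    print("first use accepted:", ok)
    ok, last = verify_totp(RFC_TEST_SECRET, code, t, last, digits=8)
    print("replay accepted:", ok)                               # False
```

The replay check matters because a TOTP code stays valid for the whole time step plus the skew window, so an attacker who shoulder-surfs or phishes a code has up to about a minute to reuse it unless the server remembers the last counter it accepted. Rate-limiting failed attempts per account is the other control a six-digit code needs, since a million possibilities is small against an unthrottled guessing loop.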
Whether you use a soft or hard token, you are still tying the login to either a physical device that a user must always carry and not lose, or an app on a person’s phone. Both tokens can be lost, eaten by the family dog, broken, or otherwise rendered useless. What then? You can use something you have, something you know, and more importantly, something you are. Biometrics, the use of physical characteristics such as an iris scan, a fingerprint, or facial recognition, can potentially eliminate passwords, and with them the password-recovery flow, which is a key weak point of MFA/2FA/2SA deployments because an attacker who can reset the password often bypasses the other factors. Biometrics are instant, require nothing to be carried or remembered, and are tied to one individual.
While biometrics seem promising, there are some potential challenges. If a user relies on facial recognition software and gets a tattoo or a facial injury, will that prevent him or her from using the feature? Some users may have damaged fingerprints, rendering that option useless. Unlike a password or a token seed, a biometric cannot be changed if its template is ever leaked, so it is best used to unlock a key or token held on the user’s own device rather than sent to a server for comparison. Further, the use of biometrics implies that every user has a smartphone or other device with a sensor that can capture the biometric and match it against an enrolled template.
Be it hard token, soft token, or biometrics, each MFA option has its benefits and its costs. Which one you or your company chooses will depend on the size of your company, the number of users requiring a second factor, and the level of risk your company is willing to accept.
Cory Missimore, Assistant Manager, Information Security Compliance, Bloomberg BNA
[ISACA Now Blog]