Multi-factor authentication, or MFA, is a way to log in to your services requiring at least two different types of authentication. This is much more secure than simply using a password, as someone would need to know what your second (or third) factor is, and have access to it in order to log in. MFA is divided into three broad categories, and when used will combine at least two of the categories. Within each category, there are a number of authentication methods, which we’ll discuss below.
Something You Know
This is the most familiar authentication method that we’re all aware of – passwords. The first factor is something that you (and hopefully you alone) know. This could be a password, a passphrase, or a text-based ‘key’ that you use to authenticate with. Another example of this kind of authentication is entering the key to join a wireless network. This is the most basic of authentication methods, and is often combined with the next categories for MFA. I say ‘often’, because the other methods can, in some instances, be used to gain password-less access to services.
Something You Have
This factor has become more prevalent in recent years in terms of receiving text messages with codes, having an app like Authy or Microsoft Authenticator, or a physical security key like a Yubikey. This is something that you and you alone are in possession of, made simple nowadays given the prevalence of mobile phones. The most commonly used approach here is that of a six or seven digit code that is sent to your phone or generated in an app that you are in possession of. Once your password has been entered, the code is requested. This is the most effective way to mitigate a phishing attack – and everyone should have at least 2-factor authentication on all of their online services!
A newer approach to “something you have”, is that of physical security keys. These devices plug into the USB port on a computer, or support NFC ‘tap’ on a phone, to validate that you are in fact present when your password has been entered. I have a Yubikey 5, and love the fact that I don’t have to fiddle for a six digit code! I simply insert the key when prompted (after my password) and press the gold button on it to log in. You can find out more about Yubikey over at their website and to purchase in South Africa you can head to my friends over at Cyber Connect.
Something You Are
The last aspect in MFA is something that is unique to you as a person. This could be biometrics like a fingerprint or facial recognition, or even voice recognition. It can, however, also come in the form of more surprising methods such as keystroke identification. This is where your particular typing style is ‘learned’ by a machine and is matched up. Think of it as the next generation of handwriting analysis!
A Fourth Factor
Something that is rising in popularity is a fourth factor of geographic and physical location. This relies on your location as a means of authentication. It could be that you need to be present in a particular office branch in order to access a service, or that you cannot administer a website without being in the same country as that site. I see this quite frequently in the Software-as-a-Service space, where administrators cannot log in to servers unless they are physically present in the office.
I use a wide range of these factors depending on the service and I would advise you to use MFA as much as possible. Your digital identity is a part of you, and losing access to any of it due to phishing and other methods of attack can be devastating in the real world as well as virtually. I use combinations of fingerprints, NFC taps, USB keys, codes sent to my phone, and app-based authentication in addition to my passwords. In some cases, I have even done away with passwords (hallelujah) and rely on other methods to authenticate. This saves me having to remember passwords, though for that I do still use 1Password. To help you on your journey, here are links to some of the most popular services’ security pages where you can enable and configure MFA or 2FA (two-factor authentication).
Ross G Saunders Consulting is a niche data protection, privacy, and InfoSec consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation and good practice. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers.