Let’s summarize what has been covered in my articles:
- Cybersecurity has many layers like an onion or a parfait.
- Cybersecurity starts when the computer is first powered up. Way before it even hits the firewall.
- Hackers get in because of insecure password management.
- The employee managed passwords is cybersecurity’s weakest link.
- Credential theft is a greater problem than credit card theft.
- Killing passwords is not a solution.
It was in this last article that I began discussing multi-factor authentication (MFA). Sadly, MFA is often misunderstood or wrongly deployed. Before I can demonstrate the ultimate way to secure passwords and password management, I need to first discuss the truth about MFA and dispense with the marketing misconceptions. (You can view part 2 of this article here.)
“Today we are using passwords, and they won’t cut it. We need to move to multi-function authentication. A lot of that will be using a smart-card approach that needs to be built down into the system.”
~ Bill Gates, Microsoft
What is MFA?
All MFA starts with the factors (something I have, something I know, and Something I am). Using only one of the three factors for authentication is called single-factor authentication (SFA). One factor alone is considered very weak authentication. Cards can be cloned, passwords cracked, biometrics fooled, and smartphones cloned. Multi-factor authentication (MFA) happens when the combination of two or more dissimilar factors are presented at the same time.
What makes multi-factor authentication secure is that the odds of a hacker being able to possess all the authentication components at the same time is extremely unlikely. To accomplish this would require more time, money, and sophistication than most hackers are capable of having. Plus, if the hackers are located in a foreign country, then it becomes virtually impossible unless there are inside accomplices.
The combination of two or more of the same factor (like two cards, two passwords, or two biometrics) is not really multi-factor authentication. While this is stronger than only having one single factor, combining two of the same factor is referred to as “multi-single-factor authentication.”
No one combination of factors is necessarily better than another. You have to determine which solution(s) work best in your specific environment(s).
Here are four tips you should consider when choosing which factors to combine:
- User convenience: This is placed first because no matter what any security technology promises, if the solution is cumbersome, users will find ways to circumvent it to make their life easier.
- The value of the data: Not all data is equally valuable. You would not pay $1,000 to secure something that’s worth $5. Similarly, you should not pay $5 to secure something worth $1,000.
- Support, Maintenance, and Training: How much work is required by your IT staff to install, manage, and train for the system? IT convenience is also important.
- Risk/Threat assessment: You need to understand who might want your data and their level of sophistication.
Multi-Factor Authentication Wrongly Marketed
I often come across products that claim to be multi-factor authentication which, in reality, are not. They simply use the same factor multiple times. For example, a system where you type in a password and then type in a code sent to your phone is actually “Double-Single-Factor Authentication.” It’s Something you Know (password) + Something you Know (code). Typing in multiple codes utilizes only one direct interface with only one factor: the person. The smartphone is not entering the code, the person is. Some pundits argue that because the computer made the request to have the code sent to a specific phone that the computer did authenticate it. I respectfully disagree.
Another example of Double-Single-Factor Authentication would be the use of both voice and facial recognition, which again are two Something you Are factors. Some say it’s just semantics, but I truly believe that understanding the finer points and properly implementing them is how you actually prevent a security breach.
No solution is 100% secure. All that any cybersecurity system can do is put up enough barriers and monitors to prevent 98% of attacks. For most companies, that’s good enough.
For more on authentication, check out this follow-up article on two-factor authentication and three-factor authentication.
Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion lead him to create innovative solutions that protect businesses from cyberattacks, free individual computer users from cumbersome security policies and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premiere product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).