What You Need To Know About Multi-Factor Authentication (Part 2)

Let’s summarize what has been covered in my articles: 

  1. Cybersecurity has many layers like an onion or a parfait.
  2. Cybersecurity starts when the computer is first powered up. Way before it even hits the firewall.
  3. Hackers get in because of insecure password management.
  4. Employee-managed passwords are cybersecurity’s weakest link.
  5. Credential theft is a greater problem than credit card theft.
  6. Killing passwords is not a solution.
  7. The truth about multi-factor authentication.

In this post, we’ll delve into two-factor authentication (2FA) and three-factor authentication (3FA).

Two-Factor Authentication

Two-factor authentication is the combination of any two of the three factors (something you have, something you know, something you are).

Something you have + Something you know:

This is the most common of all the two-factor systems. It is relatively inexpensive to deploy and manage. It uses much of a company’s existing infrastructure and is the least cumbersome for employees. The typical solution is an employee’s badge plus a password. The employee presents his card via a reader connected to the computer and types in a personal identification number (PIN).

The system will read the unique identifiers of both the card and the PIN. Stronger systems will encode this information in ways that make it very difficult to fool. The data will also be encrypted in transit (SSL/TLS) before anything is transmitted, to prevent capture and replay.

  • Advantages – The card technology can be magnetic stripe, contactless card, or even a contact smartcard that is also used for a number of other functions, including employee identification, physical access control, time and attendance record-keeping, payment, or any other application the company deems necessary.

The PIN can be fairly short to make it less burdensome for the user to type and remember.

Smartcards actually allow the match to occur within the card, so the user’s known information is never stored in some offsite data center or server.

  • Disadvantages – The biggest threat to this particular 2FA is the disgruntled employee or insider. They can watch an employee type his or her PIN and later steal the card.

Magnetic stripe ATM, credit, and debit cards face frequent and common attacks. Thieves place a second card reader called a skimmer inside the point-of-sale terminal and a small camera pointed at the keypad. When a card is swiped, the skimmer copies data from the card while the camera records the PIN entry. Then, the thief clones the magnetic stripe onto a blank card, which he can use or sell along with the PIN.

To prevent these attacks, the industry has moved to smartcards that are more difficult to clone. You have probably already received your new credit card with a shiny gold chip on it. I’ll write a separate article about how banking regulators really messed this up.

Something you have + Something you are:

This is similar to the Have + Know authentication, but instead of typing a PIN, you use your fingerprint, face, voice or any other biometric. The user simply presents his card, then puts his finger on a scanner, looks into a camera, or speaks into a microphone.

With a smartcard, the biometric template can be stored on the card itself, not in some remote data center that hackers can target. Having a match-on-card solution ties the user to a specific card.

  • Advantages – Again, similar to the Have + Know advantages, but now the person doesn’t need to remember anything. The person is the second factor.
  • Disadvantages – Biometrics exist as templates, so where the information is stored and how securely it is stored must be a consideration. Reader costs can be high, depending on quality. Low-quality readers may have higher false acceptance and false rejection rates (FAR/FRR).

Something you are + Something you know:

With this solution, a user presents his fingerprint, then types the PIN. Everything resides within the individual. There is no need to carry anything extra.

  • Advantages – With all the smartphones, tablets, kiosks, and other mobile devices we have today, not having to plug in something more or worry that you forgot to bring your token is a big convenience advantage.

Extra devices can be lost, stolen, or forgotten. When employees come to work without their device, IT would have to offer the employee a recovery system allowing them to work when they are not in possession of their credentials, or have a policy that they must return home and get their card or dongle. That is not a problem with this solution.

  • Disadvantages – Authentication information has to be stored in a central server somewhere. Whenever data is stored remotely, it is at risk of being stolen. If there is no central storage, then every terminal will require its own storage capability. This too is a weakness if the terminal itself is hacked and the biometric data is exposed.

Wrapping up 2FA

As you can see, every environment has different circumstances creating different requirements to optimize MFA. There is no one-size-fits-all solution. Recognizing those different situations means you can save money by deploying only what’s necessary for each environment, instead of trying to make a single solution that works for everyone.

Three-Factor Authentication (3FA)

As the name implies, 3FA occurs when the Have, Know, and Are factors are all combined to produce the ultimate assurance of authentication. The odds of a hacker having all three factors at once are significantly more remote than requiring just two. With this higher security comes a greater cost, so before you implement 3FA, it is a good idea to first perform a risk and threat evaluation to ascertain the value of the data you are trying to protect.

Layers of Assurances

Layering multi-factor authentication also increases security. These layers of assurances look like this: The first layer consists of the user applying one set of multi-factor authentication, a card (Something you have) + a PIN (Something you know) which authenticates to the computer that the card is paired with the right user. The next layer happens between the card and the computer as the card authenticates itself to the computer’s operating system with different information that the user does not even know, like the smartchip’s unique ID (Something the card is) and a symmetric key (Something the card knows).
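To make the two layers concrete, here is a constructed Python model (added here; it is not the author’s Power LogOn or any vendor’s card OS) of a logon that runs both layers in order: a match-on-card PIN check with a retry limit, followed by the card proving its symmetric key to the host with an HMAC over a fresh host challenge, so a captured response cannot be replayed (the capture-and-playback concern raised under Have + Know above). Card IDs, PINs and keys are made-up sample values.

```python
import hashlib
import hmac
import secrets

class SmartCard:
    """Constructed model of a match-on-card smartcard (not any vendor's card OS)."""
    MAX_PIN_TRIES = 3
    def __init__(self, card_id, pin, card_key):
        self.card_id = card_id      # Something the card is (public identifier)
        self._pin = pin             # Something you know: never leaves the card
        self._key = card_key        # Something the card knows: never leaves the card
        self._tries_left = self.MAX_PIN_TRIES
        self._unlocked = False
    def verify_pin(self, pin_entered):
        """Layer 1: match-on-card PIN check; the host only ever sees a verdict."""
        if self._tries_left == 0:
            return False            # blocked after too many wrong guesses
        if hmac.compare_digest(self._pin.encode(), pin_entered.encode()):
            self._tries_left, self._unlocked = self.MAX_PIN_TRIES, True
            return True
        self._tries_left -= 1
        return False
    def respond(self, challenge):
        """Layer 2: prove possession of the key; refused until the PIN is verified."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()

class Host:
    # The computer's side: holds a card_id -> key registry provisioned out of band.
    def __init__(self, registry):
        self._registry = registry
        self._pending = None
    def issue_challenge(self):
        self._pending = secrets.token_bytes(16)   # fresh nonce for each logon
        return self._pending
    def check_response(self, card_id, tag):
        challenge, self._pending = self._pending, None  # single use: blocks replay
        key = self._registry.get(card_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def logon(card, host, pin_entered):
    """Both layers in order: a wrong PIN stops before the card signs anything."""
    if not card.verify_pin(pin_entered):
        return False
    tag = card.respond(host.issue_challenge())
    return host.check_response(card.card_id, tag)
```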

Wrap up

It is possible for you to create a password authentication infrastructure (PAI) with seven levels of assurance, without breaking the bank. When it comes to building the chain of trust, every single node and device should go through a separate layer of multi-factor authentication. I will discuss the PAI solution in a future article.

Network security must begin with authentication so you can know who is trying to get past your firewall. The more obstacles you can put up, the better. If you need more convincing, check out my next article for a comprehensive review of exactly how hackers go after your personal information, your company’s proprietary information, your financials, and everything else you are storing on your servers!

Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion led him to create innovative solutions that protect businesses from cyberattacks, free individual computer users from cumbersome security policies and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premier product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).
