Although multi-factor authentication has been repeatedly proven to be a more secure way to protect user accounts from hackers, many common misconceptions still prevail about what counts as strong multi-factor authentication. Some account security measures that by themselves are weak multi-factor authentication, at best, include:
1. Using a pin code in addition to a password: This isn’t another factor of authentication. It is just another password that might be just as easy to acquire as the first one.
2. Using a user’s date of birth or social security number as a second factor: Just as using your name or other personal information in a password can make it less secure, using easily accessed information like a birthday as a password makes it easy to look up. And using a SS# introduces other security risks since the database with the user’s SS# will have to be called each time a user logs in.
3. Using only a security question in addition to a password: The security level of a secret question will vary from person to person. However, even the most secure secret question falls into the same problem as the two above. It is something the user knows.
The problem with this kind of weak multi-factor authentication is that the second factor is of the same ‘type’ as the first–something you know. A good rule of thumb for determining if a system truly offers multi-factor authentication is to think if you could share your login credentials on a single post-it note. For example, it would be easy to write your username, password, and pin code on a single post-it note. It would be impossible to write your username, password, and then receive a text message on that post-it note.
The strongest multi-factor authentication is always a combination: something you know (like a password or pin number), along with something you have (like a phone or USB drive) and/or something you are (like a fingerprint, retina scan, or facial recognition). Multi-factor authentication has been around for a long time. Every ATM you’ve ever visited has used multi-factor authentication before it gives you cash. The first factor is your ATM card identified through its number and the magnetic tape on the back. The card is something you have. The second factor is the pin number you type in to identify yourself. The pin number is something you know.
It is important to enable multi-factor authentication wherever it is practical to do so. It is especially important to use multi-factor authentication on email accounts used for password resets. If an email account is compromised, it could easily be used to reset the passwords for and allow malicious access to many other accounts. Many multi-factor authentication systems only require the user to present the second factor during the first login from a new device or location. This limits the inconvenience of having to pull out your cellphone and enter in the code from the text message each time you login to your account.
To gain the security benefits of true multi-factor authentication, the system should require at least two different types of authentication. A password paired with a cellphone that can receive text message authentication codes is very secure. To hack into an account with this type of authentication, one would have to steal both the user’s password and their phone (as well as bypass any security the user has on their phone).
If you’re interested in trying multi-factor authentication for your organization, sign up to request a free trial of ReACT by ASPG.
Photo Credit: Joanna Poe via: imager.io, cc
