Strength in Numbers

Multifactor authentication goes to extra lengths to improve security.

Hackers rarely break into corporate networks by defeating perimeter defenses head-on. More often they simply log in, using legitimate user credentials.

According to the Verizon 2021 Data Breach Investigations Report, 61 percent of breaches involved credential data. Not surprisingly, credentials are among the most sought-after pieces of information for attackers: a valid login grants near-unfettered access to an organization’s systems and data, and because the resulting activity looks like an ordinary user session, the intrusion can be difficult to tell apart from legitimate use.

Multifactor authentication (MFA) can stop an attacker who holds a weak, default or stolen password from doing anything with it. Microsoft has reported that accounts protected by MFA are more than 99.9 percent less likely to be compromised. That figure reflects bulk, automated attacks; a targeted phisher who relays a one-time code to the real site in real time can still get through, which is why phishing-resistant methods such as hardware security keys are preferred for the highest-value accounts.

As the name implies, MFA requires two or more independent factors to verify a user’s identity. A username is not a factor; it merely identifies the account that is attempting to log in. A username plus a password, even when both are kept secret, is still single-factor authentication, because both are things the user knows.

To qualify as MFA, a system must require at least two of the three generally recognized categories of authenticator:

  • Something you know. Passwords and personal identification numbers (PINs) fall into this category.
  • Something you have. A hardware security token, an authenticator app on a phone, or a verification code sent by text message to a mobile phone. Text-message codes are the weakest option in this category: they can be intercepted or redirected (for example through SIM swapping), and NIST SP 800-63B classifies them as a restricted authenticator.
  • Something you are. Biometrics, such as fingerprints, facial geometry or iris and retinal scans.

Most organizations that have deployed MFA use two factors, but there is growing support for requiring all three. Security experts also increasingly recommend passwordless approaches, such as FIDO2/WebAuthn security keys and platform authenticators, that remove the traditional password from the process altogether.

The Password Problem

The shift to remote work has made MFA a security imperative. With many employees reaching corporate IT resources from outside the network, attackers have stepped up their efforts to steal credentials. A password-only account is also defenseless against credential stuffing, in which attackers replay username and password pairs leaked in breaches of other sites. Credential stuffing works because users frequently reuse the same password across multiple accounts, so a password stolen from one service unlocks others.
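Credential stuffing has a recognizable shape in authentication logs: one source address cycles through many distinct usernames, most attempts fail, and the occasional success lands on an unrelated account. The following detector is added here as an example and is not part of the original article. It runs that heuristic over a few constructed log lines in a hypothetical "<timestamp> <source-ip> <username> <result>" format; the thresholds (at least five distinct accounts within five minutes, with no more than half of the attempts succeeding) are assumptions to be tuned for each environment.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example, not from the original article. The log format is a
constructed, hypothetical one: "<ts> <src_ip> <username> <result>".
A single user mistyping a password produces repeated failures for ONE
account; credential stuffing produces failures across MANY accounts
from one source, with a few scattered successes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 203.0.113.7 sprays ten
# accounts in eight seconds and lands one hit; 198.51.100.4 is a real
# user fumbling their own password.
SAMPLE_LOG = """\
2021-06-01T10:00:01 203.0.113.7 alice FAIL
2021-06-01T10:00:02 203.0.113.7 bob FAIL
2021-06-01T10:00:02 203.0.113.7 carol FAIL
2021-06-01T10:00:03 203.0.113.7 dave SUCCESS
2021-06-01T10:00:03 203.0.113.7 erin FAIL
2021-06-01T10:00:04 203.0.113.7 frank FAIL
2021-06-01T10:00:05 203.0.113.7 grace FAIL
2021-06-01T10:00:06 203.0.113.7 heidi FAIL
2021-06-01T10:00:07 203.0.113.7 ivan FAIL
2021-06-01T10:00:08 203.0.113.7 judy FAIL
2021-06-01T10:05:00 198.51.100.4 alice FAIL
2021-06-01T10:05:10 198.51.100.4 alice FAIL
2021-06-01T10:05:30 198.51.100.4 alice SUCCESS
2021-06-01T11:00:00 203.0.113.7 alice FAIL
"""


def parse(log_text):
    """Yield (timestamp, source_ip, username, succeeded) per log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.5):
    """Return {source_ip: finding} for every source whose attempts inside
    some sliding time window touch >= min_users distinct accounts while
    mostly failing. The largest qualifying window per source is reported,
    together with the accounts that were successfully logged into (the
    ones an incident responder must reset first)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the left edge forward until the span fits the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                if best is None or len(span) > best["attempts"]:
                    best = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "compromised": sorted(u for _, u, ok in span if ok),
                    }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(SAMPLE_LOG).items():
        print(f"credential stuffing from {ip}: {finding}")
```

Only the spraying source is reported; the legitimate user's three attempts against a single account never reach the distinct-account threshold, which is what keeps this rule from paging on ordinary typos. In production the same counting would run over a streaming log pipeline and the window and thresholds would be tuned to the application's normal login volume.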

Weak, easily guessed passwords are another problem. For years, studies of leaked password sets have ranked “123456” and “password” as the most commonly used passwords. Many organizations try to force users to choose long, complex passwords, but this mainly increases user frustration and calls to the help desk, and users respond with predictable workarounds such as appending a digit or the current year.

User education helps, but all too often users trade security for convenience. Relying on passwords alone places the entire security burden on the user. MFA shifts much of that burden onto the system: a stolen or guessed password is no longer enough on its own.

Until recently, MFA adoption was held back by cost and complexity. Traditional MFA solutions use hardware security tokens, small devices such as key fobs that hold a secret seed and generate one-time codes from it to prove the user’s identity. A single token can cost $100 or more, and IT departments carry significant management overhead: tokens must be issued to every new user, replaced when lost and revoked when an employee leaves.

These issues can largely be resolved by using the mobile devices users already carry. An inexpensive authenticator app generates the same kind of time-based one-time password on the phone itself, or the service can send a one-time code to the phone by text message. Most users have their smartphone handy and don’t have to keep track of an extra device.
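Hardware tokens and authenticator apps both produce their codes the same way: the token and the server share a secret seed, and the token turns a counter (HOTP, RFC 4226) or the current 30-second time step (TOTP, RFC 6238) into a short code with HMAC, so the seed itself never crosses the network. The block below is an added example, not code from the original article: it implements both algorithms, checks them against the published RFC test vectors, and adds the two things a server-side verifier needs in practice and that the article does not describe, namely a small clock-skew window and rejection of a code that has already been accepted. The in-memory per-user store of the last accepted time step is an assumption of this example.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by authenticator apps and
hardware tokens, plus a server-side verifier.

Added example, not from the original article. TEST_SEED is the shared
secret from the RFC test vectors; real seeds are random and per user.
"""
import hashlib
import hmac
import struct
import time

# ASCII "12345678901234567890", the seed used in the RFC 4226 / 6238 test vectors.
TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check of a submitted TOTP code.

    skew: how many time steps of clock drift to tolerate on either side.
    last_step: newest time step already accepted per user (hypothetical
    in-memory store), so a code cannot be replayed while still valid.
    """

    def __init__(self, skew: int = 1, step: int = 30, digits: int = 6):
        self.skew, self.step, self.digits = skew, step, digits
        self.last_step = {}

    def verify(self, user: str, secret: bytes, submitted: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            # Refuse any step at or before one this user has already consumed.
            if candidate <= self.last_step.get(user, -1):
                continue
            expected = hotp(secret, candidate, self.digits)
            # Constant-time compare so timing does not leak matching digits.
            if hmac.compare_digest(expected, submitted):
                self.last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(TEST_SEED, 0))            # RFC 4226 vector: 755224
    print("TOTP at t=59   :", totp(TEST_SEED, 59, digits=8))  # RFC 6238 vector: 94287082
    v = TotpVerifier()
    now = int(time.time())
    code = totp(TEST_SEED, now)
    print("first use      :", v.verify("alice", TEST_SEED, code, now))  # True
    print("replayed       :", v.verify("alice", TEST_SEED, code, now))  # False
```

The replay check matters because a phished or shoulder-surfed code stays valid for the rest of its 30-second step plus the skew window; remembering the last accepted step per user closes that gap without any extra round trip. The same seed provisioned into a key fob and into a phone app yields identical codes, which is why the two are interchangeable from the server's point of view.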

Double Take

By combining something you know (a password or PIN) with something you have (the phone that holds the authenticator secret), mobile device authentication makes two-factor authentication relatively easy to deploy. Smartphones can also enable the jump to three factors by adding something you are: biometrics. Fingerprint sensors became common in smartphones after Apple introduced Touch ID in 2013, and newer devices support voice and facial recognition. Developers can often add a biometric prompt to their apps with a few lines of platform code. One caveat: the biometric typically unlocks a key stored on the device and is never sent to the server, so it only counts as a factor when the server verifies that the device-held key was actually used, for example by checking a signed challenge.

MFA has seen increasing use in recent years due to the rise in security breaches related to credential theft and weak passwords. According to a new study by Osterman Research, 70 percent of employees and 40 percent of customers must use MFA to access certain applications and data. However, 85 percent of organizations still use passwords for employee access and 78 percent for customer access, although only 26 percent believe passwords provide highly secure authentication.

MFA adoption is most prevalent in the healthcare and financial services sectors, and in May 2021 President Biden issued Executive Order 14028, which requires federal agencies to implement MFA. The Payment Card Industry Data Security Standard (PCI DSS), mandatory for any business that stores, processes or transmits cardholder data, requires MFA for remote access into the cardholder data environment.

The shift to remote work and the growing use of cloud services have amplified credential-related threats, creating demand for stronger authentication. Multifactor authentication goes beyond the traditional username and password combination, adding a layer of protection that greatly reduces the risk of unauthorized access.
