In today’s digital world where people need to access multiple IT systems and online services, passwords are often a weak link in the chain. In a report by LastPass, it is estimated that 91% of people understand the risks of reusing passwords, but 61% of people still do it. Passwords can be compromised in other ways. One example is when cyber criminals use phishing and other forms of social engineering to trick a user into divulging their password. The UK Government’s Cyber Security Breaches Survey 2022 shows that phishing is the most common threat, with phishing attempts accounting for 83% of all cyber-attacks.

As part of our Cyber Security Simplified series of articles, we explore multi-factor authentication and how it can mitigate the risk of relying on passwords.

Multi-factor authentication

What is Multi-Factor Authentication?

When you sign into an IT system or an online service you are proving you are who you say you are – this is a process called authentication. Traditionally we have done this with a username and password, but the problem is usernames and passwords are easily discovered. If someone can find a user’s password, they can sign in to IT systems and online services pretending to be that user.

There are different ways of proving your identity. This could be something you know such as a password, something you have such as your smartphone or something unique about you such as your fingerprint. When you bring two distinct authentication factors together like a password and smartphone to prove your identity you have multi-factor authentication.

Consider how much harder it would be for an attacker to find a user’s password and steal something in their possession or forge something unique about that user like their fingerprint. Anyone who tries to sign in without both means proving their identity is unable to sign in.

Why is Multi-Factor Authentication important?

Multi-factor authentication is a great way to add another layer of protection to the sign-in process and can make it much harder for cybercriminals to steal your valuable information or commit identify theft.

If the IT systems and online services have implemented multi-factor authentication, then a cybercriminal armed with only a username and password will get stuck very quickly. That’s not to say that multi-factor authentication is a silver bullet and will stop all cyber-attacks. Instead, multi-factor authentication should be part of your company’s overall cyber security strategy.

What is an authentication factor?

An authentication factor is something that proves the user’s identity, and most authentication factors fall into one of three categories:

  1. Knowledge – Something you know – examples include passwords and answers to security questions.
  2. Possession – Something you have – examples include a smartphone or hardware device such as a Smartcard or Token.
  3. Inherence – Something you are – examples include biometrics such as fingerprints, facial and voice recognition

One limitation of Inherence factors is that they are difficult (if not impossible) to replace when compromised. If an attacker can forge a user’s biometrics, then the only solution is to either stop using that particular factor or change the system so that it can detect the forgery.

MFA vs 2FA vs 2SV – What’s the difference?

Multi-Factor Authentication (MFA), Two-Factor Authentication (2FA) and Two-Step Verification (2SV) are all terms that describe the same process – Using multiple “things” to prove your identity.

  • MFA requires two or more distinct factors to prove the user’s identity
  • 2FA uses exactly two distinct factors to prove the user’s identity
  • 2SV uses exactly two factors to prove the user’s identity.

Notice that MFA and 2FA require distinct factors which means that the factors must be different. This contrasts with 2SV which doesn’t have this requirement and could use two factors of the same type such as a password and the answer to a security question.

It’s worth highlighting that using relying on two factors of the same type is inherently weak from a cyber security perspective. If an attacker has found a user’s password, then it’s highly likely they can also find the answer to their security question. Although security questions have been used by many organisations including banks, they are a poor substitute for other factors. With a little bit of ingenuity, someone could easily find your mother’s maiden name or your first pet.

Technically 2FA and 2SV are a subset of MFA, but regardless of the name, the idea behind them is the same. Although some vendors use the term MFA that doesn’t always mean they support the use of more than two factors. Equally just because a vendor uses the term 2SV doesn’t mean they only use factors of the same type. Sometimes it’s just the term picked by the vendor and they’ve stuck with it as their product has evolved.

You might ask if MFA is more secure than 2FA. After all, if two is good then three must be better, right? The answer is it depends – theoretically, yes, requiring three factors should be more secure, but it’s important to balance the need for greater security against a good user experience. If we make the login process unnecessarily difficult for our users, they are more likely to look for shortcuts which could comprise security.

The term used by software vendors and online services varies. Microsoft calls it Multi-Factor Authentication, Google calls it 2-Step Verification, and Twitter calls it Two-Factor Authentication.

In this article, we’ll use the term Multi-Factor Authentication.

How Does Multi-Factor Authentication Work?

Imagine you are signing into your online banking and entering your username and password. How can your bank determine if the sign-in attempt is from a genuine user or a cybercriminal trying to steal money? The answer is they can’t – if both the cybercriminal and the user know the username and password then from the bank’s perspective there is no way to tell them apart.

If the online banking is using multi-factor authentication, then after entering the password you are prompted to verify your identity using an additional factor. This could be an SMS text message sent to your phone containing a code that needs to be entered. As the cybercriminal doesn’t have access to your phone, they can’t provide the code and are unable to sign in to the online banking website.

Where should Multi-Factor Authentication be used?

Ideally, multi-factor authentication will be used as part of a risk-based authentication strategy. This is sometimes called adaptive authentication. This approach analyses the context of the sign-in attempt and presents the most appropriate level of authentication to the user based on the perceived level of risk.

Using a risk-based authentication strategy we can consider factors such as the user’s location, time of day, and device being used to determine the level of risk. A user signing in using a company-owned laptop in the office during the working day is likely to be considered low risk, whereas a user signing in using a phone from a coffee shop on a weekend might be considered medium risk. Taking this one step further, if a sign-in attempt was made from multiple countries in a short time frame this might be considered high risk.

  • If the level of risk is determined to be low, the user may only be prompted to enter their password.
  • If the level of risk is determined to be medium, the user may need to enter their password and accept a push notification on their phone.
  • If the level of risk is determined to be high, the sign-in attempt can be blocked.

Is Multi-Factor Authentication complicated to use?

If implemented correctly multi-factor authentication should strike the right balance between ease of use and cyber security. Ultimately the goal is to create as little friction as possible for a genuine user while being prohibitively difficult for a cybercriminal attempting to impersonate a legitimate user.

Many multi-factor authentication solutions will remember if a user has already logged in from the same device before and won’t prompt them to use an extra factor for a few days. Even though the user might not realise it, they are still using multi-factor authentication – the second authentication factor becomes a key that is cached on their device.

Important considerations when implementing Multi-Factor Authentication

When implementing Multi-Factor Authentication it’s important to consider what happens if a user loses their extra factor – for example their phone is lost or stolen. You’ll need to make sure there is a process for reporting the loss so that an attacker can’t use this device to impersonate the user and bypass the multi-factor authentication. Some services provide a backup method so that a user can still log in if they lose their phone – this could be for example using an alternative phone number to send an SMS text message.

Another scenario you’ll need to plan for is how IT support staff can gain access to the IT systems they manage if the multi-factor authentication service is unavailable. One solution is an “emergency” or “break glass” account that uses a single authentication factor and only works when then the multi-factor authentication service is unavailable. This account should be subject to increased monitoring so that misuse can be detected.

Does Multi-Factor Authentication mean I won’t be hacked?

Unfortunately – no. Whilst Multi-Factor Authentication can significantly reduce the likelihood of an account being compromised, it should never be the only thing standing between your IT systems and a determined attacker. Instead, IT managers and business owners should use Multi-Factor Authentication as part of an overall strategy to defend against cyber-attacks from multiple perspectives.

What Next?

We hope this article helped you understand the importance of multi-factor authentication and how it can be part of an overall cyber security strategy. If you would like to learn more about cyber security, be sure to check out the other articles in our Cyber Security Simplified series.

If you want to improve cyber security in your business, speak to IT security consultant Ripley Solutions today.