Big companies like Apple, Microsoft, and Bank of America have already started using multifactor authentication. If you’re not sure what MFA is and whether it would be good for your business, read on!
According to IBM, a single data breach costs companies an average of $4.24 million. For a startup or even a small or medium-size business (SMB), such a huge cost could cripple your business. Unauthorized access to key accounts, hacking, brute-force attacks and so on are some of the main contributors to data breaches. One of the ways you can protect your company from such cyber attacks is by using multifactor authentication (MFA).
But what is multi-factor authentication and how does multifactor authentication work? In this article we’ll explore the answers to both of those questions, how it differs from other IAM (identity and access management) concepts, and the factors you should consider while choosing an MFA method for your business.
What Is Multifactor Authentication?
With multifactor authentication, anyone trying to access digital assets must verify their identity by providing at least two verification methods. Just like in the real world where you need your driving license, state ID, or passport to authenticate yourself, in the virtual world, you need your password, one-time password/PIN (OTP), fingerprint, facial scan or retinal scan to prove you are who you claim to be.
With multifactor authentication, you need two or more “factors” to verify your identity. The core idea behind the MFA is that even if one factor of authentication is compromised, there is another layer of security to protect digital assets from unauthorized access.
These identity verification factors can be divided into three main categories:
Knowledge factor (i.e., – something you know): This is one of the oldest forms of authentication. Although the knowledge factor is easy to breach, it is still widely used. Examples of a knowledge factor include:
- A password,
- The answer to a security question,
- An ATM PIN, or
- A secret code.
Possession factor (i.e., – something you have): This category includes something you have in your possession. For example:
- A mobile app on your device that generates a PIN
- A smart card (such as a common access card [CAC]) and reader
- A company device on which personal authentication certificate is installed or a
- A USB token.
Although this verification type is more robust than the knowledge factor, it can be expensive for companies to implement.
Inherence factor (i.e., – something you are): This category of factors represents something that’s intrinsic to you that is difficult to steal or copy. Of course, there are ways to even breach even this method, but it is still one of the most secure factors. Examples of inherent factors include biometrics such as:
- Facial recognition scans,
- Voice samples, and
- Retinal scans.
How Does Multifactor Authentication Work?
As we mentioned earlier, with MFA, two or all three verification factors are used. Only after the user authenticates themselves in both or all the factors, they get access to the system. Otherwise, their entry is denied.
A basic visual representation of how multifactor authentication works
Multifactor authentication uses a combination of at least two of the three factors; knowledge, possession, and inherence. Let’s explore a few quick examples:
Example of Authenticating Using Knowledge + Possession Factors
Let’s say you want to access your Amazon account. First, you need to log in with your user ID and regular password. Then, Amazon’s system generates an OTP and sends it to your registered cellphone. You can only access your Amazon account after providing that OTP.
Example of Authenticating Using Knowledge + Inherence Factors
Suppose you have enabled facial recognition to unlock your phone. Once you authenticate yourself via that method, in order to access your bank’s app, you still need to provide a password to log in to your account.
In fact, some banks send an OTP to complete the transaction on your registered mobile even after you have already authenticated yourself earlier. It is a classic example of using all three authentication methods: inherence + knowledge + possession.
Example of Authenticating Using Possession + Inherence Factors
Let’s say your company has provided you a common access card (CAC). You can enter your office premises only after putting your card on the CAD reader. Now, there is a retina scan enabled on your office computer to access some resources. So, once you enter the office, you still need to authenticate yourself through the retina scan process in order to access some confidential resources.
MFA Vs. 2FA Vs. 2SA Vs. SFA
If you found the above title like a foreign language, you are not alone. When it comes to identity and access management (IAM), there are concepts and technologies in use that can confuse even tech-savvy people. These are the four main concepts used in IAM:
- Multifactor authentication (MFA): Two or more different authentication factors are used. The factors are knowledge, possession, and inherence.
- Two-factor authentication (2FA): Two different authentication factors are used. So, in a way, all 2FA methods are MFA, but not all MFA methods are 2FA. It’s like all types of M&Ms candies are chocolate but not all chocolates are M&Ms. MFA authentication can have more than two verification factors.
- Two-step authentication (2SA): Here, two authentication steps are used, but these steps can typically involve the same factor. For example, two knowledge-based steps could be entering a password then answering a security question. Or there could be two inherent steps; a fingerprint scanner at the entrance of your office, then a retina scan to access the office PC. So, 2SA may or may not be MFA.
- Single-factor authentication (SFA): As the name suggests, here only one factor is used for identity verification. It should be obvious that this is the least secure of all the methods. If your company is determined to use only one factor of authentication, it’s preferable to use the inherence factor as it is less likely to be compromised.
So now you know the terms, but out of these four authentication concepts, which one is the most suitable for your organization?
3 Things to Consider When Deciding Whether MFA is Right for Your Business
As a business owner, you need to make some tough decisions. Choosing the right authentication method is one of them. There is no one-size-fits-all solution here as a verification method that works for one business might not be the best choice for another.
Here are three main aspects to consider when deciding whether you need MFA in your business.
Some MFA tools are free while some are very expensive. Some free tools include:
- Google Authenticator,
- UNLOQ Two-Factor Authentication, and
- WordPress 2-Step Verification.
Freemium MFA/2FA tools include:
You could also write your own MFA code, as suggested here. But only do this if you’re extremely familiar with this technology and are a highly experienced programmer — this isn’t something you want to risk messing up.
Of course, there are paid commercial options available, too. Apps that generate OTPs/magic links for your business can charge you per user, per OTP, or a fixed price per month. Hardware security tokens generally start from $25 and can range up to $1,000 per piece. Fingerprint scanners cost less than $100 and are easily available online.
Example prices of fingerprint scanners on Amazon.com
According to Verizon’s 2020 data, 80% of hacking-related data breaches involve brute force attacks or lost or stolen credentials. MFA provides a stronger layer of protection against unauthorized access to digital assets through credential phishing attacks and other methods of credential-based attacks. Single-factor authentication is the weakest link in the security chain because people often don’t use strong passwords and reuse the same passwords for multiple accounts. That’s why giants like Google have moved towards two-step verification.
Another huge risk is brute force attacks. In this type of attack, hackers use automated scripts and bots to input numerous user IDs and passwords in a targeted login field until they find the right combination. But with MFA, hackers can’t access the targeted account without providing the other verification factors.
Does your business store users’ sensitive information? If so, how many security “hoops” would your users tolerate having to jump through to keep their data secure? This is something you must decide when choosing an IAM method.
For example, a user might not hesitate to go through an extra layer of security to access their bank account, but the same user will feel annoyed having to provide a password and then OTP to a website that doesn’t store any sensitive information. They might even abandon the website if they find the authentication process cumbersome.
Wrapping Up Multifactor Authentication
Multifactor authentication is here to stay, just like cybercrimes and cybercriminals. If you consider MFA “too much hassle”, consider this: according to Centrify, 65% of UK consumers lose trust in an organization after their data is involved in a data breach. Imagine the trouble you’ll face trying to regain customers’ trust if your organization experiences a data breach or hacking incident.
Or if you think multifactor authentication is an “unnecessary cost”, the costs associated with a cyber attack could be much higher. Consider the costs associated with legal battles, dealing with unauthorized fund transfers, loss of trade secrets and so on. Therefore, it’s crucial to implement a robust authentication method to protect your business and your users, and MFA is a great option.