
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


3 Things you probably didn't know about Multi-Factor Authentication (MFA)

Topics: Authentication, MFA, Two-Factor Authentication, Network Security

Posted: 23 January 2019


There is a very good chance that you have used multi-factor authentication (sometimes referred to as two-factor authentication) at some stage over the past few years, even if you are not familiar with the term.

You might recognise its hallmarks when having to enter a code into an authentication prompt, whether from a small plastic device, a smartphone app or even an SMS. Banks, tax authorities, some e-commerce sites and even employer networks have all been impressively good at introducing multi-factor authentication to the masses.

But how well do you know this staple of good security?

Here are three things about multi-factor authentication that you probably didn't know.

1. Not all MFA types are the same

The purpose behind the introduction of multi-factor authentication is to avoid the risks of guessed or stolen usernames and passwords by introducing an input which is both randomised and dynamic. It verifies the intended user through the ownership of the device which receives or generates the dynamic value.

That device could be a smartphone or a plastic token; the value could be received over a network or generated on the device itself.

Crucially, not all permutations are considered equal.

Values sent by SMS, a common alternative to plastic tokens, have been "deprecated" in NIST recommendations due to the growing prevalence of SMS interception technology. That is not to say that SMS delivery is insecure or should be avoided, but it should factor into any risk assessment related to multi-factor authentication.

2. Smartphone based MFA tokens often follow an open standard

Outside of plastic tokens and the SMS delivered equivalent, some administrators opt for the use of a smartphone app which calculates the MFA value and presents it on the screen.

This is a cheaper alternative to both of the previously described methods: users download a smartphone app and pair it with the multi-factor authentication system, usually by scanning a code.

What you probably didn't know is that smartphone app based MFA values are based on the open standards RFC 6238 (Time-Based One-Time Password) and RFC 4226 (HMAC-Based One-Time Passwords).

So what does this mean for you?

It means that you shouldn't need multiple smartphone apps for different multi-factor authentication systems. Google Authenticator, for example, should be able to store the tokens for all of them.

3. MFA is considered one of the most effective methods for reducing unauthorised access

The reason for MFA's ubiquitous use these days is very simple: it is considered to be the single most effective security mechanism for reducing unauthorised access, and a number of studies and publications back this up.

By randomising one of the authentication inputs, and crucially taking the choice of that input value away from the user, authentication immediately becomes more secure. After all, there is plenty of research showing that users pick woefully poor passwords.

In addition to these considerable benefits, multi-factor authentication is usually very simple to implement and, with MFA now so widely used, readily accepted by your user base.

If there is one solution you should ensure to have in place, it is MFA.

Posted by: Infinigate UK
