<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

3 Things you probably didn't know about Multi-Factor Authentication (MFA)

Topics: Authentication, MFA, Two-Factor Authentication, Network Security

Posted: 23 January 2019

3 Things you probably didn't know about multi-factor authentication MFA

There is a very good chance that you have used multi-factor authentication (sometimes referred to as two-factor authentication) at some stage over the past few years, even if you are not familiar with the term.

You might recognise its hallmarks when having to enter a code into an authentication prompt, either from a small plastic device, a smartphone app or even an SMS. Banks, tax authorities, some e-commerce sites and even employer networks have all been impressively good at introducing multi-factor authentication the masses.

But how well do you know this staple of good security?

Here are three things about multi-factor authentication that you probably didn't know.

1. Not all MFA types are the same

The purpose behind the introduction of multi-factor authentication is to avoid the risks of guessed or stolen usernames and passwords by introducing an input which is both randomised and dynamic. It verifies the intended user through the ownership of the device which receives or generates the dynamic value.

That device could be a smartphone or a plastic token; the value could be received over a network or generated on the device itself.

Crucially, not all permutations are considered equal.

Values sent by SMS, a common alternative to plastic tokens, has been "depreciated" in NIST recommendations due to the growing prevalence of SMS interception technology. That is not to say that it is insecure or should be avoided, but this should factor into any risk assessment related to multi-factor authentication.

2. Smartphone based MFA tokens often follow and open standard

Outside of plastic tokens and the SMS delivered equivalent, some administrators opt for the use of a smartphone app which calculates the MFA value and presents it on the screen.

As a cheaper alternative to both the previously described methods, users must download a smartphone app and pair it with the multi-factor authentication system, usually by scanning a code.

What you probably didn't know is that smartphone app based MFA values are based on the open standards RFC 6238 (Time-Based One-Time Password) and RFC 4226 (HMAC-Based One-Time Passwords).

So what does this mean for you?

It means that you shouldn't need to have multiple smartphone apps for different multi-factor authentication systems. Google Authenticator for example, should be able to store the token values of all.

3. MFA is considered one of the most effective methods for reducing unauthorised access

The reason for MFA's ubiquitous use these days is very simple; it is considered to be the single-most effective security mechanism for reducing unauthorised access; and there are a number of studies and publications which back this up.

By randomising one of the authentication inputs; and crucially taking away the choice of that input value from the user. Authentication becomes immediately more secure. After all, there is also plenty of research which shows that users pick woefully poor passwords.

In addition to the insurmountable benefits, multi-factor authentication is usually very simple to implement; and with more and more MFA in use, highly acceptable to your user base.

If there is one solution you should ensure to have in place, it is MFA.

New call-to-action

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts