In a world where data is the most valuable asset a person can own, a password alone no longer provides sufficiently strong identity verification for accessing a device or logging into an application.
Increasing password complexity, forcing users to rotate passwords, using a password manager and so on are just some of the measures that have been tried to reduce these threats.
Although each adds a layer of protection, users still fall into the same traps almost every day:
- Using the same username and password on multiple websites and platforms (one breach then unlocks every account through credential stuffing).
- Using personal details (name, email, date of birth, postcode, etc.) as usernames and passwords.
- Storing all account credentials in a plain notepad file, which is readable by anyone who gains access to the PC or phone.
- And so on.
Note: A good resource to find out if your account was ever compromised as part of a data breach is https://haveibeenpwned.com/
Is MFA the answer?
MFA is an effective measure that protects users from credential theft and from the exposure of credentials in a data breach. Even if someone obtains a password you use, they cannot prove your identity and log into that account without the second factor. One caveat: factors that can be relayed in real time (an SMS or app-generated one-time code typed into a look-alike site) still fall to phishing, so for high-value accounts prefer phishing-resistant factors that are bound to the genuine origin, such as FIDO2/WebAuthn security keys or platform authenticators.
How does MFA work?
The overall authentication process requires at least two of the three categories below, drawn from different categories (two passwords are still one factor):
- Something you know – such as a password or passphrase, a PIN, or the answers to secret questions.
- Something you have – a specific item in the user's possession, such as a physical or software security token, a one-time password (OTP) generator, a key fob, an employee access card, or a phone's SIM card.
- Something you are – a biometric, such as a fingerprint scan, facial recognition or voice recognition.
Why do we need MFA?
- Protection from unauthorised access and data breaches
- Reduce fraud and identity theft
- Increase customer trust
What makes a good MFA implementation?
The principle of MFA is that each factor compensates for the weaknesses of the others.
Therefore, every factor must be independent of the others (compromising one must not reveal or bypass another, so the OTP should not be delivered to the same device that holds the password), and the system must not tell the individual whether any single factor succeeded or failed until all factors have been submitted. A login that rejects a wrong password before ever asking for the OTP lets an attacker confirm stolen passwords one factor at a time.
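The two rules above (evaluate every factor before answering, and answer with a single generic result) are easy to get wrong in code. Below is an added example, not code from the original post: a minimal two-factor check in Python combining a salted PBKDF2 password hash with an RFC 6238 TOTP code. The demo key is the published ASCII test key from RFC 4226/6238 so the codes can be checked against the RFC vectors; the user record, the 200,000-iteration PBKDF2 setting and the one-step verification window are my assumptions for illustration. It also burns each accepted TOTP counter so a captured code cannot be replayed.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo key: the ASCII test key from RFC 4226 / RFC 6238, used only so
# the generated codes can be compared against the RFC test vectors.
DEMO_TOTP_KEY = b"12345678901234567890"
PBKDF2_ITERATIONS = 200_000   # assumed work factor for the demo


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = int(time.time()) if at is None else int(at)
    return hotp(key, at // step, digits)


def match_totp(key: bytes, code: str, at=None, step: int = 30, window: int = 1, digits: int = 6):
    """Return the counter the code matched, or None.

    Every candidate in the clock-skew window is checked with a constant-time
    compare and the loop never exits early, so timing does not reveal whether
    (or where) a match occurred.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    at = int(time.time()) if at is None else int(at)
    base = at // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = base + delta
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            matched = candidate
    return matched


def create_user(password: str, totp_key: bytes = None) -> dict:
    """Constructed in-memory user record: salted PBKDF2 hash, TOTP key, and the
    last accepted TOTP counter (replay protection, RFC 6238 section 5.2)."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS),
        "totp_key": totp_key if totp_key is not None else secrets.token_bytes(20),
        "last_counter": -1,
    }


def authenticate(user: dict, password: str, code: str, at=None) -> str:
    """Evaluate BOTH factors before deciding and return one generic message.

    The caller never learns whether the password or the code was the part that
    failed, so a stolen password cannot be confirmed without a valid OTP.
    """
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERATIONS),
        user["pw_hash"],
    )
    counter = match_totp(user["totp_key"], code, at)
    otp_ok = counter is not None and counter > user["last_counter"]
    if pw_ok and otp_ok:
        user["last_counter"] = counter   # burn the code: a captured OTP cannot be replayed
        return "OK"
    return "Authentication failed"


if __name__ == "__main__":
    user = create_user("correct horse battery staple", DEMO_TOTP_KEY)
    print(totp(DEMO_TOTP_KEY, at=59))   # RFC 6238 vector for T=59 (6 digits)
    print(authenticate(user, "correct horse battery staple", "287082", at=59))
    print(authenticate(user, "wrong password", "287082", at=59))
    print(authenticate(user, "correct horse battery staple", "287082", at=59))  # replay
```

In a real deployment the user record lives in a database, the password hash would use a memory-hard function such as Argon2 or scrypt, and failed attempts are rate-limited per account; the shape of `authenticate` (both factors evaluated, one outcome, counters burned) is the part that carries over.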
MFA as a requirement in international standards:
- PCI DSS – Requirement 8 mandates MFA for all non-console administrative access and all remote network access into the cardholder data environment (version 4.0 extends this to all access into that environment). The rule obliging banks to give licensed third-party payment service providers access to consumer accounts with the account holder's consent comes from the EU's PSD2, not from PCI DSS.
- ISO 27001 – the Annex A control on secure authentication (A.9.4.2 in the 2013 edition, A.8.5 in the 2022 edition) expects MFA for access to the most sensitive network services, information systems, applications, areas and facilities.
- NIST SP 800-171 – Requirement 3.5.3: use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
What about Passwordless authentication?
While MFA typically still uses a username and password as the first factor, passwordless authentication verifies someone's identity with a possession or biometric factor alone, for example a FIDO2/WebAuthn security key or platform authenticator unlocked by a fingerprint or PIN (which, in itself, combines something you have with something you are or know).
There is no doubt that both increase security, but depending on your use case each has limitations in:
- User experience
- Level of security
- Cost and third-party offerings
- Compliance
Whichever suits you best, consider them both next time you log into or create an account, in order to strengthen the authentication process and secure your data.