What is it?
A combination of two or more dissimilar authentication modes, called factors (possession, knowledge, inherence, location, or habit), that must be presented together as part of the process of authenticating the identity of a person or device requesting access.
Why is it important?
When properly implemented, multi-factor authentication (MFA) makes it harder for someone to impersonate an authorized user, giving you a higher level of confidence about the identity of a person or entity attempting to access your system.
Why does a business professional need to know this?
Many data breaches start with the theft of user credentials. At the 2017 Black Hat Conference, a survey question asked: Which of the following is most responsible for security breaches? The choices were: humans, not enough security software, unpatched software, or other. Eighty-five percent (85%) of the hackers surveyed said humans.(blackhat 2017)
When the same group was asked what was the strongest barrier to stealing credentials, sixty-eight percent (68%) said it was the combination of multi-factor authentication and data encryption.
Business professionals need to know about multi-factor authentication so they can adapt authentication to meet their needs while balancing expense with security.
Authentication factors include the following:
- Physical things such as key cards
- Biometric factors such as fingerprints/iris scans
- Knowledge such as a password or PIN that the user knows
MFA happens when a combination of two or more of these methods is presented at the same time. What makes MFA more secure than single-factor authentication is that the odds of a hacker possessing two or more of the authentication factors at the same time are very low.
One factor alone is weak authentication. Cards can be cloned, passwords cracked, biometrics fooled, and smartphones stolen. The combination of two or more of the same factor (like two cards, two passwords, or two biometrics) is not true multi-factor authentication. While stronger than having only a single factor, combining two of the same factor is double single-factor authentication.
The first step to hacking into many networks is to bypass the logon authentication by stealing a legitimate user credential. Cybersecurity starts by first knowing who is knocking on the virtual front door. That knowing begins with multi-factor authentication.
References
- (Bonnett 2016) Making Passwords Secure - Fixing the Weakest Link in Cybersecurity : Bonnett, Dovell (2016). Access Smart Media. Book. Debunks many of the myths of infallibility surrounding multi-factor authentication and other high-technology solutions in favor of a pragmatic approach to password management.
- (Stelmakowich 2017) Multi-factor authentication central to helping reduce data breaches: Ostertag: Angela Stelmakowich (2017).
- (Pahuja 2017) No passwords please: The need of a strong authentication protocol in the digital age: Pahuja, Anupam (2017). Moneycontrol. Discusses the importance of strong authentication to prevent identity theft and fraud.
- (Lilliestam 2016) Practical IT Security for Everyone: Lilliestam, Emma (2016). YouTube. Video. Conference talk that provides security tips that are easy to install and use.
- (blackhat 2017) 2017 BlackHat Hacker Survey: Thycotic (2017). Survey of attendees at the 2017 Black Hat Conference in Las Vegas.
- (Keeper 2017) Password Management Evaluation Guide for Businesses: Keeper Security, Inc. (2017). PDF.
About Dovell Bonnett
Dovell Bonnett has been creating computer security solutions for over 20 years. In 2005, he founded Access Smart to provide cyber-access control solutions to government and small-to-medium-sized businesses in areas such as healthcare. His premier product, Power LogOn, is a multi-factor authentication, enterprise password manager.
Dovell is a frequent speaker and consultant on the topic of passwords, cybersecurity, and multi-factor authentication. His most recent book is Making Passwords Secure: How to Fix the Weakest Link in Cybersecurity.
Term: Multi-factor Authentication
Email: Dovell@access-smart.com
Website: access-smart.com
Twitter: @AccessSmart
LinkedIn: linkedin.com/in/accesssmart
Facebook: facebook.com/AccessSmart