As careers, banking, and healthcare move online, the need for more secure authentication has become increasingly urgent. While passwords have been adopted as the most common form of authentication, they pose many problems in terms of cyber security.
In recent years, especially since the rise of remote work in 2019, the adoption of multi-factor authentication (MFA) has steadily risen to over 60% of workplaces. While this is a good sign, not all MFA methods are the same, and advanced hackers have easily circumvented some of them.
This article will explain the different types of multi-factor authentication, why it’s an important security measure, its limitations, and the best practices to implement it within your organization.
What is Multi-Factor Authentication?
Multi-factor authentication is a security measure that requires users to use multiple authentication methods to log into an app, platform, or account. These methods can range from software methods like passwords and temporary codes to physical methods like access cards and face recognition technology.
A crucial aspect of MFA is that the methods used must combine at least two of the three classes (factors) of authentication:
- Knowledge: something the user knows (a password or security question)
- Possession: something the user has (a device or account)
- Inherence: something the user is (biometric data)
Two methods from the same class, like a password and a security question, do not meet the requirements of MFA.
Why Use Multi-Factor Authentication
MFA has existed for a long time, but its greater adoption has only happened recently as remote work has become commonplace. If this method is well implemented, it boasts an impressive 96% efficiency rate at stopping cyber threats like phishing.
With numbers like this, it’s no wonder why MFA has gained popularity as a cyber security method. Not only does it significantly reduce the risk of data breaches, but it’s also a versatile solution that can be adapted to several situations.
Types of Multi-Factor Authentication
One of the greatest strengths of MFA is the number of options for authentication methods. While they don’t all provide the same level of added security, all of these methods still have their place and are in use today. Here are the most common ones:
SMS and email temporary codes
The most common type of MFA and the simplest for IT departments to implement, this method is also the one with the most pitfalls.
Here, once users enter their password, a temporary code is sent to the phone number or email address linked to their account to confirm their identity. If an attacker obtains the password through social engineering but has no access to the phone or mailbox, the attack is thwarted.
This method is increasingly considered unsafe because it is vulnerable to phishing: an attacker can trick the victim into handing over the code, or, when the code is sent to a smartphone, take over the phone number through SIM swapping.
Authenticator apps
This authentication method relies on a lightweight app installed on the user’s phone that needs no internet connection to work. The app generates numerical codes every 20 to 30 seconds from a secret and algorithm it shares with the service that owns the account being authenticated.
While the codes these apps produce are virtually impossible to crack, the apps are more complex to deploy than traditional email or SMS-based MFA. They also constitute a single point of failure if the linked smartphone is lost or destroyed.
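To make the shared-algorithm description concrete, here is an added example (not code from the original article or from any authenticator vendor) that implements the time-based one-time password scheme most authenticator apps use, RFC 6238 TOTP built on RFC 4226 HOTP, in Python. It assumes a 30-second step and the RFCs’ published test secret; the `TotpVerifier` class, its clock-skew tolerance and its replay guard are this example’s own design for the verifying side, not a particular product’s behaviour.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# In a real deployment the secret is generated per user at enrollment and handed to the
# app once (typically as a base32 string in a QR code); it is never the user's password.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)         # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps.

    Both the phone and the server can compute this from the secret and a clock alone,
    which is why the app works without any network connection."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier (example design): tolerates small clock skew, rejects replays."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift          # adjacent time steps accepted on either side of "now"
        self.last_counter = -1      # highest counter already spent; persisted per user in practice

    def verify(self, candidate: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= self.last_counter:
                continue            # replay guard: a window that was already used is never accepted again
            expected = hotp(self.secret, c, self.digits)
            # constant-time comparison so a wrong guess leaks nothing through timing
            if hmac.compare_digest(expected.encode(), candidate.encode()):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print(totp(TEST_SECRET, 59))                      # RFC 6238 vector: 287082 (last six digits of 94287082)
    verifier = TotpVerifier(TEST_SECRET)
    print(verifier.verify(totp(TEST_SECRET, 59), 59))  # True: fresh code
    print(verifier.verify(totp(TEST_SECRET, 59), 59))  # False: the same code replayed
```

The verifying side is where the security decisions live: accepting one adjacent step lets a phone whose clock drifts by a few seconds still log in, while remembering the last spent counter means that a code captured by phishing cannot be reused during the same window. Real deployments also rate-limit attempts per account, since a six-digit code with a one-step tolerance is only a few million guesses wide.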
Physical authenticator devices
Items like access cards, RFID tokens, and security keys offer a very high level of security and are nearly impossible to circumvent. While they can be tedious to roll out at first, users end up integrating them into their workflows until they become second nature.
The main issue with these measures is the physical nature of these items. They can be lost, stolen, or destroyed inadvertently. Replacing them is a complicated and potentially costly process.
Biometric authentication
This method relies on advanced technologies like fingerprint, retinal, or facial recognition scans. Until recently, the prohibitive cost of these technologies kept them reserved for highly secure facilities like laboratories and military sites.
However, in the last ten years, they’ve been integrated into common devices such as smartphones and laptops.
Biometric authentication is very secure when included in an MFA process. However, low-quality facial recognition can be fooled by high-resolution pictures. Additionally, facial recognition isn’t suitable for all situations since factors like direct sunlight can cause it to fail.
Security questions and codes
While these are more often used when a password is forgotten or an app fails, they are still technically an authentication method.
Security questions are no longer considered a secure method, since the answers can easily be guessed from information gleaned from social media. Security codes are much safer, but only if they are kept in a password manager.
Multi-Factor Authentication Best Practices
MFA adoption and integration into business practices is bound to grow until most companies worldwide use it. However, users can easily find the MFA process tedious if it isn’t implemented properly.
Remember that every step you add to the MFA process degrades the user experience. Complicated processes can easily lead users to try to circumvent the safety measures to make everyday usage more convenient.
Third-party risk assessment
Companies that provide MFA software are generally highly focused on cyber security. However, running a full audit of their processes is still a good idea before selecting a partner to implement your solution.
Cyber security awareness training
MFA is an excellent addition to any company’s cyber security program, but it must not be seen as an end-all-be-all. To be effective, MFA must be paired with a robust cyber security awareness solution that keeps your users informed about the most recent cyber threats.
Since certain types of phishing can affect the security level of MFA, it’s essential to keep your users trained on the signs of this type of cyber threat.
Is MFA As Secure as It Used to Be?
The answer to this question is a matter of perception. Of course, MFA was at its most secure when it was first introduced with temporary email codes. Since then, hackers have found ways to weaken it, but it’s still an extremely powerful cyber security method if used correctly.
MFA is quickly becoming an essential part of any good cyber security program. With a growing number of technology providers simplifying and supporting MFA, this process also doesn’t have to feel like a chore anymore.
Ready to put your defenses to the test?
When combined with a proper cyber security awareness program, MFA is the best option to keep your network and software safe. Click here for a free 30-day phishing simulation to test your users’ knowledge against phishing.