Why do we need Multi Factor Authentication?
Access to the applications containing sensitive data can never be protected with a password alone. Password is proven to be prone to hacks as it is easily guessable with relatively lighter effort. The chances are your password, and access credentials are sold on the dark web at a much cheaper price as a commodity service. The security industry realized the inherent weakness of password-based protection and came up with additional security measures. Ideally, system access can be protected with three things or factors– what you know, what you have, and who you are. The combination of any two or all of these factors provides the needed security for accessing applications and data. Hence the name multi-factor authentication came in prominence in the dictionary of the security professionals.
Examples of Different Authentication Factors
Passwords remain as one of the top choices for “what you know” factor. Step up knowledge-based authentication also acts as a factor in this category though it is not secure alone. Along with a password or passphrase or PIN, it can be used as a moderately strong authentication mechanism. Answering questions like what was the make and model of your first car or any other personal details ensures the authenticity of the user as the information is expected to be known by the user only. Public key certificates, the hardware or software tokens serve the purpose of “what you have” factor, and biometrics like voice patterns, fingerprints, or retina pattern match will be some of the examples of the “who you are” factor.
Prominent Multifactor Technologies Available in the Industry
Out of Band Techniques like SMS, emails, phone calls
Providing the second- factor over SMS has long been used as an acceptable MFA practice even though it is not fully secure. Hackers have shown to be taking control over the mobile device or highjack the SMS second-factor code to do a fraudulent MFA authentication. As of 2016, NIST denounced the use of SMS based second- factor as SMS can be intercepted or even redirected to make the overall process insecure. Second-factor tokens can be delivered to user’s registered email devices or phone calls to the home or cell phone playing the pin code.
Kind of an old school technology where the token code is in synchronization with the backend server code, users must carry it to provide the second factor during the authentication process. It is also a regulatory ask from PCI and other industry standards to have a second-factor mechanism for accessing data from outside of the network. It is cumbersome to carry a token when the user travels, also an operation intensive work to on-board or off-board users with tokens.
Mobile Application/Software Tokens
Users can have a token application in their mobile phone that receives tokens pushed from the cloud-based token generation service. No longer must they carry a hardware token as the tokens are available in the mobile applications. There are many mobile applications available on IOS and Android devices. Support for multiple accounts, extending the application to a new device in case of lost or stolen device and, restoring from backup will be some of the considerations before selecting a mobile app for the multi-factor authentication.
With the advent of technology, biometric identifiers are no longer that expensive and difficult to implement solutions. Apple or Android phones have built-in biometric sensors to capture the user’s identity and validate their access to a resource. Fingerprint, face ID, voice pattern match or, retina scans are some of the biometric scanning techniques widely used in the industry.
Future Trends in MFA
Today a consumer must register with an application, part of the registration processes either he/she creates an identity in the application ecosystem or integrates existing directory store with the application for authentication validation. As we use many more applications, starting from banking to utility payments to insurance and many more, we create our identities with these service providers. Every month we hear news about the breaches with many big companies, and our identities also become a victim of these breaches. So how to count of these services providers that they will take security seriously to protect our identity and data? The answer is you can not count on any provider that they will ensure your ID is secure. The best option here is NOT to create identities with every single service provider and look for alternate options.
“Ideally, system access can be protected with three things or factors– what you know, what you have, and who you are”
The following technologies are disrupting the MFA and authentication industry. In the next 18-36 months, I believe we can expect more adoption of these technologies across many industries.
FIDO based Password less Authentication
It is gaining a lot of traction after Google’s adoption for its corporate employees. Based on public-key cryptography and coupled with a biometric authentication system, FIDO is gaming true momentum these days. In FIDO-compliant applications, a user registers its device and generates public/private key pair after validating the identity from biometric sensors available in the mobile device like faceID or fingerprint. Then the public key is registered with the service provider application, and private key stays with the mobile phone and never gets shared. This way, the user is safe from identity theft issues. Every time the user tries to login to the external website of the service provider, a challenge is encrypted with the private key stored in the mobile phone or FIDO-compliant external device connected with a mobile phone after verifying with faceID / fingerprint/ PIN. The remote server can decrypt the challenge with the user’s registered public key, and this way user’s identity can be validated. FIDO-compliant hardware devices or mobile applications are getting real traction, and many big Banking corporations have turned on FIDO based password less authentication for their customers in the mobile banking application.
Blockchain for Identity & MFA
Blockchain has come up as an alternate to provide tamperproof MFA. It is extremely difficult and virtually impossible to change identity information in the cryptographic chain of identities using consensus as a protocol to validate integrity. Hydro Raindrop is an example of blockchain-based technology getting extremely popular in providing MFA and authentication for the applications.
In my opinion, more adoption of FIDO and Blockchain in MFA space is likely to be seen in the industry in the next two years. Technology companies and the financial services industry is leading the adoption in this space. Password less authentication riding on FIOD or blockchain will be more prevalent in the coming days. CISOs should prepare their teams with the needed skills and training in this space and a board-level socialization of the upcoming disruptions in Identity & MFA industry.