How many types of security systems do you know? Have you ever been asked to verify that you are human even after entering the right password when logging into certain sites? Sometimes the verification involves selecting pictures or retyping figures or letters to prove you are not a robot, and at times a code called a One-Time Password (OTP) is sent to the email address or phone number you provided when you registered, so as to verify that you are the owner of that account. This is what is called multi-factor authentication (MFA). Remember that there is also Two-Factor Authentication (2FA), which I have written about in the past.
Multi Factor Authentication
MFA is a security system that requires more than one method of authentication, drawn from separate and independent categories of credentials, to verify your identity before you can log in or perform a certain transaction. The system combines two or more of the user's independent credentials, that is:
- What you know (password)
- What you have (security token)
- What you are (biometric verification)
The main goal of MFA is to build a layered defense that prevents unauthorized persons from accessing targets such as databases, buildings, networks and computer systems. If someone breaks one authentication factor, there is still at least one more barrier to breach before they can get into the target.
Applications of Multi Factor Authentication
- When you swipe your card and are asked to enter the PIN. For instance, when paying for purchased items with a debit or credit card, you enter the PIN to authorize the transaction. In this scenario, you first need to have the card and then know the correct PIN.
- When you log into a website like Facebook and are required to enter an additional OTP sent to your email or phone by that website's server.
- When you download a Virtual Private Network (VPN) client with a validated digital certificate and must log in to the VPN before you can access the network.
- In some circumstances you might find that you swipe your card, then have your fingerprints scanned and finally have to answer a security question. If you are a fan of movies you may have seen this, especially where large transactions are made or high-security areas are accessed.
- At times you may have seen people attaching a USB hardware token to their desktops to generate a one-time passcode and then using that code to log into a VPN client.
Background
One of the biggest challenges of the traditional user ID and password login is maintaining a password database. Whether it is encrypted or not, if the database is captured by attackers it can be cracked over time, thanks to high-speed CPUs that favor brute-force attacks. The processing speed of CPUs has increased greatly, and this has worked to the advantage of hackers, together with developments in GPGPU computing and rainbow tables. For example, a GPGPU can crack over 5 million passwords per second, so a traditional password database alone does not stand a chance against such methods. Previously, MFA systems relied upon two-factor authentication.
Authentication factors
This refers to the class of information that is used to verify your identity. The credentials can be categorized into three common groups:
- Knowledge factors - the information that you must provide to log in, such as your name, ID, PIN and password.
- Possession factors - things that you must physically have in order to log in, such as SIM cards, OTPs, security tokens, key fobs and ID cards.
- Inherence factors - your biological characteristics that need to be confirmed for you to log in, such as facial and voice recognition and fingerprint scans.
- Other factors that might be considered include location and time factors.
Technologies that can be used in MFA
- Security tokens - small hardware devices that users use to gain access to a network service. They may look like an ordinary ATM card or a USB drive.
- Soft tokens - software-based security tokens that generate a one-time PIN.
- Mobile authentication - includes verification through SMS and phone calls, and other smartphone applications that allow the user to receive an OTP.
- Biometric methods - include facial recognition, fingerprint scanners, retina scanners and voice recognition.
- GPS can be used as an authentication factor. For example, a bank knows my location is mostly in Chicago; if my card is used from another state or country, there is a high chance the transaction will not go through.
- Smart cards - these include employee ID and customer loyalty cards that can be used for identification.