What is multi-factor authentication?
Multi-Factor Authentication (MFA) is a method used to grant access to a computer or application. Access is granted only after the user has provided a username plus credentials from two different authentication methods, e.g., a passcode and, in the case of biometrics, a fingerprint. For this to succeed, the user must supply information from at least two sources. The three common sources are knowledge, possession, and inherence.
- Knowledge is something the user knows, such as a secret password or Personal Identification Number (PIN).
- Possession is something the user has, such as a mobile phone or key fob.
- Inherence is something the user is, typically related to biometric methods such as fingerprints, facial recognition, or retina scanning.
How does it work?
Many commercial MFA products require vendor appliances or client software to be deployed. We will use MFA for remote access as an example. Most remote access solutions support Remote Authentication Dial-In User Service (RADIUS), which is an authentication standard, and provide steps to integrate MFA with the remote access solution. Additionally, most recent MFA solutions include a possession factor for authentication. This is typically a hardware key fob or a mobile application.
The MFA solution is configured to communicate with a local user database or directory services; most implementations tie back to directory services. The vendor solution then holds a list of users imported from the directory services. A user needs a key fob or mobile application to retrieve a passcode. Key fobs randomly generate numeric values, and once they are available, provisioning can occur. Provisioning is the process of assigning key fobs or mobile apps to users. Assigning key fobs is a manual process in which the administrator assigns a fob to each user, whereas for mobile applications an enrollment email is sent to the user. The enrollment email contains a link to download and install the mobile application. The enrollment process also allows the user to set their PIN. Once the mobile application is installed and the PIN is set, the user is ready to use MFA for remote access. The PIN + token code provides two factors: something the user knows and something the user has.
Why is it important?
Besides regulations such as PCI-DSS that require MFA, single-factor authentication is a high-risk authentication method. One example is the opportunity for various password cracking techniques to be executed against the login prompt. Having directory services exposed to continuous attacks increases the odds of compromise. MFA also eliminates password sharing among users who have access to critical applications. MFA is not the be-all and end-all solution to identity theft; however, it does put an additional layer of security between the organization and people with nefarious intentions. Security is best implemented in layers.