Demystifying Multi-Factor Authentication
Multi-Factor Authentication is critical for protecting against the weaknesses of passwords. But not all MFA is created the same, and it can be a confusing thing to do well.
Passwords suck. They're complicated. They need to be unique for every system, but that's very difficult given the vast number of systems we log into every day. They need to meet complexity requirements (primarily length requirements, as years of breach data have taught us) and become nearly impossible to deal with without a password manager. Yet we still use passwords (and sometimes a PIN, which is even weaker) for authentication and access purposes.

We've known how bad passwords are for decades. We've tried all sorts of fixes:
- Rotate your password every 90 days
- Use symbols, numbers, upper-case, and lower-case characters in every password
- No "dictionary words"
- No keyboard patterns (Yes, "Qwerty1@3" and other similar patterns still show up in password breach data)

But these all have drawbacks of their own, like the fact that complex passwords are hard to remember, and so we tend to reuse just a couple of them across multiple sites, which is extremely bad practice.
Fortunately there are other means of authentication at our disposal. While they each have their own problems, when they're combined together they are very useful and do a far better job of providing authentication than just using any one of them by itself.
The Multiple Factors That Make Up Multi-Factor Authentication
In the 1990s some bright sparks recognized that there were more ways than just passwords to authenticate someone and came up with a basic framework of factors that could be used for authentication. Depending on who you ask there are three or four basic factors, each of which has one or more methods that can be used to authenticate someone:
- Something you know/Knowledge - This is how we've "always" authenticated people - based on knowing a secret of some sort. This category covers things like passwords, PINs, and answers to "security questions" about who was your first grade's crush's teacher's cousin.
- Something you have/Possession - This factor focuses on things you have access to that you keep safe from other people. This can include things like an ATM card, an old-school MFA token with a 6-digit display of continuously changing numbers (if you're over 30 you've at least seen one of these, if not used one), a USB, NFC, or other security token like those from Yubico, and even a physical key like the one you use to get into your car or home. But this category also includes software: things like access to your email, authentication apps like Google Authenticator, or a private key like those used to authenticate to SSH sessions. This category even includes SMS-based authentication, as it depends on the idea that only you have access to your phone number and the messages sent to it.
- Something you are/Inherent - This is the category of biometrics such as fingerprints, palm-prints, photo IDs, and the like. This category has expanded recently to include behavioral metrics like keystroke dynamics - the concept that only you type like you.
- Where you are/Geographic - There is considerable disagreement over using this as a reliable factor for authentication. In the traditional sense, this factor cannot be used by itself but only as a supporting factor, where the other three factors can each be used without any of the others. I would suggest that this really isn't a factor of authentication at all, but more an indicator of concern - why is your CFO logging in from a different continent when you know he works in Boston and vacations in Vail?
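The "continuously changing numbers" on a hardware token and the codes shown by an authenticator app are both instances of the same Possession-factor mechanism: a shared secret held by the server and the device, combined with a counter or the current time and run through an HMAC. The following is an added example, not code from the original post, that implements that mechanism (HOTP from RFC 4226 and TOTP from RFC 6238) together with the server-side checks a verifier needs: a small window for clock drift, a constant-time comparison, and a refusal to accept a code whose counter is at or below the last one used, so that a captured code cannot be replayed. The secret `EXAMPLE_SECRET`, the account and issuer names, and the class and function names are all constructed for this example; the secret is the one used by the RFC test vectors so the output can be checked against them.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the ASCII string used by the RFC 4226 / RFC 6238
# test vectors, so the codes below can be checked against the published values.
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to a 31-bit integer, then reduced
    modulo 10**digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so the displayed code changes every `step` seconds."""
    return hotp(secret, at_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind authenticator apps read from a QR code. The
    base32-encoded shared secret is the only thing that leaves the server, and
    the server must store it as carefully as a password hash (more so: it is
    not hashed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


class TotpVerifier:
    """Server-side verifier for one user's token. Tolerates +/-`window` time steps
    of clock drift, compares codes in constant time, and never accepts a counter
    at or below the last accepted one, which blocks replay of an intercepted code."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1  # highest counter value accepted so far

    def matching_counter(self, code: str, now: int):
        """Return the counter within the drift window whose code matches, else None."""
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                return counter
        return None

    def accept(self, code: str, now: int) -> bool:
        """True only for a fresh, correct code; a reused or older code is refused."""
        counter = self.matching_counter(code, now)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    print(provisioning_uri(EXAMPLE_SECRET, "alice@example.com", "ExampleCorp"))
    print("code valid right now:", totp(EXAMPLE_SECRET, int(time.time())))
```

The replay check is what makes the difference between "something you have" and "something an attacker saw once": without `last_counter`, a code phished from the user remains valid for the whole drift window, which is why real verifiers track the last accepted step per user (RFC 6238 section 5.2).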
Factor Weaknesses
Part of the reason that multi-factor is so important is that each factor by itself has inherent weaknesses: passwords are relatively easily stolen, brute-forced, and guessed. Objects in your possession are easily lost or broken. The good news is that, when used together, each factor helps cover for the weakness of another.
Multi-Factor Authentication Examples
Combining two or more of these factors provides significantly better security than any one factor could by itself.
- A password + an emailed link uses the Knowledge and Possession factors
- An ATM card and a PIN uses the Possession and Knowledge factors
- A fingerprint and a token-code uses the Inherent and Possession factors
- A palm-print and a security question answer uses the Inherent and Knowledge factors
- A PIN and an access card and a fingerprint uses all three of the primary factors
Examples That Are NOT Multi-Factor
Just because there are multiple hoops does not mean there are multiple factors. The following examples are not generally considered to add security that matches using multiple factors:
A password and the answer to a security question
This is an example of two steps from the same factor - in this case the Knowledge factor - and is therefore not multi-factor even though it is multi-step. This doesn't add much to the security of the authentication because it is generally assumed that if someone can gain access to your passwords they're likely to have access to the answers to your security questions as well.
A fingerprint and a picture ID
Like the previous example these are both from the same factor, but in this case they are from the Inherent factor. As with the previous example, multiple steps from the same factor are not considered to add nearly as much authentication security as using multiple factors.
Using a PIN -or- a fingerprint
This is an example of two different single-factor authentication methods offered as alternatives (the "or" is important), which means that an attacker needs only one of these things to gain access to your system, such as unlocking your phone. This is something people commonly do with devices like their cell phones, and while it may add convenience it actually lowers security: there are now two authentication methods that can be attacked, and if either is compromised the authentication is compromised, as opposed to needing to compromise both.
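The distinction the examples above draw is mechanical enough to check in code: a login policy is a set of alternatives (any one of which lets you in), each alternative requires all of its methods, and the strength of the policy is that of its weakest alternative, counted in distinct factors rather than in steps. The following is an added example, not code from the original post, that encodes that rule; the `FACTOR_OF` table maps method names to the three primary factors as this page describes them, and the method names, the `Policy` representation and the function names are all constructed for the example.

```python
from typing import Dict, List, Set

# Constructed mapping of authentication method -> factor, following the three
# primary factors described on this page.
FACTOR_OF: Dict[str, str] = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "email_link": "possession",
    "sms_code": "possession",
    "totp_code": "possession",
    "hardware_token": "possession",
    "atm_card": "possession",
    "fingerprint": "inherent",
    "palm_print": "inherent",
    "photo_id": "inherent",
}

# A policy is a list of alternatives; any ONE alternative satisfies the login,
# and every method inside an alternative must be presented. So
#   "PIN -or- fingerprint"          -> [["pin"], ["fingerprint"]]
#   "PIN + access card + fingerprint" -> [["pin", "atm_card", "fingerprint"]]
Policy = List[List[str]]


def factors_required(alternative: List[str]) -> Set[str]:
    """Distinct factors an attacker must defeat to pass this one alternative."""
    unknown = [m for m in alternative if m not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    return {FACTOR_OF[m] for m in alternative}


def weakest_alternative(policy: Policy) -> List[str]:
    """An attacker takes the easiest path, so rank alternatives by how few
    distinct factors they need, then by how few steps, and return the weakest."""
    if not policy or any(not alt for alt in policy):
        raise ValueError("policy must contain at least one non-empty alternative")
    return min(policy, key=lambda alt: (len(factors_required(alt)), len(alt)))


def effective_factor_count(policy: Policy) -> int:
    """Number of distinct factors the weakest alternative demands; this, not the
    number of hoops, is what the policy is worth."""
    return len(factors_required(weakest_alternative(policy)))


def classify(policy: Policy) -> str:
    """Label a policy the way this page does: multi-factor, multi-step (several
    methods but only one factor), or single-factor (one method, or an escape
    hatch that needs only one)."""
    weakest = weakest_alternative(policy)
    if len(factors_required(weakest)) >= 2:
        return "multi-factor"
    if len(weakest) >= 2:
        return "multi-step single-factor"
    return "single-factor"


if __name__ == "__main__":
    for policy in ([["password", "email_link"]],
                   [["password", "security_question"]],
                   [["pin"], ["fingerprint"]],
                   [["password", "totp_code"], ["fingerprint"]]):
        print(policy, "->", effective_factor_count(policy), "factor(s),", classify(policy))
```

The last policy in the usage loop is the one worth noticing: a password plus an authenticator code is multi-factor on its own, but adding "or just a fingerprint" as a convenience fallback drags the whole policy back to single-factor, exactly the "or" problem described above.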
Some Methods Are More Secure Than Others
Not all options within a particular factor are equally secure. In fact there's a fairly direct continuum from least to most secure within each factor that is worth looking at. This is the way of all things, but it is instructive to recognize, when combining MFA factors, that choosing two low-value options from two factors leads to lower overall security. Here are a few examples:
Knowledge Factor
Lowest Security | Better Security | Best Security
---|---|---
PIN (numeric, short) | Password (8-14 characters, mixed symbols, numbers, and letters) | Passphrase (20+ characters, may include spaces)

This table identifies three common options from the Knowledge factor that most people are familiar with; if not, each links to a relevant Wikipedia article. A short, numeric-only PIN is far less secure than a 20+ character passphrase and should therefore be used either for low-security purposes or when paired with a high-security second factor, like a hardware token from the Possession factor. (This is, in fact, how "chip and PIN" transactions work for credit and debit cards across Europe and other areas: the chip on the card is a hardware security token.)
Possession Factor
Lowest Security | Better Security | Good Security | Best Security
---|---|---|---
SMS or phone message | Email message | Software or hardware code token | Hardware token, PKI certificate and key
Inherent Factor
This factor depends most heavily not on the unique attributes that can be measured, but on the quality of the sensors for reading, analyzing, and ultimately approving those attributes as properly matched. Or, said another way: facial recognition stinks, and so do many fingerprint readers. Or, to put it yet another way: on a laptop that cost you $500, how much money do you believe was spent on the best possible webcam and software for your Windows Hello login, or on the fingerprint reader built into the screen of your phone?
Most consumer-level biometric authentication options are there for your convenience, not your security.
Read that sentence again for clarity. And yes, I can already hear the Apple fans shouting that their favorite device is better at not unlocking with a photo because it does 3D mapping of the face, to which I say: that's cool, but that still means I can unlock your phone without your consent and without needing to know a password.
Until and unless there is some sort of standard for the efficacy of these biometric readers, faith in them as a security measure needs to be low.
The Power of Multi-Factor Authentication
It really is magic that all these different and vulnerable authentication methodologies can be brought together to create very strong authentication security. When used together they are much more powerful than single-factor authentication is. In your personal life, look to these guidelines to help you securely authenticate to the solutions and services you work with:
- Enable MFA whenever and wherever you are able to.
- When given a choice in MFA options, choose the most secure one that is easy enough for you to use. Ease of use is greatly improved with a password manager!
- Avoid biometric authentication when possible.
- Avoid SMS authentication when possible.