Multi-Factor Authentication, or "MFA", has become ubiquitous as a security standard for many things, but even more so for small and medium businesses. Yet most people don't really understand how it works or what it even means. Today, we're going to look at the idea behind MFA: what it is, how it works and why it's an important security measure to have implemented on your critical business technologies. So let's get started!
What is MFA?
Chances are, you've probably heard of MFA before and, if you're like most folks, you probably associate it with those annoying text message "codes" sent to your phone every time you go to log into your email or company line-of-business app. It's true that's a version of MFA, but did you know that there is actually much more to it than that?
You are who we thought you were
To understand what Multi-Factor Authentication really is, we'll first get the easy part out of the way: what is authentication? Authentication is verification that you are actually who you say you are. You may have heard the old saying "you can be anyone on the Internet", and that is true in the most literal sense. Computers only process 1s and 0s, and you can type in the same pattern of 1s and 0s that I can, and so can an employee or a hacker on the other side of the planet. As a result, we need a way for computer systems to verify who is actually doing the typing: enter authentication.
A matter of factor
Now that we know the meaning and purpose of authentication, we need to know how to actually do it. The most classic way to authenticate has been the infamous "username and password". You go to the website or application, plug in your username and password, and boom, you're authenticated. Now, you may not realize this, but this is known as single-factor authentication.
What is a factor? A factor is a method for identifying yourself. It can generally be broken down into one of three categories: something you know, something you have and something you are.
Something You Know: This first factor is probably the easiest to recognize. Something you know is sometimes called a "shared secret" but is more frequently recognized as: a password. This factor has been around a very long time and almost everyone is used to using it.
Something you have: This factor is a bit different as it can be several different things. Generally, this factor is meant to reference something in your physical possession. This can range from special USB keys or key cards to your phone or even an actual key. The most common version of this factor, however, is a special one-time-use code which is either texted to your phone or obtained through a special authentication app. These codes change at regular intervals and upon use and, as long as you're not giving them away to anybody, you'll be the only one who has them.
Something you are: This factor is also known as "biometric security". This is where things like hand or fingerprint readers, iris scanners and voice recognition come into play. The idea is that things like fingerprints are unique to a person, so ideally you'd be the only person who has your fingerprints. Unfortunately, this doesn't quite match up with reality, so while there's still a place for it, it shouldn't be the only factor used for security.
Go fourth and multi-factor
So now we know what authentication is, and what factors are. When we use just one factor (like just a password) for authenticating to a website or app, we're using what is called Single Factor Authentication because we're only using one of the three primary factors. Multi-factor Authentication is, you guessed it, when we use more than one factor! Enter a password then type in a code texted to your phone? That's multi-factor. Scan your fingerprint and then insert a USB Key? Multi-factor. Insert a keycard, type in a passcode and then speak into a microphone? Still multi-factor. Any combination of two or more factors is multi-factor.
So how does this help with security? Well, the answer is simple: the more factors you add during authentication, the more things an attacker is going to have to acquire or know in order to break into your account. The more steps you have to go through when logging into an app or system, the more likely it will be that you really are who you say you are. This provides a substantial increase in security, as each additional factor makes a successful account breach much less likely.
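To make the "something you have" codes from the factor list above and the "two factors together" idea concrete, here is an added example (not code from the original post) of a small login check. The one-time codes are generated the way authenticator apps do it, following RFC 6238 TOTP over RFC 4226 HOTP (HMAC-SHA1, 30-second steps, 6 digits), and the login succeeds only when the password (something you know) AND the current code (something you have) both check out. The secret is the RFC 6238 reference secret in base32 form, and the account, salt and password are constructed for the demo; everything else is standard-library Python.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way an authenticator app receives it. Real secrets are random.
DEMO_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30      # codes change at this interval
DIGITS = 6             # code length shown to the user
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(base32_secret: str, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    secret = base64.b32decode(base32_secret, casefold=True)
    return hotp(secret, at_time // STEP_SECONDS)


def match_totp_step(base32_secret: str, submitted: str, at_time: int, window: int = 1):
    """Return the time step whose code matches `submitted`, or None.

    `window` allows a little clock skew between phone and server; the comparison is
    constant-time so the check does not leak how many digits were right.
    """
    secret = base64.b32decode(base32_secret, casefold=True)
    current = at_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, step).encode(), submitted.strip().encode()):
            return step
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the 'something you know' factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_secret: str
    last_accepted_step: int = -1   # enforces "one-time use": a code cannot be replayed


def enroll(password: str, base32_secret: str) -> Account:
    """Constructed enrollment: in production the salt comes from os.urandom per account."""
    salt = b"constructed-fixed-salt"
    return Account(salt, hash_password(password, salt), base32_secret)


def authenticate(account: Account, password: str, code: str, at_time: int) -> bool:
    """Two-factor login: succeed only if BOTH the password and a fresh TOTP code are right.

    Both factors are always evaluated, so a caller cannot tell which one failed.
    """
    know_ok = hmac.compare_digest(hash_password(password, account.salt), account.password_hash)
    matched_step = match_totp_step(account.totp_secret, code, at_time)
    have_ok = matched_step is not None and matched_step > account.last_accepted_step
    if not (know_ok and have_ok):
        return False
    account.last_accepted_step = matched_step   # this code is now used up
    return True


if __name__ == "__main__":
    acct = enroll("correct horse battery staple", DEMO_BASE32_SECRET)
    now = 59                                   # RFC 6238 test vector time
    print("code right now:", totp(DEMO_BASE32_SECRET, now))
    print("password only :", authenticate(acct, "correct horse battery staple", "000000", now))
    print("code only     :", authenticate(acct, "wrong password", totp(DEMO_BASE32_SECRET, now), now))
    print("both factors  :", authenticate(acct, "correct horse battery staple", totp(DEMO_BASE32_SECRET, now), now))
    print("replayed code :", authenticate(acct, "correct horse battery staple", totp(DEMO_BASE32_SECRET, now), now))
```

Two design points worth noticing: the server keeps the step of the last accepted code so that a code captured in transit cannot be reused even inside the 30-second window (the "upon use" part of the paragraph above), and it computes both factor checks before deciding, so a failed login gives an attacker no hint about which factor was wrong.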
Of course, the downside of this is convenience. The more steps you have to take, the more secure things will be but also the longer and more inconvenient logging in is every time you have to do it. Nobody wants to go through a 15 minute song and dance just to log into their computer or line-of-business app every day (and, unless you're working in a nuclear missile silo, you probably don't need the security a 15 minute song/dance would provide!).
As with most things in computer security, it's all about striking a balance. Computer security is a spectrum, with security on one side and convenience on the other. Most of the time, we try to strike a balance between the two. As a result, most apps and websites today require just two factors. Two factors have proven to provide "good enough" security for most applications when implemented properly, without being so inconvenient that they slow you down.
Hopefully this clears up some of the mystery around MFA and provides a little insight into why it's important to correctly implement it for the important areas of your organization.