Technology brings many challenges, and one of the harder ones for people to embrace is using multi-factor authentication (MFA) to help secure their data. Multi-factor authentication is a method of verifying a claimed identity by requiring two of three possible factors:
- Something you know, such as a password
- Something you have, such as a USB dongle, smart card, or another type of token used in the process
- Something you are, meaning a biometric feature such as a fingerprint or retinal scan
Many people are hesitant to change their daily routines. You may not want to perform multiple steps to log in to your applications. It’s easy to feel overwhelmed when you must keep up with several passwords, and you may not like having to change your password periodically to remain in compliance with an organization’s standards.
Being required to present a smart card, USB token or key fob, or to confirm an SMS text, in order to verify your identity calls for a completely different mindset about risk. Multi-factor authentication is a definite step in the right direction toward a defense-in-depth approach to securing your data. When the process is understood and maintained properly, it greatly decreases the risk of compromised data.
The Need for Multi-Factor Authentication
Single-factor authentication, such as a username and password, is the most popular and well-known technology for protecting your data. A survey shows that 90% of user authentication systems rely on a username and password to verify users. However, this approach has some very serious drawbacks. Most people have no idea how to create a complex password or understand why it matters, and that leaves their data unprotected and vulnerable. (Roy, Dasgupta, 2017)
A limitation of the traditional password-only mechanism is that the authentication server has to store a sensitive verifier containing either the plaintext passwords or the salted hashes of the passwords of every registered user. If the authentication server is compromised, all of those passwords are exposed to the attacker, and even a salted hash presents little challenge when it was produced with a fast, conventional hash function.
Using modern probabilistic cracking techniques and commodity hardware such as GPUs, an attacker can most likely recover an overwhelming percentage of the passwords. Demonstrations have shown that a purpose-built rig of 25 GPUs can test up to 350 billion guesses per second in an offline dictionary attack against traditional hash functions. It has been reported that 43-51% of people reuse the same password or variations of it, so the compromise of one authentication server can lead to a domino effect across other servers because of password reuse. (Wang, 2016)
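As an added illustration of the verifier problem above (example code, not from the post or from any paper it cites): a per-user salt keeps identical passwords from producing identical stored verifiers, and a slow key-derivation function (PBKDF2-HMAC-SHA256 here; the iteration count is an assumed value) makes each offline guess far more expensive than a single pass of a traditional hash.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example, not code from the post or from any cited paper: a minimal
# server-side verifier store. Each user gets a random salt, and the verifier is
# derived with PBKDF2-HMAC-SHA256 at a deliberately high iteration count so
# every offline guess costs the attacker as much work as a legitimate login.
ITERATIONS = 100_000  # assumed value; tune to your server's hardware budget

def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return the record the server stores: salt, iteration count, derived key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}

def check_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])

def register_users(creds: dict) -> dict:
    """creds maps username -> password; returns the server-side verifier table."""
    return {user: make_verifier(pw) for user, pw in creds.items()}

def verifiers_differ(table: dict, user_a: str, user_b: str) -> bool:
    """Per-user salts mean two users sharing a password still get distinct
    verifiers, so one cracked record does not hand over the other for free."""
    return table[user_a]["dk"] != table[user_b]["dk"]

def slow_to_fast_ratio(record: dict, samples: int = 200) -> float:
    """Wall-clock cost of one PBKDF2 guess relative to one plain salted SHA-256
    guess: roughly how much the verifier slows an offline dictionary attack
    compared with the traditional single-pass hash discussed above."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(record["salt"] + b"guess").digest()
    fast = max((time.perf_counter() - start) / samples, 1e-9)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", record["salt"], record["iterations"])
    slow = time.perf_counter() - start
    return slow / fast
```

Registering two users with the same password and calling verifiers_differ on them shows the salt at work, while slow_to_fast_ratio on one record gives the per-guess cost multiplier that a fast conventional hash lacks.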
Next Generation Multi-Factor Authentication
There are several different trends in future MFA methods. The one that is most attractive to me is the utilization of the Bluetooth functionality of a smartphone. This new multi-factor authentication scheme will require a user identification token, a user password, and an instance id of the Android/Chrome App on the smartphone.
Unlike other schemes where you type your username and log in manually on a system, the Android/Chrome app used in the proposed scheme fetches the Bluetooth address of the smartphone automatically and uses it as the user’s login username. This makes it considerably more difficult for a phishing attack to obtain the Bluetooth address, and nearly impossible for attackers to obtain it from users who are replying to an email. (Varshney, 2018)
With smartphones and mobile devices increasingly used to manage everything, there is a movement to implement three-factor authentication in applications such as healthcare and banking. This could combine, for example, a facial scan using the built-in camera, a thumbprint and a password to access a site that contains personal health information. (Bissada, 2017)
For more information, check out some of the links below that were my references used in this post.
References Cited
- D’costa-Alphonso, M., & Lane, M. (2010). The adoption of single sign-on and multi-factor authentication in organizations: A critical evaluation using TOE framework. Issues in Informing Science and Information Technology, 7, 161-189. doi:10.28945/1199
- Roy, A., & Dasgupta, D. (2018). A fuzzy decision support system for multi-factor authentication. Soft Computing, 22(12), 3959-3981. doi:10.1007/s00500-017-2607-6
- Reno, J. (2013). Multi-factor authentication: Its time has come. Technology Innovation Management Review, 3(8), 51-58. doi:10.22215/timreview716
- Varshney, G., Misra, M., & Atrey, P. (2018). Secure authentication scheme to thwart RT MITM, CR MITM and malicious browser extension based phishing attacks. Journal of Information Security and Applications, 42, 1-17. doi:10.1016/j.jisa.2018.07.001
- Mobilepaymentstoday.com (2016). Companies aim to strengthen multi-factor mobile authentication. Chatham: Newstex.
- “Exostar Enhances Security and Promotes Compliance with New Multi-Factor Authentication Solution.” (2017, December 23). Obesity, Fitness & Wellness Week, p. 638. Academic OneFile.
- Wang, D., & Wang, P. (2016). Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE Transactions on Dependable and Secure Computing, PP(99), 1.
- Joshi, A., Kumar, S., & Goudar, R. H. (2012). A more multi-factor secure authentication scheme based on graphical authentication. 2012 International Conference on Advances in Computing and Communications.
- Hufstetler, W. A., Ramos, M. J. H., & Wang, S. (2017). NFC Unlock: Secure two-factor computer authentication using NFC. 2017 IEEE 14th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), 507-510.
- Bissada, A., & Olmsted, A. (2017). Mobile multi-factor authentication. 2017 12th International Conference for Internet Technology and Secured Transactions (ICITST), 210-211.
Check out some of my other posts at http://topfortips.com.