Going Passwordless. The Basics of Multi-Factor Authentication

Password 2.0

Now that passwords alone have outlived their usefulness, how do we protect ourselves?  By adding another layer of security. The first layer is still the password. It is something you know. The next layer of security involves something you have;  a tangible item that you carry with you. Perhaps it's your cell phone or your fingerprint or a token or a combination of any of these. Using a combination of tools to authorize access is called Multi-Factor Authorization (MFA) and it's replacing the stand-alone password quickly.

Why MFA?

Multi-Factor Authorization (MFA) means that whatever application you're logging into is double-checking that the request is really coming from you by confirming your login through a different device. If a website or application has ever sent a numeric code to your cell phone for you to enter to gain access, you've experienced MFA.

MFA is crucial to web security because it minimizes the risks associated with compromised or stolen passwords. A password that is stolen, hacked, or even guessed is no longer enough to give an intruder access.

Without approval at the second factor, a password alone is useless

Types of MFA

Typically, multi-factor authentication systems rely on at least one of the following approaches. 

• U2F (Universal Second Factor) devices: Similar to tokens, these are small physical devices used purely to verify logins. They are designed to fit into USB slots and when a user enters their password on a computer it prompts them to tap the U2F device to gain access. These are easy to use but they take up an all-important USB port on your machine.
• Authentication Apps: This is the most basic approach:  Smartphone apps that handle the second-factor approval process. These apps use internet connectivity which is more secure than using phone lines.
• Passcodes: The most common form of MFA. They usually consist of a short string of numbers sent usually by text, to a smartphone. These are different from your Authentication apps because they use phone lines (text) which are less secure. They can be a bother because you have to manually enter the string of numbers to gain access.
• Tokens: Small keychain fobs that generate codes for users to enter as their second factor. They are more secure than phone line delivered codes but you still have to enter the string of numbers. And maybe worse, you can't copy and paste. While they are affordable, they do run on batteries that will need to be replaced and it's tough to predict when the batteries will fail.
• Phone callbacks: The user receives an automated phone call that prompts them to approve or deny the access request. While effective, it's more time-consuming than the other methods of MFA.
• TOTP: Time-based One-Time Passcodes or TOTP.  Similar to passcodes but instead of the service sending a series of numbers, the app generates a one-time-use passcode that will quickly expire. You can still use your smartphone authenticator app and no unsecured phone lines are involved.

The Hidden Advantage of MFA

MFA also does something that is key to maintaining a strong security mindset: it actively involves users in the process of cybersecurity, and it creates an environment where users are actively and knowingly participating in their own online safety. When an MFA notification comes to a user, they have to acknowledge each transaction, which underlines the importance of security continually. While most other web security methods are passive and don't involve end users as collaborators, MFA creates a partnership between users and administrators.

Conclusion

As we head towards a passwordless world, strong web security relies on a utility belt instead of a single shield. It's important never to rely on any single method for comprehensive protection. If you're currently relying on passwords alone, it's time to make a change, and using MFA is the right first step.