The most commonly used method of providing access to business systems and software is still the basic username and password. When the system being accessed is purely internal, with no access to the internet or the outside world, that level of simplicity can be enough. As workforces became mostly remote in response to COVID-19, and have continued to be so even as the pandemic wanes, fewer and fewer systems can remain that isolated from the broader digital landscape.
The secure improvement over an easily compromised username and password is to add multiple “factors” of authentication. This is where the term “multi-factor authentication” comes from: you verify that you are who you claim to be in more than one way.
What are authentication factors?
Multi-factor authentication relies on using multiple factors to prove your identity. Factors equate to variables when it comes to calculating how likely someone is to be who they say they are. The more variables that are known or identifiable about a given person, the more certain you can be of who they are.
The factors used for authentication fall into three categories: something you know, something you are, and something you have.
Knowledge-Based Authentication: This is the term for “something you know” – things like your username/password, birthday, the last three places you lived, or your mother’s maiden name are all knowledge-based authentication (or KBA) questions. KBA works best when used as a second factor for other verification methods, as the answers to knowledge-based questions can be phished or stolen.
Possession Authentication: This is another way to describe “something you have”. Archaic methods include things such as signet rings or physical keys that fit into locks. Modern methods of possession-based authentication include token keys or your mobile phone. For example, FIDO relies heavily on mobile phones as an authentication token to replace the use of passwords.
Biometric Authentication: “Something you are” can also be described as biometrics, and biometrics can be the most accurate factor for verifying identities. This isn’t exclusive to digital verification – you verify your identity with biometrics every time you buy wine or beer at the store and the clerk checks your face against your driver’s license!
Multi-Factor Authentication Requirements
In its simplest form, multi-factor authentication is using more than one factor – so two-factor authentication is still a type of multi-factor authentication.
Typically, the term “multi-factor authentication” is used to reference 3 or more factors. The factors don’t have to come from three separate categories (one each from KBA, possession, and biometrics); two biometric factors plus one KBA factor would still count as multiple factors.
When there are only 2 factors of authentication, that is usually referred to simply as two-factor authentication, even if both factors are highly secure (such as two forms of biometrics).
Why Your Organization Needs Multi-Factor Authentication
Multiple methods of verifying identity make it significantly more challenging for bad actors to gain access to your systems. Usernames and passwords are commonly stolen or sold on the dark web, which makes them highly unsuitable for guarding access to systems you care about. Even KBA questions are not as secure as you might think; popular Facebook or social media quizzes often contain questions that are similar to those used to guard your sensitive accounts. While a single quiz is unlikely to have all the questions used by, say, your bank, if you take more than one over several months, you are providing potential hackers with plenty of data about yourself.
The way to keep the ease and convenience of passwords while also improving organizational security is to add something much harder to steal or phish: physical tokens or biometrics. Using your mobile phone to accept a push notification is still relying on a physical token of your identity: the phone you’re accepting the notification on.
With multiple factors used to verify your users, whether they are employees or customers, you drastically increase organizational security. Compared to other cybersecurity measures, mandating the use of multi-factor authentication to access business systems across your entire organization is easier and lower cost. Using device-based authenticator tools can be as simple and free as using Google Authenticator, or you can take it a step up where needed and use a biometric authenticator like Q5id. When approving high-value financial transactions, verifying new accounts, or guarding access to essential systems such as infrastructure, using biometrics as a security measure makes sense.
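As an added illustration of the possession factor behind device-based authenticators such as Google Authenticator (example code written for this page, not the project's or Q5id's code), the block below implements the time-based one-time password scheme those apps use (RFC 4226 HOTP and RFC 6238 TOTP) and the server-side check that accepts a code only within a small clock-drift window and never twice. The secret is the published RFC test key, used here as a constructed demo value; the `last_counter` replay guard is this example's own design.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: the 20-byte RFC 4226/6238 test key, in the base32
# form an authenticator app receives from an otpauth:// enrolment URI.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30  # Google Authenticator default time step
DIGITS = 6         # Google Authenticator default code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is floor(unix_time / step)."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // step)


def verify_totp(secret_b32: str, submitted: str, at: int,
                last_counter: int = -1, skew: int = 1,
                step: int = STEP_SECONDS) -> Optional[int]:
    """Server-side check. Returns the matching counter on success, else None.

    - `skew` neighbouring steps are accepted so a phone whose clock drifts by
      up to 30 s still works.
    - Any counter <= `last_counter` is rejected, so a code captured and
      replayed inside the window is refused; callers persist the returned
      counter per user as the new `last_counter`.
    - Comparison is constant-time to avoid leaking digits via timing.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    now_counter = at // step
    for delta in range(-skew, skew + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue  # stale or already-used step: replay protection
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None
```

The accepted counter, not the code, is what the server stores; storing it per user is what turns "something you have" into a factor that cannot be reused after a single interception.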
Schedule time today to talk with our team about how to implement secure biometric identity proofing and multi-factor authentication throughout your organization by emailing us at firstname.lastname@example.org.