Single-factor authentication (SFA) is the simplest form of authentication and the one most of us are used to: a single credential is used to prove who you are. The most familiar example is a password that unlocks an account.
Two-factor authentication (2FA) and multi-factor authentication (MFA) work the same way but require more than one credential, for example a password plus a code from a text message or an authenticator application. Strictly speaking, a secret question is not a second factor but another knowledge factor, since it belongs to the same category as the password. Each additional factor, especially one from a different category, raises the cost of taking over the account.
The average person uses over 150 services that require credentials such as passwords. That is a lot to keep track of, and for many users it leads to reused passwords or easy-to-remember ones. Birth dates, phone numbers and the names of family members or pets are among the most common choices, and they are also the easiest for an attacker to guess from publicly shared information. Once an attacker has cracked one password, a reused password hands them every account it was used on.
According to the Verizon Data Breach Investigations Report, compromised passwords are responsible for 81% of hacking-related breaches. One way services try to reduce this is a firm password policy: a minimum length, screening against common and previously breached passwords, protected storage (a salted, deliberately slow hash) and uniqueness across accounts all make passwords more resistant to guessing and cracking. Composition rules and forced expiration are also common, although current NIST guidance (SP 800-63B) favours length and breached-password screening over complexity rules and periodic expiry, which tend to push users toward predictable patterns.
Unfortunately, cybercriminals are more capable and cybercrime more profitable than ever, so compromised passwords are increasingly common. Without multi-factor authentication, a password is all an attacker needs. A single compromised account can be ruinous for a company if that account has access to personal or business data such as invoices, credit card numbers, addresses or identification numbers.
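The password policy described above can be enforced in code. The following Python is an added example, not code from the original article: it checks length, a blocklist of common passwords, the presence of the username or other personal terms, and reuse against the user's previous hashes, and it stores passwords with a salted PBKDF2-HMAC-SHA256 hash. The minimum length of 12, the tiny blocklist and the sample user data are assumptions standing in for a real policy and a real breached-password corpus.

```python
import hashlib
import hmac
import os

# Constructed blocklist standing in for a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12               # assumed policy value
PBKDF2_ITERATIONS = 600_000   # OWASP-recommended minimum for PBKDF2-HMAC-SHA256


def check_policy(password: str, username: str, personal_terms: tuple = ()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    personal_terms are things an attacker could look up about the user (pet name,
    birth year, ...) that must not appear in the password.
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal information ({term})")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash for storage. Format: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_new_password(password: str, previous_hashes: list) -> bool:
    """Uniqueness: reject a password that matches any of the user's previous hashes."""
    return not any(verify_password(password, h) for h in previous_hashes)


def register_password(password: str, username: str, previous_hashes: list,
                      personal_terms: tuple = ()) -> str:
    """Full flow: enforce policy, refuse reuse, return the hash to store.

    Raises ValueError listing every violation when the password is rejected.
    """
    problems = check_policy(password, username, personal_terms)
    if not is_new_password(password, previous_hashes):
        problems.append("was used before")
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample user: alice, whose dog is called Rex and who was born in 1990.
    print(check_policy("Rex1990!", "alice", ("rex", "1990")))
    stored = register_password("correct horse battery staple", "alice", [])
    print(verify_password("correct horse battery staple", stored))  # True
```

The history check works on stored hashes, so the old passwords themselves never need to be kept; the cost is one slow hash per remembered password, which is why real systems cap the history length.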
With two-factor or multi-factor authentication, a compromised password on its own is not enough: the attacker still has to produce the remaining factors. The more independent factors required, the better for security. The main downside is friction, since users must present several credentials at every login, and when friction is high users look for workarounds or never enable the feature at all. In 2018, for example, Google reported that less than 10% of its active users had turned on optional two-factor authentication.
Luckily, more and more websites and applications offer two-factor and multi-factor authentication, and users are becoming familiar with them. The range of ways to present a factor is also growing, and organizations that need higher assurance may require three or more factors. The goal is a highly secure environment that still gives users low-friction ways to authenticate.
Authentication factors fall into three categories: knowledge (something you know), possession (something you have) and inherence (something you are). The sections below describe each and how it can be used for multi-factor authentication.
The most common knowledge factor is the password. PINs, security questions and passphrases are knowledge factors too. Knowledge factors are the most exposed to phishing and social engineering, because anything a user can type can be tricked out of them, and answers to common security questions can often be found in personal information shared openly on sites like Twitter or Facebook. Once attackers hold a password they can also sell it on the dark web.
Possession factors are things you physically have: a smartphone, a hardware or software token, a key fob or an ID card. A one-time password sent to a phone, a code generated by a token, or tapping a card or fob on a reader are all ways a possession factor proves a user's identity. Possession factors are generally stronger than knowledge factors, but they can be lost or stolen, and they are not all equal: codes delivered by SMS can be intercepted through SIM swapping, and any code a user types can be relayed by a real-time phishing site, whereas FIDO2/WebAuthn security keys bind the response to the site's origin and resist phishing.
Inherence factors, better known as biometrics, are physical traits unique to an individual: fingerprints, voice, face and retina or iris patterns are common examples. Biometrics are hard to guess or hand over, but they are not flawless: matching is probabilistic (every system has a false-accept and a false-reject rate), and a leaked biometric template cannot be changed the way a password can. A further drawback is that capture hardware can be expensive and users must have access to it, although modern smartphones now ship with fingerprint and face sensors.
Combining factors from different categories adds protection for the case where one credential is compromised. According to Microsoft, enabling multi-factor authentication blocks more than 99.9 percent of automated account-compromise attacks. It protects not only against stolen or brute-forced credentials but also, depending on the factor chosen, against phishing and social engineering. A Digital Shadows Photon Research Team study found that in 2020 over 15 billion stolen credentials were available on the dark web, covering everything from online banking to social media to music streaming accounts, and each year's data breaches add more. Put simply, single-factor authentication is not enough to secure a business.
Single-factor authentication may still have a place for services that hold little or no personal information, but two-factor or multi-factor authentication should be the norm whenever personal data is involved. Every business should also have a firm password policy in place and implement two or more independent ways of verifying user identity to protect its environment and data.