Elevating security in today’s increasingly risky digital landscape would not be complete without multi-factor authentication (MFA) — a critical component that helps prevent or mitigate incidents such as account takeover fraud and credential stuffing attacks.
Often used interchangeably with two-factor authentication (2FA), MFA is a layered approach to verifying the identity of users so that only those with the appropriate permissions can access protected systems (e.g., networks, applications, websites, etc.) or perform certain tasks within them. Implementing MFA requires users to present multiple identity credentials, or authentication factors, to gain access to a system, or even a physical building.
Requiring a combination of authentication factors before granting access, such as something you know (a password), something you have (a device that receives or generates an OTP), something you are (biometrics) and more, is what makes it much harder for unauthorised users to get into secured systems. There are several different ways to adopt MFA, and the method(s) used largely depend on the level of security required and the types of systems being accessed. For instance, high-security systems such as healthcare and financial applications may require two or more of the authentication factors mentioned to ensure robust protection.
When deciding to implement MFA into certain aspects of your organisation, it is vital to get to know the various approaches available first and learn the strengths and weaknesses associated with each one.
Which MFA is right for your business?
1. One-Time Passcodes (OTP)
OTP requires a user to input the unique numeric or alphanumeric passcode sent to their registered device via SMS text or email in combination with their usual username-password credentials.
Pros
OTP is the most common form of 2FA; it is intuitively familiar and easy for everyone to use.
Cons
Although convenient, there are several risks involved with OTP, such as the user’s phone number getting stolen (also known as SIM swapping), which could expose their accounts if they mainly use SMS OTP. Another potential risk is when a user falls for a social engineering attack and willingly passes their OTP code to a threat actor.
2. Time-based OTP (TOTP) and other software authenticators
TOTP requires a user to confirm that they are in control of their device within a given time frame by entering a unique passcode generated through apps such as Microsoft Authenticator, Google Authenticator, Authy, and others.
Pros
By using TOTP applications, users avoid some of the risks involved in OTP, because verification is tied to an application on their device instead of a phone number or email address. Moreover, unlike external hardware authenticators such as YubiKeys, which come at a cost, these applications can be downloaded onto a user's device for free.
Cons
TOTP is commonly used mainly in financial applications, where the sensitivity of the data justifies it, and sees little use elsewhere. The extra setup steps involved (downloading and enrolling the authenticator app) mean it has higher friction than OTP.
3. Built-in device biometrics
Built-in device biometrics require a user to verify their identity using the same biometric identification technology they already use on their phones, laptops, and other devices. Fingerprint, facial, iris, voice, and palm or finger vein patterns are the most popular markers used in biometric identification. This method typically verifies both a biometric marker and possession of the user's device.
Pros
Because it verifies both a biometric marker and possession of a device, this method provides two distinct factors on its own. Moreover, it is an unphishable form of MFA, since there is no easy way to hand the verification over to a remote attacker.
Cons
The security advantage of biometrics is also one of its shortcomings, particularly for user experience. Because verification is bound to a device, users who lose or switch devices face account recovery issues.
4. Hardware authenticators
Hardware authenticators are cross-platform ‘keys’ that allow a user to use a physical device separate from their phone, laptop, and other devices to verify possession of a unique authentication factor.
Pros
Hardware authenticators are similar to device biometrics in that they are also an unphishable form of MFA. In addition, their cross-platform nature is important, since users can present this authentication factor across different devices, from desktop to mobile.
Cons
For some users, hardware authenticators can be too complex on top of the additional cost they require. As such, these devices are generally more popular among expert users.
Step-up authentication and how it balances security and user friction
Step-up authentication is a distinct type of MFA that requires an extra level of authentication only when the user attempts a high-risk operation in a system. An example is a customer using a banking application on their mobile device. Naturally, they must log in before they can view their profile and check their transaction history, a step they may or may not choose to secure with 2FA. However, should they attempt something risky, such as transferring a large sum to another account, the banking app will enforce a mandatory additional authentication method such as OTP, biometrics, or others before proceeding.
As the example shows, step-up authentication only requires extra verification on particularly sensitive routes in an application. By asking for additional verification only where it is needed, IT administrators can apply different authentication levels depending on the sensitivity of the resource.
A better idea would be to combine step-up authentication with adaptive MFA, another approach that requires further authentication only for certain user characteristics, such as using a suspicious or new IP address. This comprehensive strategy with both step-up authentication and adaptive MFA is more powerful than using the two individually when securing critical access to resources and sensitive actions.
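To show how the two policies described above (step-up by action sensitivity, adaptive by user context) combine into one decision, here is an added example in Python; it is not code from the original post and the route names, levels, threshold and IP addresses are all hypothetical. It returns the assurance level the session still needs to reach, or `None` when the factors already completed are enough.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    PASSWORD = 1       # username and password only
    SECOND_FACTOR = 2  # plus an OTP or TOTP code
    STRONG = 3         # plus an unphishable factor (device biometric or hardware key)


# Hypothetical policy table: minimum assurance level per route in a banking app.
ACTION_LEVEL = {"view_profile": Level.PASSWORD, "view_history": Level.PASSWORD,
                "transfer": Level.SECOND_FACTOR, "change_payee": Level.STRONG}
LARGE_TRANSFER = 5000  # constructed threshold above which a transfer is high-risk

# Which assurance level each completed factor earns.
FACTOR_LEVEL = {"password": Level.PASSWORD, "sms_otp": Level.SECOND_FACTOR,
                "totp": Level.SECOND_FACTOR, "biometric": Level.STRONG,
                "hardware_key": Level.STRONG}


@dataclass
class Session:
    factors: set     # factors already completed in this session
    known_ips: set   # addresses previously seen for this user
    current_ip: str


def achieved_level(session: Session) -> Level:
    return max((FACTOR_LEVEL[f] for f in session.factors), default=Level.NONE)


def required_level(action: str, session: Session, amount: int = 0) -> Level:
    level = ACTION_LEVEL.get(action, Level.STRONG)  # unknown action: fail closed
    if action == "transfer" and amount >= LARGE_TRANSFER:
        level = max(level, Level.STRONG)             # step-up: large transfer needs more
    if session.current_ip not in session.known_ips:  # adaptive: new IP raises the bar
        level = Level(min(level + 1, Level.STRONG))
    return level


def step_up_needed(action: str, session: Session, amount: int = 0):
    """None if the session already satisfies the policy, else the level to prompt for."""
    need = required_level(action, session, amount)
    return None if achieved_level(session) >= need else need
```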
Conclusion
Cybersecurity is something that every organisation can always improve on, and the fast-paced nature of technology only reinforces this need to always stay on top of best practices. Multi-factor authentication and its added security is one such practice that has quickly become one of the cornerstones of security frameworks that protect against all kinds of cyber threats.
Remove the hassle of implementing MFA today with the help of SendQuick, Singapore’s leading provider of enterprise mobility solutions. Easy to implement and with minimal maintenance, SendQuick Security and MFA provides the extra layer of security you need to effectively minimise the risk of a wide range of potential cyber-attacks – it equips clients with secure remote access via MFA using SMS and Email One Time Password (OTP), Mobile Soft Token and SingPass.
Apart from security and MFA, we also offer other industry-leading solutions like business process automation, IT alert management systems, and SMS gateway in Singapore. To learn more about our products, visit our solutions page today or contact us to speak with a SendQuick expert for more details.