What is Multi-Factor Authentication (MFA / 2FA)? And why does it matter?

TL;DR: Don't have time to read this? Here is a good video that gives an overview of what MFA is.

Why is it important? Watch this video: https://www.youtube.com/watch?v=hGRii5f_uSc

Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA)

You may have already seen this recently with your banking, or in your company: more and more online applications are requiring an additional verification step when you try to log in. For example, if you try to log into your Gmail from a remote computer, you may have seen a pop-up on your phone asking you to confirm the login.

Usernames and passwords are inherently 'broken' as a way to 'prove' who you are. Why? Well, if you forget your password, or you give your password to someone else, or someone else steals your password, the app, machine or phone cannot tell the difference between the 'real' you and the 'fake' you that has your password. To further complicate matters, as computers grow increasingly faster, it becomes increasingly easier for 'the bad guys' to brute force your password by trying hundreds of thousands of passwords against your account per second, giving them the ability to impersonate you for all kinds of evil, nefarious reasons.

MFA/2FA means having more than one "thing" (i.e. factor) that identifies you as 'the real you'. Generally the available factors are:

1) Something you know

For example, you know the password to your email or the PIN to your credit card. Others don't know this (or should not know this), so it is one factor that verifies (authenticates) who you are.

2) Something you are

For example, biometrics: fingerprints, facial recognition, retina scans. These uniquely identify you because they are part of you, and no one else has the same fingerprint, face, retina, etc.

3) Something you have

This is some type of second device (e.g. phone, smart card, USB key, app, soft-token), something you carry on your person, such that 'using' it can prove it is you, because only you have that specific 'device'.

Typically, when you log in to an app/service, you are asked for just your password. This means it is only using the one 'factor', "Something you know", to identify you. Two-Factor Authentication (2FA) means the system requires at least 2 factors (e.g. Something you know AND Something you are), and MFA means using 2 or more factors to identify you (Something you know, Something you are AND Something you have).

What MFA is NOT

MFA/2FA require different factors. Using the same 'something you know' twice (i.e. requiring 2 passwords) is not MFA; it's still single-factor authentication, just using the same 'factor' twice. Some apps may ask a 'secret question' and require a 'secret answer' in addition to a password. This is also not MFA: the secret question/answer is still just another instance of the same 'something you know'.

Some apps, after you log in, may ask if you would like to use 'fingerprint' recognition the next time you log in. This is also NOT MFA. It just means the app swapped one authentication method (password) for another (fingerprint). If every time you log in you need to provide BOTH a password and a fingerprint, that would be MFA.

"Remember me later": Some apps, after accepting your password and fingerprint, may give an option to "trust this device for X days". This means that after the first time you provide 2 factors, the system will be fine with just accepting one factor for the next 10, 30, 90 days, etc. This is still MFA because the system stores a second factor (usually in the form of a 'cookie') and it is the cookie plus your password (or fingerprint) that identifies you on that specific machine. If you log in from a different machine, you again need to provide both factors. This method saves you time at each login, but carries the risk of your data being stolen if your device is stolen.

Tokens and Authenticator Apps vs. 'email/text me a one-time code'

There are multiple methods to satisfy the 'something you have' factor. A 'hardware' token is a device you carry around with you. It is constantly generating a sequence of pseudo-random numbers. When you log in you have to type the password PLUS the number currently shown on the token. They usually look something like this:

Software tokens are apps (usually ones you download to your phone). Two popular apps are "Google Authenticator" and "Microsoft Authenticator"; they both work the same way. The first time you log in, the system you are logging into will display a Quick Response (QR) code. You hold your phone up to the screen and scan it with the app. This 'syncs' the two sides, and now the authenticator will start generating 'random' codes just like the hardware token did. Unlike hardware tokens, these software tokens are typically 'free' and have no maintenance cost or expiry date.

Alternatively, some apps can 'text' or 'email' you a one-time code. After you successfully enter the correct password, the app sends the code to your phone/email. You then enter the code.

Of the above, I prefer the soft-token the most and the 'text'/SMS code the least. With text/SMS it is possible for someone to "sniff" the code as it travels over the network.

You may wonder how the software/hardware token and the system you are logging into BOTH "know" the same random number. This is because the numbers are not truly random: they are pseudo-random, computed from the seed that both sides share (that is what scanning the QR code set up), so both sides can predict, and therefore agree on, the same code.

Most apps allow you to choose your authentication method: you can pick Microsoft Authenticator, Google Authenticator, some other third-party tool, or text/SMS/email. Whatever works best for your situation.

What MFA doesn't solve

MFA provides a significantly increased level of security when it comes to logging into your favorite apps. Both Facebook and Google support MFA, and you can even add it to one of my favorite password apps, "LastPass", which also includes its own authenticator.

BUT if you lose your device, phone or hardware token, or they are stolen, or you get kidnapped, MFA is likely not going to help. I'd give my password and code up pretty fast if my life depended on it.

MFA also won't help you if you check the "remember me next time" box while you are sitting at a public computer.

MFA has technically been around for a long time, perhaps even before computers were a spark in Steve Jobs's mind, as can be seen by this story:
