By now, we should all be aware of the inadequacies of passwords. Breach after breach, it's been made painfully clear that single-factor authentication is not enough. But when the traditional means of authentication are so clearly flawed, what’s the next step?
Generally speaking, the best practice is to step-up your security with either two-factor or multi-factor authentication. As these standards have quickly become essential parts of the information security toolkit, they've also become top-of-mind considerations for many IT and security pros.
In fact, during our recent webinar Forrester’s Andras Cser and our very own Greg Pearson and Greg Salyards, fielded an interesting question from a viewer looking to add additional strong authentication steps. The viewer wanted to know: which approaches or methods are recommended? Which are most popular? And, is two-factor authentication enough? You can check out Andras and Greg’s great answers starting around the 48-minute mark.
These questions got me thinking—how can we clarify the difference between the two options and the specific needs that each one addresses?
What's the Difference?
Let's start by getting a few pesky definitions out of the way.
An authentication factor, according to SearchSecurity.com, is an "independent category of credential used for identity verification." In plain English, that means something that proves that you are who you say you are.
In Single-Factor Authentication (SFA) scenarios, that proof is commonly referred to as a knowledge factor, i.e., something you know, such as a password. This is by far the most common authentication method, but as mentioned above, it's remarkably easy for hackers to get ahold of that "something you know."
So, for anything requiring more than nominal security, we need Two-Factor Authentication (2FA), which ups the ante a bit by adding another authentication factor, typically a possession factor, i.e., ‘something you have,' such as a cell phone or a hard token.
For most use cases, 2FA is enough, but in special cases, we can take things a step further with multi-factor authentication. As you've probably surmised, this requires yet another separate authentication factor. Most often this is an inherence factor, which is something you are. This could mean anything from biometrics, such as fingerprinting or facial recognition, to your physical location.
However, having three authentication methods does not necessarily mean you're using true MFA. If your third method is simply another knowledge factor, such as a soft token, text code, or secret question, you are simply adding another layer to your second factor.
So, What's Best?
The answer isn’t as straightforward as it may seem. It’s important to consider the needs of your environment and your employees, as well as your compliance requirements before jumping in with a solution. What works for remote or virtual project managers will probably not work for an ER doctor or a police officer.
Yes, MFA offers the strongest authentication, but it can be a bear to implement, costly to maintain, and may be overkill for your situation.
For secure, low-cost implementations, you may want to leverage technology that is already in place and integrate with your standard infrastructure. Select the authentication method that is right for your users.
Enterprises or SMBs, with moderate security needs, looking for a low-cost option might be best served by a one-time password delivered via SMS or google authenticator, while those concerned about having the highest level of security may want to implement digital certificates with contact smart cards or tokens.
For example, public safety organizations need strong authentication to be CIJS compliant, but also need highly adaptable solutions for highly mobile officers. Police departments looking for a secure and convenient MFA solution for their officers may opt to use existing building access badges for tap in-and-out convenience.
But for organizations without such pre-existing infrastructure, smart card-based systems can be expensive to produce and implement and a burden to maintain. Not to mention the headache they cause when an employee loses his or her token. Therefore, they are not ideal for organizations who don’t truly need them.
Tokens sent via SMS or Google Authenticator, using the user’s cell phone as the delivery platform, on the other hand, aren’t so easy to lose. This approach removes the hassle of maintaining a separate and dedicated token system and doesn’t require the user to carry and keep track of an additional piece of equipment, improving business agility and lessening worker hassle.
Less Can Be More
It’s easy to be dazzled by the latest in MFA trends—biometrics, such as facial recognition, fingerprinting and retinal scans, behavioral analytics, even biostamps—can feel very futuristic, and it can be tempting to try to use such solutions to turn your enterprise into the Starship Enterprise.
And, while organizational security is of the utmost importance, it's also key to understand that even though your users may recognize the importance of security, they can also resent the inconvenience it can cause. Employees can't be expected to go along with a burdensome, overly obtrusive user experience. The more you get in their way, the more likely your users are to find risky workarounds. It may be necessary to choose the solution that is most apt to keep user resentment low.
Less intrusive methods, such as push-notifications, are more familiar to your users, as most of us have first-hand experience with them. Let’s say you want to transfer money from your bank account online. Instead of simply requiring a password, your bank probably sends a push notification to your phone to establish the required additional assurance.
This familiarity factor can result in increased buy-in from your users, as well as fewer headaches and less time spent implementing complex MFA standards.
It's important to balance usability and security to increase user buy-in or else, at best, you’ll have frustrated workers, constantly locked out of key systems, developing a first-name-basis relationship with the help desk. At worst, you'll have employees compromising your systems with workarounds.
However, MFA might be mandated—whether your users want it or not. Many security policies, guidelines, or forced regulations, such as NIST and DFARS, are now requiring 2FA for privileged accounts and remote access.
In conclusion, while MFA may be the more secure solution, there’s no one-size-fits-all ‘best’ option, only what’s best for your specific organization and users. So, take the time to examine all of the options available. If possible, you should go with a solution that supports many different authentication methods and flexible deployment options, including the ability to institute granular access controls and risk-based and contextual authentication.