August 7, 2016 by

Weird Security Term of the Week: “Multi-Factor Authentication”

The Problem:

Restricting access is not a new concept by any means. Guards and gatekeepers have been around for millennia, and allowing only those that truly need access – whether to a facility or to information- is just as old a problem.

In the connected world, falsifying credentials has never been easier. A stolen user id and password can allow someone to gain access to bank accounts, company records, restricted communications, etc. In the physical world as well, this problem still exists with the same basic problems- falsifying identification, using stolen credentials, and other less well known methods.

While there are countless variations to prove the person is who they say they are, it all comes back to basically 3 core concepts:

  1. something that the user knows,
  2. something that the user has, or
  3. something that the user is.

The Solution:

Multi-Factor Authentication is the combination of at least 2 of these 3 elements used in concert. While it is relatively easy to get one set of credentials, adding on a second element can drastically improve the security of even a poorly configured setup.

Solution the First: Something that the user knows

Passwords normally are the first thing that springs to mind when talking about security, however they are only one particular idea in something that a user knows. PIN numbers also count, as do captcha responses, birth dates, mothers’ maiden names, credit card numbers, challenge/response answers, the list is nearly endless. While this is one of the easiest methods to use in security, it is also one of the easiest to get around. The number of users that have ‘password books’ tucked into their desk drawer is unbelievable, along with users that share credentials because they can’t get into the office that day, because they’re locked out of their own account or they just want to watch somebody else’s Netflix queue.

Solution the Second: Something that the user has

This particular element can be boiled down to an element as simple as a door key, but go far far beyond that. RSA-style Tokens, Google Authenticator Codes, Common Access Cards, ATM Cards, Key Cards, Speed Passes, USB Sticks, RFID Badges, and other items that can be issued to a user physically to gain access. This element is usually used when access to the information can be more difficult to control- especially on the web where logins can occur anywhere on the globe. In the physical realm, users are actually more used to this idea than most people think. The idea of having an ATM card and a PIN is one of the most typical multi-factor authentication methods that a user can be issued, yet almost nobody ever thinks about it as such.

Solution the Third: Something that the user is

Biometrics have become a lot more ubiquitous in recent years, but again they have been around for a very long time. In some of the more darker times of human history, tattoos were used to identify people at a glance and in certain cases are still used to this day- but this still doesn’t go quite as far as we’re talking about. Fingerprints, footprints, retina scanning, retina blood vessel scanning, bio-electric signatures, heart monitors, blood samples, hair and pretty much anything that ends up on an episode of CSI counts in this category to identify a person via an element that cannot be easily changed or compromised. The problem in this case lies not with what’s being measured, but rather with what is doing the measurements. Typical thumbprint scanners on laptops for instance normally scan only a handful of reference points. On an episode of Mythbusters, they were testing out a series of devices that in the end could be fooled by something as simple as a photocopy of someone’s thumb.

Multi-factor authentication requires the effective use of at least 2 of these elements – the key word as always is EFFECTIVE, and cannot be over-stressed. While adding on additional factors to security can easily increase the security of a given situation, they also need to be configured correctly and not be something that the user feels is an extra burden otherwise they will simply be ignored.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Reddit [Finally] Offers Two-Factor Authentication to All Users

One of the most popular, most-visited and most-populated websites in the world is switching on 2FA...

Read more arrow_forward

Google Plans 2FA Upgrade with Hardware Replacements

Google is reportedly close to rolling out a new hardware-based replacement solution as an upgrade...

Read more arrow_forward

Twitter Turns on Support for Two-Factor Authentication Apps

Beyond offering its own added layer of security in enabling SMS-based two-factor authentication...

Read more arrow_forward