Weird Security Term of the Week: “Multi-Factor Authentication”

The Problem:

Restricting access is not a new concept by any means. Guards and gatekeepers have been around for millennia, and allowing in only those that truly need access, whether to a facility or to information, is just as old a problem.

In the connected world, falsifying credentials has never been easier. A stolen user ID and password can allow someone to gain access to bank accounts, company records, restricted communications, and more. The physical world has the same basic problems: falsified identification, stolen credentials, and other less well-known methods.

While there are countless variations on proving that a person is who they say they are, they all come back to 3 core concepts:

  1. something that the user knows,
  2. something that the user has, or
  3. something that the user is.

The Solution:

Multi-Factor Authentication is the combination of at least 2 of these 3 elements used in concert. While it is relatively easy to obtain one set of credentials, requiring a second element can drastically improve the security of even a poorly configured setup.

Solution the First: Something that the user knows

Passwords are normally the first thing that springs to mind when talking about security, but they are only one example of something that a user knows. PINs also count, as do captcha responses, birth dates, mothers’ maiden names, credit card numbers and challenge/response answers; the list is nearly endless. While this is one of the easiest methods to use, it is also one of the easiest to get around. The number of users that keep ‘password books’ tucked into a desk drawer is unbelievable, as is the number that share credentials because they can’t get into the office that day, because they’re locked out of their own account, or because they just want to watch somebody else’s Netflix queue.

Solution the Second: Something that the user has

This element can be something as simple as a door key, but it goes far beyond that: RSA-style tokens, Google Authenticator codes, Common Access Cards, ATM cards, key cards, speed passes, USB sticks, RFID badges, and any other item that can be physically issued to a user in order to gain access. This element is usually used when access to the information is more difficult to control, especially on the web, where logins can occur anywhere on the globe. In the physical realm, users are more used to this idea than most people think: an ATM card plus a PIN is one of the most typical multi-factor authentication methods a user can be issued, yet almost nobody thinks of it as such.

Solution the Third: Something that the user is

Biometrics have become far more ubiquitous in recent years, but again they have been around for a very long time. In some of the darker times of human history, tattoos were used to identify people at a glance, and in certain cases still are to this day, but that does not go quite as far as what we are talking about. Fingerprints, footprints, retina scanning, retinal blood vessel scanning, bio-electric signatures, heart monitors, blood samples, hair, and pretty much anything that ends up on an episode of CSI counts in this category: identifying a person by an element that cannot easily be changed or compromised. The problem in this case lies not with what is being measured, but with what is doing the measuring. Typical thumbprint scanners on laptops, for instance, normally scan only a handful of reference points. On an episode of Mythbusters, a series of such devices was tested and in the end could be fooled by something as simple as a photocopy of someone’s thumb.

Multi-factor authentication requires the effective use of at least 2 of these elements. The key word, as always, is EFFECTIVE, and it cannot be over-stressed. While adding factors can easily increase the security of a given situation, they also need to be configured correctly and must not be something the user feels is an extra burden; otherwise they will simply be ignored.
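As an added illustration (not part of the original post), here is a small Python check that combines a knowledge factor (a password) with a possession factor (an RFC 6238 TOTP code, the scheme behind Google Authenticator codes) and shows two of the "effective" details above: both factors are always evaluated, and a given code is accepted only once. The secret, salt and password are constructed demo values, and the verifier class is a hypothetical name, not any product's API.

```python
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: HMAC-SHA1 over the 30-second
    time-step counter, dynamically truncated to `digits` decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TwoFactorVerifier:
    """Hypothetical verifier: a login succeeds only when the knowledge factor
    (password) AND the possession factor (current TOTP code) both check out."""

    def __init__(self, password: str, totp_secret: bytes, salt: bytes):
        self.salt = salt                       # constructed demo salt
        self.password_hash = self._hash(password)
        self.totp_secret = totp_secret         # shared with the user's authenticator app
        self._last_step_used = None            # each code is accepted at most once

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def verify(self, password: str, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        # Evaluate both factors unconditionally so a failure does not reveal
        # which one was wrong, and compare in constant time.
        password_ok = hmac.compare_digest(self._hash(password), self.password_hash)
        matched_step = None
        for drift in (-1, 0, 1):  # tolerate one time step of clock skew either way
            step = now // 30 + drift
            if hmac.compare_digest(totp(self.totp_secret, step * 30), code):
                matched_step = step
        # A correct code that was already used is a replay and is rejected.
        code_ok = matched_step is not None and matched_step != self._last_step_used
        if password_ok and code_ok:
            self._last_step_used = matched_step
            return True
        return False
```

Note that the verifier still needs to be tied to rate limiting and a trustworthy clock; the replay check only stops the same code being presented twice.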