May 26, 2022

    Understanding Multi-Factor Authentication 101: Key Insights

    In the IT industry there are many words used when discussing the topic of authentication. Some of those words often used are multi-factor authentication (MFA), two-factor authentication (2FA), time-based one-time password (TOTP), one-time password (OTP) and more. It is important to understand that here are dependencies and differences amongst these terms. For example, two-factor authentication (2FA) is a subset of multi-factor authentication (MFA) because it requires more than 1 form of authentication - i.e 2FA is under the MFA umbrella. Additionally, there are multiple types of 2FA/MFA such as one-time password (OTP). Lastly, there are variations of OTP methods like TOTP, HOTP, etc. Therefore, all of the above would be considered multi-factor authentication. Your authentication method(s) can thwart would be attackers. It seems like all too often we hear about a different company falling victim to a cyberattack (some of which are massive enterprise corporations/conglomerates). In this blog we take a look at the various methods of authentication available to protect your business. 

    What is Authentication?

    Authentication is the process of determining if someone is who they say they are. Servers, phones, tablets, laptops, Software-as-a-Service clients may all use an authentication method. Servers, as an example, use authentication to identify who is accessing the data, and software clients use it to ensure that the connected server is the system intended. This secures systems and information.

    Authentication is typically accomplished by validating one of three factors:

    • What you know: PIN, password, security question answer
    • What you have: a phone or device you can receive a code on such as a hard token
    • Who you are: fingerprint or biometrics

    Authentication is simple but effective - you can control system access by checking if the user credential provided matches what is stored in the database of users or servers. You must prove your identity through unique login information to access information. We use keys to protect our homes and belongings and authentication allows for protection of your personal information (PII), or your organization’s IT systems

    Multi-Factor Authentication (MFA)

    Over 90% of phishing attacks target your users’ credentials. It is important your organization has an authentication solution to prevent these targeted attacks as well as ensure compliance requirements like HIPAA (Health Insurance Portability and Accountability), PCI, NIST (National Institute of Standards and Technology), and more. We wanted to help break this down and make it a little simpler.

    What is Multi-Factor Authentication (MFA)?

    Multi-factor authentication (MFA) has grown in popularity to increase the assurance for web and mobile apps. This adoption has correlated to the increase in threats to password security in recent years.

    MFA requires two or more verification factors for access. This is considered a core tenant of a secure Identify Access Management (IAM) policy. Instead of just asking for a username and password the user is required to provide additional verification factors. This decreases the chances of a successful cybersecurity attack. Usernames and passwords are important but used alone they make your organization vulnerable to attacks. Enforcing MFA adds confidence to your IT team’s ability to keep sensitive data safe.

    Examples of Multi-Factor Authentication (MFA)

    One-time passwords (OTP) are one of the most common MFA factors used. They are used with HTTPS (web applications) and are not available for connections through FTP/FTPS/SFTP due to the automated nature of these protocols. An OTP is a 4 to 8-digit code that you receive via text, e-mail, or an authenticator app. The OTP code is either generated every time a request is made or periodically generated. This code generates based on a seed value that is given to the user when they first register and some other factors that could be a time value or a counter that is incremented. If an OTP code is time based, it is called TOTP which stands for time-based one-time password. This means the code will refresh after a determined period (normally 30 seconds) whether the current code is used or not.

    IT security professionals should always revisit how to provide secure access to their users. One way to protect sensitive company information and user data is to empower users with reliable and simple security. Using one-time passwords (OTP) as a form of multi-factor authentication is a way to make it more difficult for cyber criminals to access sensitive information.

    As mentioned previously, authentication typically involves using a combination of elements to authenticate.

    Knowledge

    • Answers to personal security questions
    • Password
    • OTPs (One-time Password)

    Possession

    • OTPs generated by smartphone apps
    • OTPs sent via text or email
    • Access badges, USB devices, Smart Cards or fobs or security keys
    • Software tokens and certificates

    Inherence

    • Fingerprints, facial recognition, voice, retina, or iris scanning or other Biometrics
    • Behavioral analysis

    Out of the above elements, an OTP code could be considered both Knowledge and Possession because an individual must know the OTP application required, and you must have something in your possession to receive the code, such as your phone or application.

    There are a few other types of MFA that integrate with new frontiers of technology like machine learning and artificial intelligence (AI) – these allow authentication methods to become more sophisticated.

    Location

    This type of MFA uses an IP address and/or geolocation permissions such as country access. You can block access if a user’s location information does not match what is on the whitelist, or it can be used as an additional form of authentication for an SFTP connection. The first check would be the correct username and password or SSH key, and the second check would be the IP address the individual is connecting from.

    Adaptive Authentication or Risk-Based Authentication

    Adaptive authentication analyzes more factors using context and behavior to assign a level of risk of a login attempt, and then may require additional authentication depending on the risk score.

    Example:

    • First Check: From where the user is when trying to access information?
    • Second Check (if first check fails): When are your users trying to access company information? During your normal hours or during "off hours"?
    • Third Check (if second check fails): What kind of device is used? Is it the same one used yesterday?
    • Additional Check Possibility: Is the connection via private network or a public network?

    The risk is calculated based on the answers to these questions and can determine if any progressive authentication will be required or not. If you have a user attempting to login from somewhere late at night, which is unusual, there may be a prompt to enter a code that was sent via text in conjunction with their username and password. However, when they are logging in from the office during normal business hours, they are only required to provide their username and password.

    Advantages of MFA

    User accounts can be easily compromised through weak password controls required by organizations, or through social engineering (the stealing of passwords by pretending to be someone else, say a member of your organization’s help desk). Additionally, even if your organization has implemented strong technical controls (requiring passwords to be of a certain length, the use of numbers, symbols, uppercase and lowercase), overcoming the human element of choosing passwords that are easy to remember because they use the same password on other applications is difficult to overcome. Unfortunately, a strong security posture in today’s age means administrators should assume your users’ password will be compromised at some point, and you must be able to defend against it.

    MFA is widely regarded as the best defense against password-related attacks, and this includes several distinct types of attacks including:

    • Brute Force – Testing multiple passwords from a dictionary which are automatically entered over and over
    • Credential Stuffing – testing username/password combinations found or purchased on the dark web from other hacks
    • Password Spraying – Testing a common, single password against many of your users’ accounts

    An analysis from Microsoft suggests that MFA would have stopped 99.9% of account compromises!

    Disadvantages of MFA

    Although the advantages of using MFA are evident, there are some disadvantages your organization should consider before implementing. If you decide to implement MFA anyway, then you should have a plan in place for overcoming these objections:

    • MFA adds additional complexity for all users of a system, whether an administrator or everyday user. It adds an extra layer to the login process and can be difficult to use for some users who have never configured it. This might add additional workload to your helpdesk and support.
    • If you implement an MFA application, such as RSA, it might require your organization to buy and provision expensive hardware.
    • If you decide to have a process that excludes certain users from MFA, then you have opened the application to exploitation by bad actors, or a disgruntled employee.
    • MFA could be a single point of failure for your organization if the application you are using goes down. This could prevent your users from accessing applications needed to perform their duties until you’re back up and running.
    • Although rare today, if the application you choose only works through a mobile device, any users without one will be left without access to perform their duties.

    MFA Best Practices

    Here are several best practices an organization can take to overcome some of the disadvantages of MFA, implement strong security practices, and lighten the load on your users. Even though these tips might be helpful, we encourage you to conduct your own research to decide what works best for your organization:

    • Your organization should require OTP for all users regardless of job title or position. As discussed, a compromised email and password can wreak havoc on anyone, and especially an administrator who has provided themselves with the right to bypass MFA.
    • If your users are connecting through FTP/FTPS/SFTP protocols, then it’s important to implement a second factor of authentication such as an allowed IP address range for login.
    • An MFA system using OTP/TOTP should give a new code no more than every 60 seconds and should be valid for no more than 60 seconds.
    • Give your employees options for MFA such as the choice between text, email, or app. Sharetru allows an administrator to pick for users, or to give users the option to pick which method they prefer (there are advantages and disadvantages to each!).
    • If your organization is currently using or has discussed implementing Single Sign-on (SSO), then couple it with MFA. When you implement SSO for your users who access Sharetru’s application, then your MFA implementation completely replaces ours for those users.
    • If you are an administrator, do not, (I repeat – DO NOT) give up at the first sign of resistance or push-back. MFA is a valuable tool in your cybersecurity arsenal that can save you the pain of a compromised system down the road.

    Conclusion

    Many tech platforms, software, tools, etc. today commonly use multi-factor authentication along with a password plus a push notification via an app, a time-based token, or even biometrics. As you can see the different approaches to MFA vary widely and present different tradeoffs.

    Before you select a secure file-sharing or file transfer solution, consider your authentication needs carefully. If you need the heightened security to protect your data, make sure to choose an FTP solution that features these authentication methods, or can integrate with an MFA application that supports them. When you choose an industry-best secure file-sharing or transfer solution with support for MFA, you will have peace of mind knowing you have implemented another step in effectively protecting your organization’s data by ensuring every user accessing your server is whom they claim to be.

    To keep your company data safe, it is essential to verify that someone is who they say they are. In the past, a single, unique password might have been enough protection to keep potential digital thieves at bay, but hackers’ methods have become more sophisticated with each passing day. Contact our team to learn more about the authentication methods that Sharetru offers to ensure you can share with confidence.

     

    Arvind Mistry

    Arvind, Sharetru's Director of Compliance, brings 11+ years' experience in cloud solutions for Federal Govt. & public sector from esteemed companies.

    Other posts you might be interested in

    View All Posts