Cryptonomics: Multi-Factor Authentication Explained

In today's online world, cybercriminals are becoming more sophisticated and daring. There is a need for more secure authentication systems to safeguard users' online accounts. Multi-factor authentication (MFA) provides a high level of data security and is vital for all to adopt.

By Utulu Hope on May 4, 2021
Category: Cryptonomics

Introduction 

A massive chunk of our day-to-day lives passes through gadgets such as laptops and smartphones. These devices ultimately end up containing valuable digital information about us. It is therefore not surprising that our online accounts have become attractive to criminals. Presently, cyber attacks against governments, companies, and even individuals are rampant because these criminals need access to private and personal information for their nefarious activities. From the look of things, these criminals will not relent any time soon.

However, it is very easy for individuals and organisations to improve the security of their private information using multi-factor authentication, commonly called MFA. 

 

What Is Multi-Factor Authentication? 

MFA is a security system that needs several authentication methods from independent categories of credentials to verify a user's identity for a login or any form of transaction. The technique combines at least two of these types of credentials: the user's knowledge (password), the user's possession (security token), and who the user is (biometric verification).

MFA aims to create multiple layers of defence against any form of attack. Multi-factor authentication makes it hard for an unauthorised person to reach a valid user's assets, such as a location, device, network, or database. With MFA, an attacker who bypasses one layer still has other layers of defence to breach before obtaining full access to the user's asset. One popular form of MFA is "two-factor authentication", also known as 2FA. Let us now describe it in detail.

 

2FA Explained 

Two-factor authentication, also called 2FA, adds an extra layer of security to verify whether a person who tries to access an online account is the rightful owner. The aim is to complicate access for a cyber-criminal. Any person who wants to gain access must provide another piece of information: the second factor. The information can be any of the following:

  • A user's knowledge: This may be in the form of a PIN (personal identification number), a password, an answer to one or more secret questions, or a drafted pattern.
  • A user's possession: This is something only the user has. It can be a credit card, a small hardware token, or a smartphone.
  • Who a user is: This involves more advanced forms such as the biometric pattern of a fingerprint, a voice print, or even an iris scan.

2FA is a form of insurance for a user in the sense that if the user's phone is faulty, gets stolen, or the user's password is compromised, another party's chances of knowing the second-factor information are slim.

 

What Are The Common Types Of 2FA? 

Any website that doesn't offer 2FA has the potential to be hacked easily. In other words, there is no insurance for your account once someone else knows your password. Some websites, however, offer different kinds of 2FA; some may be complex, others easy for the user to understand. The bottom line is that they offer protection beyond just passwords. The following are common types of 2FA:

Hardware Tokens

This is the oldest form of 2FA. Hardware tokens are small devices that generate a temporary numeric code every 30 seconds. When users want to access their accounts, they glance at their device and enter the numeric code into the website or application.

One major disadvantage of this is the cost. Businesses, for example, find it costly to provide a large number of employees with hardware tokens. The small size of the device also makes it easy to misplace. It is also worth noting that hardware tokens are not entirely safe from getting hacked.

 

Text-Message And Voice Verification

This type works directly with a user's mobile device. Upon the successful input of the username and password, a user gets a one-time password (OTP) in the form of a text message. When the user receives the OTP, s/he inputs it into the website or application. 

Voice verification works similarly: the user's number is automatically dialled, and the password is disclosed verbally. Voice verification is uncommon. It is mainly used in countries with poor cell service or where smartphones are expensive.

It is unwise to use this type of security on a website that stores your personal information because it is the lowest-level security. Private information like bank account details, email accounts, etc., need a more secure form of authentication. Therefore, this type of 2FA is predominantly for low-risk online activities. 

 

Software Tokens

This is the most widely used type of 2FA. For many, it is a better alternative to text message and voice verification. It makes use of a software-generated, time-based one-time password, commonly referred to as TOTP, or soft token. 

To use this method, users have to download and install a free 2FA application on their mobile or PC. The application can be used on any website that supports this authentication type. When users log onto the website with their respective username and password, they read the current code from the application and input it. Similar to the codes from hardware tokens, software token codes are temporary and last for less than a minute.

Software tokens are less susceptible to attacks because the code is generated on the same device, unlike text-message and voice verification, where there is every tendency that a user's registered number may be on another device. Most importantly, the 2FA applications are available for mobile, wearables, or PCs and can work offline. Therefore, it is possible to use them anywhere.

 

Push Notification 

This type of authentication doesn't need a 2FA token. All the user needs to do is to verify that a login attempt is about to take place. Whenever an attempt is made to log into an account, the website will send a notification to the account owner's smartphone, and with just a single touch, the account owner can approve or deny access.

This method eradicates any form of attack from a third party. The direct relationship between the user and the website ensures that the user receives a notification upon any login attempt. However, it can only work on an internet-connected device. Hence, it may be difficult to use in an area with a poor network. 

 

Other Forms Of MFA

  • Swiping a card and entering a PIN.
  • Using a VPN with a valid digital certificate to access a network. 
  • Scanning a fingerprint and answering security questions before gaining access to a website. 

 

What Does The Future Hold For MFA?

Presently, the United States has adopted the use of MFA. The Federal Financial Institutions Examination Council (FFIEC) has issued a directive that MFA should be used for internet banking operations. With the world's largest economic and financial superpower declaring its interest in multi-factor authentication, there is no doubt it will be used worldwide shortly.

 

Closing Thoughts

Reports indicate that stolen, misplaced, and weak passwords are the primary cause of security infringements. Before now, passwords were the only way to keep one's account safe from cybercrime. Thankfully, MFA came on board when the rate of cybercrime was growing fast. With MFA, many companies and individuals can now increase their security level. MFA is vital to keep one's account safe and necessary for everyone in this digital age.

Utulu Hope

UC Hope is a passionate fan of crypto who could weave the latest event into sparks of inspiration and information. He leaves no stone unturned to get to the core of a story. Aside from writing, he spends his hours poring over algorithms and protocols, preparing for a future career as a computer programmer.