Multi-Factor Authentication for the Masses
In the face of ever-increasing attacks on commercially stored personally identifiable information [i], sensitive personal information [ii], and protected health information [iii], end-user consumers can be left with little more than a password standing between their private data and cybercriminals. Though industry standards, best practices, and government regulations all exist to govern the ways in which our data is collected, stored, and used by third parties, we as users often neglect to take advantage of new layers of security that would keep our data safe. Large-scale theft of information is regularly reported in the papers, on the six o’clock news, and even on the radio. When it happens to millions of people at a time the media is far more likely to pick up the story; conversely, the more personal the theft, the less likely we are to hear about it. Multi-factor authentication, and two-factor authentication in particular, is a great way to safeguard accounts from these smaller, more frequent, individualized attacks by preventing cybercriminals from effectively impersonating their would-be victims.
We know we want to secure ourselves against theft, both in the real world and in the digital realm. In the physical world, theft consists of taking something of value that belongs to someone else, often by physical force, and using it as one’s own. The motive is generally financial: to steal money from someone and buy things with it. In the digital world, theft has the same motive, but physical force is replaced by intellectual and programmatic effort that tricks systems into letting the attacker impersonate the victim. There are currently two ways to secure accounts, distinguished by how many of the following categories of information are needed to authenticate successfully: something they know, something they have, or something they are. The first is single-factor authentication (SFA), where information from only one of the three categories is needed, so that is all an attacker needs to impersonate a victim. For ordinary Internet accounts two pieces of information are generally required, a username and a password. Though it may sound counterintuitive, a username and password together still add up to a single factor, because both pieces of information fall under the single category of something they know.
Luckily for us, some major industry players are mandating the use of multi-factor authentication (MFA), where the authentication information presented must come from two or more of those categories. A familiar example of MFA is a banking customer using an automated teller machine: to access money, we must present an ATM card (something we have) and a personal identification number (something we know). To add more layers of security to Internet accounts, MFA is also being implemented in the form of two-factor authentication (2FA). Specifically, 2FA requires a user to provide pieces of information from at least two categories. The something they know is usually their username and password. Of the remaining two categories, something they are covers biometric solutions, which are still under extensive research and development. The something they have option that has gained the most recommendations among security professionals is the one-time password (OTP).
Let’s take where I work as an example: if I log in to our web pages and programs from my workstation in the office, I’m presented with a simple username and password prompt. Whenever I need to access work resources from outside the office, such as when I’m on call at home, a third prompt appears that requires a one-time password. During new-hire onboarding, employees are issued a token that generates OTPs. This token makes it nearly impossible to authenticate without all three parts of the puzzle: username, password, and OTP. This token setup is a common scheme for internal versus external access in enterprise environments: SFA internally, with MFA or 2FA for external access.
Methods also vary in how the OTP is generated. The first to be invented was the HMAC-based one-time password (HOTP), also known as the event-based OTP. From a security perspective, HOTP schemes accept a wider range of codes at any one time, known as the validation window: because the token’s event counter may have advanced past the server’s, the server checks a range of upcoming counter values rather than just one. In practice, HOTP represents a lock that can be opened with many keys. Operationally, HOTP schemes are also more difficult to support, as tokens may need to be resynchronized periodically. If the user mistakenly requests a code, or requests one and forgets to use it, the token’s event counter ends up out of sequence with the server-side counter, and once it drifts beyond the validation window the user will need additional assistance to authenticate.
The next and more common solution is the time-based one-time password (TOTP). A TOTP scheme accepts only one securely calculated value for any given time interval. This effectively narrows the validation window to a single possibility of success, making TOTP the more secure of the two methods. TOTP relies on administrative effort to keep all systems synchronized via the Network Time Protocol, which is both commonplace and a best practice in environments large and small. Operationally, TOTP also keeps user support incidents to a minimum, as administrators can automate policies that mitigate time drift between authentication servers and endpoints. Failures generally arise only when servers or workstations are configured with the wrong time.
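As an added illustration (not part of the original essay), the following Python implements HOTP and TOTP as standardized in RFC 4226 and RFC 6238 and contrasts the two validation windows described above: the HOTP server must search a look-ahead range of counters to resynchronize a token whose user has burned unused codes, while the TOTP server checks only the current time step (plus a small, assumed drift tolerance). The secret is the RFC reference test secret, and the look-ahead and drift sizes are assumed policy values, not taken from the essay.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Event-based validation window (look_ahead is an assumed policy value).
    Any of the next `look_ahead` counters is accepted; returns the resynchronised
    server counter (one past the matched value), or None if the token is too far ahead."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, drift_steps: int = 1) -> bool:
    """Time-based validation: only the current step, plus +/- drift_steps (assumed) for clock skew."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, t + d), code)
               for d in range(-drift_steps, drift_steps + 1))


# Constructed demo using the RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(SECRET, 0))                                   # 755224 (RFC 4226 test vector)
    # User generated three codes without submitting them: server counter 0, token counter 3.
    print(verify_hotp(SECRET, hotp(SECRET, 3), 0))           # 4: resynchronised inside the window
    print(verify_hotp(SECRET, hotp(SECRET, 25), 0))          # None: beyond the window, needs help desk
    print(verify_totp(SECRET, totp(SECRET, 59), 59))         # True: current 30-second step
    print(verify_totp(SECRET, totp(SECRET, 59), 59 + 120))   # False: stale code, four steps old
```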
Some sites pushing MFA security on their users also send a TOTP or HOTP code as a text message to the user’s phone. Text messages became a popular MFA option in the last decade, before it was discovered how prone the commercial short message service truly is to electronic eavesdropping and spoofing attacks. These discoveries are causing a shift in security strategy among MFA-enabled companies toward dedicated MFA solutions, either hardware-based hard tokens or software-based soft tokens. To avoid the cost of hard tokens, free mobile MFA applications are readily available, such as Google’s Authenticator or the identically named Authenticator from Microsoft. Microsoft’s version is slightly more user friendly in setup and day-to-day use when logging in to Microsoft-based accounts such as the Hotmail or Outlook mail services, and it also allows a security prompt in place of entering a code on Microsoft sites. Personally, I use both applications, storing Microsoft-related accounts in Microsoft Authenticator and all my other MFA-enabled accounts in Google Authenticator.
I highly suggest that users enable MFA on all their sensitive Internet accounts, from social media to email and bank accounts. Major providers offering MFA account security options include Google, Amazon, Facebook, and Apple (collectively referred to as GAFA), as well as Microsoft, LinkedIn, WhatsApp, Twitter, PayPal, Venmo, and most consumer banking institutions.