You Have Choices When It Comes to Multi-Factor Authentication. How Do They Stack Up?
by Joe McDonald
Multi-factor authentication has long been agreed upon by security experts as the best option for keeping hackers out. There’s no question among experts, including federal security advisers and tech industry giants, that multi-factor is more secure than traditional username and password combos.
All too often, what’s lost in the conversation about multi-factor authentication (MFA, for short) is that not every method of multi-factor is equally secure. Some methods are far stronger than others. Worse yet, some of what’s referred to as MFA is actually two-step authentication, which is different and can be much more vulnerable.
So how do you know which methods of multi-factor are the most secure — or the real deal? We’ll walk you through the options, explaining why some are better than others.
What Is Multi-Factor Authentication?
To start, we should clearly define MFA. Multi-factor authentication involves two or more methods of authenticating the user, including:
- Something you know, like a password or PIN
- Something you have, like an e-token or mobile phone app
- And/or something you are, such as biometric technology (less common)
Traditional user names and passwords involve only something you know, so if that knowledge is breached, there’s no stopping hackers, thieves and criminals. MFA is far more secure because it is far less likely that a hacker will be able to get their hands on something you know and something you have, let alone something you are. Even if one factor is compromised, the other or others may not be.
Two-step authentication, by contrast, does involve two separate steps for authenticating — say a traditional username/password combo and a code that is texted or emailed to the user — but the two steps can be the same factor (i.e. both something you know). Some people consider this just another method of single-factor authentication, while others dub it the simplest form of MFA. Whatever you call it, the method is still not as strong as combining something you know with something you have.
What Are the Various Types of Multi-Factor Authentication?
Here are some of the most popular methods of multi-factor authentication, along with their pros and cons:
- USB tokens: These pocket-sized devices are plugged into a computer to authenticate the user. Some tokens pose a threat if lost because they are not disabled until the user reports the missing device. If the thief also knows the password, the device can be compromised. However, there are newer hardware tokens on the market that do not store any personal information, making them far safer.
- Software tokens: For people who don’t want to carry around a physical token, there is software-based mobile phone authentication. Users download a secure app and use that to authenticate. This option is becoming increasingly popular, as it is more convenient. The method is also one of the most secure.
- OTP over SMS, email or voice call: Many companies, particularly banks and financial institutions, authenticate by sending a one-time password (OTP) to the user via text message, email or a voice call. Despite its popularity, this method has proven not to be secure. Hackers have worked their way around it through phishing attacks, often sending a fake link from, for example, the person’s bank and then sending a phony verification code to fool the user.
- Security certificates: Some people describe certificates as a legitimate second factor, but technically they do not fall under the category of something the user knows or has — they are behind the scenes when a user logs in. Hackers have proven that they are able to steal private keys from digital certificates. These do not guarantee safety.
- Smart cards: These work much like USB tokens, just in card form. As with USB tokens, some users don’t like the idea of carrying around an object. They can be lost, posing a security risk, and the cards can be expensive.
- Biometric scanning: Fingerprint scanning, eye scanning and the like are solid in terms of security. The biggest problem is the cost of implementation. These are expensive systems beyond the reach of many companies. Currently, they’re most common in the field of law enforcement. However, Apple’s newly launched iOS 8 has generated some excitement about use of the fingerprint scanner features to access websites, applications and more. Apple has opened up its Touch ID API for app developers to use.
Beyond just the method of multi-factor authentication, it’s important to pay attention to how the vendor you choose stores and uses your data. This is a crucial component of security. If your personal information is stored in a vendor’s database, then you are still susceptible to a data breach. WWPass has developed a sophisticated method of encrypting, fragmenting and dispersing data, which prevents hackers from getting all the puzzle pieces they need, even in the case of a successful breach.
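To illustrate why fragmenting and dispersing data limits what a breach yields, here is an added example that is not WWPass code. The article does not describe their algorithm, so this assumes a simple all-or-nothing XOR split with hypothetical function names and leaves out the encryption step; only the figure of 12 locations comes from the article.

```python
import secrets

LOCATIONS = 12  # figure taken from the page; everything else here is assumed


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("fragments must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(record: bytes, n: int = LOCATIONS) -> list[bytes]:
    """Split record into n fragments; every one is needed to rebuild it."""
    if n < 2:
        raise ValueError("need at least two fragments")
    # n-1 fragments are pure randomness from the OS CSPRNG ...
    fragments = [secrets.token_bytes(len(record)) for _ in range(n - 1)]
    # ... and the last one is the record XORed with all of them.
    last = record
    for frag in fragments:
        last = xor_bytes(last, frag)
    return fragments + [last]


def combine(fragments: list[bytes]) -> bytes:
    """XOR the fragments together; correct only if none is missing."""
    if not fragments:
        raise ValueError("no fragments supplied")
    out = bytes(len(fragments[0]))
    for frag in fragments:
        out = xor_bytes(out, frag)
    return out


def fragment_explaining(stolen: list[bytes], guess: bytes) -> bytes:
    """The missing fragment that would make `stolen` decode to `guess`.

    One exists for every guess of the right length, which is why a breach
    that misses a single location cannot rule any candidate record out.
    """
    return xor_bytes(combine(stolen), guess)


if __name__ == "__main__":
    record = b"acct=1001;name=Test User"  # constructed sample record
    frags = split(record)
    print(combine(frags) == record)        # all 12 locations
    print(combine(frags[:-1]) == record)   # breach of 11 locations
```

The cost of an all-or-nothing split is availability: losing any one location makes the record unrecoverable. Threshold schemes such as Shamir's secret sharing relax this by requiring only k of the n fragments.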
WWPass has developed a hacker-proof method of multi-factor authentication for businesses and consumers. Our technology encrypts, fragments, and disperses data across 12 locations in the cloud, where it can’t be accessed. We offer your choice of a hard token or a secure mobile app as a second factor of authentication. Neither stores any personal data.