Have You Got the Multi-Factor?

Okta Security

A big topic at the moment in Information Security is multi-factor authentication (MFA), also known as two-factor authentication (2FA). So the first question: what is a “factor”?

Put simply, a “factor” is an element that a principal (i.e. a person trying to log on to a system) can use to prove to the system that they are the person they claim to be. There are three main types of factor, and another two that you might see used:

Type 1 – Something You Know

The first factor is one you’ll be very acquainted with: a username and password. These are things that you remember, i.e. “something you know”. When you attempt to identify yourself to a system you can provide this factor as proof that you are the identity you purport to be. Another example of a Type 1 “Something You Know” factor is a Personal Identification Number (PIN).

Type 2 – Something You Have

The Type 2 “Something You Have” factor can vary in its physical (or logical) form; it’s something you have, i.e. some item in your possession. An example might be a passport, a smart card, a token (e.g. YubiKey) or a smartphone app generating a TOTP/HOTP (Time-based/HMAC-based One-Time Password). Your having this “item” means it can be used to support your claim to be a specific identity.

Type 3 – Something You Are

The third factor type, “Something You Are”, is just that: it’s something about yourself that makes you unique, commonly known as biometrics; examples include a fingerprint, an iris scan, facial geometry, etc. So if a system checked for “Something You Are”, you might be asked for your fingerprint to confirm the identity you purport to be.

Type 4 – Somewhere You Are

A Type 4 factor, “Somewhere You Are”, can’t really be used alone because it’s not sufficiently unique to you. It can be used, though, in combination with the other factors to increase confidence in your claim on a particular identity within the system. For example, if you try to log in to a system with your username and password, the IP address you are logging in from could be checked to ensure it is within the UK, or perhaps a particular city. The system would know you’re normally only going to log in from within the UK, so if a connection was seen coming from China, this might be enough to reject the connection outright, or perhaps to require additional factors of authentication to prove you really are who you say you are.

Type 5 – Something You Do

The final factor, “Something You Do”, is something like a signature or a pattern unlock on your phone. Again, these are typically supporting factors, something you can’t use alone. That being said, for how many years was a signature on a cheque taken as proof of your identity?

Multi-Factor Authentication and its Reasons Why

So where does Multi-Factor come in? Multi-factor authentication is just that: it’s requiring two (or more) of these factors to be presented at the same time in order to authenticate a particular user to a system.

When logging on to a system you’ll perhaps need to enter your username and password; once these are successfully entered and authenticated, the system then asks for another factor to confirm you are the identity you purport to be, i.e. to authenticate you. Let’s say it requires you to plug a USB token into your laptop, or to type in a 6-digit code shown on a smartphone app, before it lets you access the system.

That is multi-factor authentication: you were asked for a username/password (Type 1 factor) followed by a USB token to be plugged into your laptop (Type 2 factor); in this case the former was “something you know”, the latter “something you have”.

So, how does this help in protecting systems?

It’s a good question. A username and password alone are not a very good form of security: obtaining or guessing someone’s username and password can be fairly straightforward. Attackers also simply try every combination of username/password against a system (brute force) in an attempt to find the correct pair. Either way, having a single factor means that once it is found/known/compromised, an attacker has access to the system unless there is a second factor to stop them (or slow them down).

The premise of a multi-factor (or two-factor) authentication system is that it’s less likely that both (or all) of the factors could be compromised at the same time. For example, it might be reasonably easy to get hold of someone’s username and password; but to get hold of those AND the person’s USB token or mobile phone (with a TOTP code on it) at the same time is far less likely.

That is where the protection Multi-Factor offers comes in: if someone accidentally falls for a phishing attack and provides their username and password to a hacker, they won’t also have provided their mobile phone or USB token, which means that if the hacker attempts to use the credentials they can’t get into the system because they are missing the second factor.

Conclusion

Hopefully that gives you an overview of multi-factor authentication and how it can help your security both at home and at work. And remember, it’s not all that new: “Chip and PIN”? Your debit card (something you have) and your PIN (something you know).

If you are interested in seeing a practical application of multi-factor authentication, try downloading the “Google Authenticator” application for your smartphone. Then see if some of your favourite websites support turning on “Multi-Factor” or “2FA”; you’ll find many now do, so why not give it a try?

And why not read this example of turning on 2FA for HPE Nimble Storage?
