In the context of multi-factor authentication, which option is an example of inherence?

Multi-Factor Authentication (MFA)

Multi-Factor Authentication uses multiple factors, such as Knowledge Factors, Possession Factors, and Inherence Factors, to verify the identity of people. This is significantly more secure than single-factor authentication.

Multi-factor authentication adds another layer of security for businesses and their users. Multi-Factor Authentication, like 2-factor authentication (2FA), uses two authentication factors to verify the identity of the users.

Most 2-factor authentication uses Knowledge Factors like passwords and usernames together with Possession Factors like codes sent to the user's phone, which the user then enters to verify their identity.

Multi-Factor Authentication mitigates the risks of weak passwords and provides an extra layer of security and keeps data much safer. MFA was previously a “nice feature to have” for websites, but now the increased risk posed by stolen and hacked passwords has made MFA a must-have for websites.

Three Significant Benefits of Using Multi-Factor Authentication

  1. Improved Reliability

Multi-Factor Authentication is a cost-effective way for businesses to improve the reliability of their fraud prevention efforts, and add another layer of defense against hacking, impersonation, and ID theft.

  2. Compliance with Regulation and Industry Best Practices

Multi-Factor Authentication helps businesses comply with regulations due to increased security for various customer identification and data-protection requirements. Businesses should look for multi-factor authentication apps that allow them to choose between two or even more authentication factors that help add an extra layer of security.

  3. Simplifying the Customer Identification Process

Multi-Factor Authentication helps businesses simplify their customer identification process and helps improve user experience. MFA adds an additional layer of security at the same time, while decreasing the burden for users and customers in terms of verifying that they are who they say they are.

Conclusion

As cyberattacks increase in sophistication, and governments implement more and more regulations to prevent fraud, businesses will find they can no longer afford to avoid using customer verification.

However, it’s important to note that the implementation of MFA must be done with user experience concerns in mind. Making your customer identification and verification process too strenuous will increase your abandonment rate, and no one will want to buy your products or use your services.

Multi-factor authentication (MFA) is defined as a layered authentication approach of granting access to an application, account, or device. Other layers of authentication include one-time passwords (OTPs), key fobs, USB-based key generators, smart cards, and biometric identification. This article explains the basics of multi-factor authentication with the help of examples and shares its benefits, key components, and top ten best practices in 2021.

Table of Contents

    • What Is Multi-Factor Authentication?
    • Benefits With Examples
    • Key Components of Multi-Factor Authentication
    • Top 10 Best Practices for Managing Multi-Factor Authentication

What Is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a layered authentication approach of granting access to an application, account, or device. The first level is usually the traditional username and password procedure. The next levels of authentication can range from OTP emails to biometric-based methods such as fingerprint scanning and facial recognition.

It is akin to having a vault at home that requires a numerical code and fingerprint identification to be opened. Even if a person figures out the code, they will still not be able to access the vault without fingerprint identification.

Two-factor authentication (2FA) is the most commonly used form of MFA. This involves exactly two levels of authentication (for example, swiping a card at the ATM and entering a PIN code). Some organizations use 2FA and MFA interchangeably, though MFA implementation can involve more than two authentication factors.

The most frequently observed example of multi-factor authentication is sending an OTP to a registered phone number for monetary transactions, even while the user is logged in. This provides double insurance to ensure that the user is valid.

MFAs can be built on top of an organization’s existing identity and access management (IAM) system or come bundled with one of their own. MFAs are important because no matter how robust the security management system of an organization may be, the authentication mechanism is always the entry point or gateway.

There are two levels of multi-factor authentication:

    • Device-level or system-level MFA: This type of authentication is implemented while logging on to a device or system itself. 
    • Application-level MFA: This type of authentication is implemented at a specific application or functional level. For example, sending an OTP to a mobile phone when a logged-in user tries to change the account password.

MFA implementation can either be employee-facing or customer-facing. Let’s understand both.

Employee-facing: Here, MFA is typically applied to email, VPN, remote access, and third-party services such as file sharing apps, cloud repositories, etc., at an internal, corporate level. The implementation of the MFA depends on the size of the organization, industry, compliance regulations that need to be considered, and the security aspects. In addition, it must be ensured that the MFA implementation is uniform throughout the organization’s systems and network.

Customer-facing: This multi-factor authentication is used by the consumers of an organization’s products, applications, or services for extra security. For example, ecommerce apps sending OTPs to registered users’ phone numbers during checkouts. This is trickier than implementing employee-facing MFA, because it needs to consider the trade-off between ease of use vs. security. Customer-facing MFA is used to protect consumers’ private data—the data that they have entrusted the company with. 

The exact nature and checkpoints of implementation of an MFA need to be decided before looking out for MFA solutions and vendors. Most organizations usually have both device- and application-level MFAs.

Benefits With Examples

Today, organizations are increasingly moving online for their day-to-day functioning and customer offerings. Large amounts of private user data are being stored and moved around. This leads to increased security threats to the whole organization from the breach of just one component in the system. Data breaches also damage the trust that consumers place in the organization’s brand.

Benefits of Multi-Factor Authentication

While password-based offenses seem innocuous at first glance, Verizon’s 2020 Data Breach Investigations Report shows that 37% of data breaches in 2020 were due to stolen user credentials. The top malware reported was the password dumper, which extracts and dumps all application passwords from a compromised system for further malicious activity.

COVID-19 caused considerable organizational restructuring in 2020. The number of remote workers has never been as high. With an increased need for secure data movement, many organizations have initiated the first steps of adopting a zero trust security model, according to a 2020 Forrester report commissioned by Cloudflare. 

A routine security framework follows the perimeter model, where firewalls and content filtering systems, among others, guard the organization’s network by securing data that flows in and out. However, all components inside the company’s network are assumed to be safe, and data flows between them unimpeded. The zero trust security model assumes that any data or request, no matter where it originates, cannot be trusted and must be verified at every stage for possible threats. 

However, the implementation of a zero trust model is complex and expensive, and one of the first steps toward building such a system is implementing MFA. This perhaps explains why the MFA market value is expected to reach $24 billion by 2025 after being valued at only $9 billion in 2019.

Here are some benefits of multi-factor authentication:

1. Provides increased security

As mentioned above, one of the key benefits of MFA is increased security posture. MFAs address multiple types of cyber-attacks such as phishing, brute force attacks, man-in-the-middle attacks, credential stuffing, and keylogging.

2. Addresses compliance regulations

Many regulations such as HIPAA in healthcare and PCI DSS for any business that stores credit card information require MFA as part of their guidelines.

MFA reduces the risk of cyber-attacks and system downtimes, preventing an SLA breach that might lead to lawsuits being filed against the organization.

4. Lessens impact of password offenses

With consumers and employees juggling multiple user credentials daily, password reuse and weak passwords are very prevalent. Good password hygiene has become difficult to follow across all services. MFA allows users to have a secure fallback mechanism to keep their data safe.

5. Improves usability

Instead of just typing in the login credentials, users can now leverage advanced hardware capabilities available on their phones to authenticate themselves, for example, using the smartphone’s fingerprint scanner. This makes for a smoother user experience.

6. Inexpensive step toward zero trust model

There are many MFA solutions available today that can just be plugged into the existing system. Besides, considering the potential financial losses from data breaches and downtime, the return on investment on a good MFA solution is pretty high.

Let’s look at some examples of multi-factor authentication:

    • One example of consumer-facing MFA is Etsy’s optional 2FA security. Etsy account holders can either opt for a simple username-password login or the second level of authentication. This is invoked every thirty days or if the user tries to access the Etsy account from a new device. The user receives a generated code through a phone call, an SMS, or their authenticator app. The authenticator app needs to be installed on the user’s device. Etsy shop owners can use this option for increased account security.
    • Another MFA example is swiping a smart card, entering a PIN, and using fingerprint scanning to access private testing labs in hospitals.
    • While accessing a VPN machine, one MFA mechanism involves downloading the VPN client using a valid digital certificate and then using a password to log in.
    • One of the strongest MFA offerings comes from Amazon’s AWS. It offers five different factors of authentication—virtual MFA device, U2F security key, key fob hardware, smart card, and specialized key fobs for its government clients. When a user signs in to the Amazon Management console, they must type in both the password and the authentication code from one of these devices. This is crucial since AWS is an on-demand cloud computing platform used for everything from database storage to content delivery.

Key Components of Multi-Factor Authentication

Key components of an MFA system are the different factors used for each level of authentication and the tokens used to enable each factor. Each kind of token comes with its own specific hardware or software requirements. Therefore, it is crucial to know which of these requirements are accessible to the organization’s employees and consumers before implementing them.

Five different identifying factors can be used at each level of authentication.

1. Knowledge (What You Know)

Knowledge refers to the password, a security question, or a PIN that ideally only the user knows. It is usually the first level of authentication and is the most widely used one.

2. Possession (What You Have)

This authentication is based on something that the user has, such as a mobile phone, a SIM card, a smart card, or a key fob. Therefore, even if a hacker gains access to the password, they also need to access one of these possessions to penetrate the system successfully. 

3. Inherence (What You Are)

This authentication is based on unique biological traits such as fingerprints, the iris of the eye, and facial features. This typically requires reader hardware, a database, and software to process the readings for authentication.

4. Location (Where You Are)

This refers to the location from which the user’s request to access has come in. It uses the IP address of the request and the user’s geolocation if available.

5. Time (When You Are)

This is based on the time of the user’s access request. For example, if the employee’s work hours are from 9 to 5 p.m., and they haven’t been granted access to log in after that, the request is denied.

The first three factors are the most commonly used, with advanced MFA systems leveraging location and time. However, intelligent MFA systems also consider the behavioral context of the user to conclude if a request is valid or not. This means analyzing a combination of the above factors. For example, if a withdrawal request from a bank’s user comes from San Jose (U.S.), and another request comes in within 15 minutes from Madrid (Spain), it can be flagged as suspicious activity, and the request can be denied.
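The San Jose and Madrid check described above can be written as a speed test between a user's consecutive requests. This is an added example, not part of the original article; the 900 km/h limit, the 50 km geolocation tolerance, the coordinates, and the sample events are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # assumed limit: about airliner cruising speed
MIN_DISTANCE_KM = 50.0   # assumed tolerance for IP-geolocation error


@dataclass(frozen=True)
class AuthEvent:
    user: str
    when: datetime
    lat: float
    lon: float


def haversine_km(a: AuthEvent, b: AuthEvent) -> float:
    """Great-circle distance between the locations of two events."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat = p2 - p1
    dlon = math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def implausible_travel(prev: AuthEvent, cur: AuthEvent) -> bool:
    """True when the user could not have moved between the two locations in time."""
    dist = haversine_km(prev, cur)
    if dist < MIN_DISTANCE_KM:
        return False          # same metro area: geolocation noise, not travel
    hours = abs((cur.when - prev.when).total_seconds()) / 3600.0
    if hours == 0:
        return True           # simultaneous requests from distant places
    return dist / hours > MAX_SPEED_KMH


def flag_events(events):
    """Return the events that are unreachable from the same user's previous event."""
    last_seen = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None and implausible_travel(prev, ev):
            flagged.append(ev)
        last_seen[ev.user] = ev
    return flagged


# Constructed sample events (not real log data).
T0 = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
SAN_JOSE = (37.3382, -121.8863)
MADRID = (40.4168, -3.7038)
SAN_FRANCISCO = (37.7749, -122.4194)
SAMPLE_EVENTS = [
    AuthEvent("alice", T0, *SAN_JOSE),
    AuthEvent("alice", T0 + timedelta(minutes=15), *MADRID),      # the article's case
    AuthEvent("bob", T0, *SAN_JOSE),
    AuthEvent("bob", T0 + timedelta(hours=2), *SAN_FRANCISCO),    # ordinary commute
    AuthEvent("carol", T0, *MADRID),
    AuthEvent("carol", T0 + timedelta(hours=14), *SAN_JOSE),      # plausible flight
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print(f"suspicious: {ev.user} at {ev.when.isoformat()} ({ev.lat}, {ev.lon})")
```
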

To enable these five factors of authentication, the following five types of tokens are typically used: 

    1. Security (or hardware-based) tokens: Security tokens are key fobs or USB devices that generate an OTP when connected to the device that needs to be accessed.
    2. Soft tokens: Soft tokens are software-generated codes that enable authentication. An example is the time-based OTP (TOTP) algorithm that generates a time-bound OTP, restricting the usage of expired tokens.
    3. Biometric tokens: These tokens are generated by devices that can read and process unique bodily identifiers such as fingerprints.
    4. GPS tokens: These tokens are generated by the location of the user.
    5. Mobile phone-based tokens: These usually work in tandem with soft tokens. Generated soft tokens are communicated to the user through a phone call or text message. 

It is important to note here that each authentication factor in an organization’s MFA system must be mutually exclusive. This means that if the authentication is successful by one factor, it shouldn’t automatically lead to entry at the second level too.

Top 10 Best Practices for Managing Multi-Factor Authentication

So far, we have seen everything about multi-factor authentication and how every organization must integrate it within their identity management solutions. Now let’s move on to the best practices that go into maintaining a well-oiled MFA system.

1. Create a multi-factor authentication plan for the organization

When it comes to creating an MFA plan, it is crucial to set the scope and budget of the implementation right at the beginning. Organizations need to ask themselves the following questions:

    • Which applications and services require MFA?
    • How much of it will be customer-facing? 
    • How much will be employee-facing? 
    • What authentication tokens do users have access to?

A good MFA plan strives to create an optimal balance between cost, usability, and security. Customers will drop off if MFA comes at the cost of a smooth user experience. Employee productivity can take a hit if they spend most of their time authenticating themselves. 

As discussed, MFAs use a combination of different factors such as knowledge, possession, and inherence. Each stage of authentication must be a combination of tokens that cover two or more of these factors. For example, authenticating the user with a password and a security question are both based on the user’s knowledge. This isn’t really MFA. 

The MFA plan also needs to consider scenarios where a user, for instance, a traveling employee, may not have mobile coverage. If scenarios like this are common, investing in hardware tokens can be a viable solution.

2. Make authentication factors configurable

MFA must be configured with flexibility in mind. The number of authentication stages that a user undergoes can be based on risk factors and the context of the request.

For example, GitHub offers either plain password login or TOTP-based 2FA. If the codebase stored by the user is a publicly available repository with low organizational risk, 2FA is not required. But for a private codebase that is accessed across multiple teams in the organization, using the second level of time-based OTP makes sense.

Advanced MFA implementations tout context-based factor decisions. For example, if an authentication request comes from a known device within a safe network, then the second authentication stage may not be required. But if a request comes during off-hours from atypical locations, then multiple factors of authentication make sense. Context, in this sense, refers to location, legitimacy of the device, network where the authentication request originated from, time of the request, etc.
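The rule from the first practice (a password plus a security question is a single factor) and the context-based decision described here can be enforced together, as sketched below. This is an added example, not part of the original article or any product's API; the method names, the `Context` fields, the 9-to-5 working hours, and the thresholds are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Assumed mapping of authentication methods to the article's factor categories.
FACTOR_OF = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "totp_app": "possession",
    "sms_otp": "possession",
    "hardware_key": "possession",
    "smart_card": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}

WORK_START, WORK_END = time(9, 0), time(17, 0)  # assumed working hours


@dataclass(frozen=True)
class Context:
    known_device: bool
    trusted_network: bool
    usual_location: bool
    local_time: time


def required_factors(ctx: Context) -> int:
    """How many distinct factor categories this request must present."""
    in_hours = WORK_START <= ctx.local_time <= WORK_END
    if ctx.known_device and ctx.trusted_network and ctx.usual_location and in_hours:
        return 1      # known device on a safe network: no second stage
    if not in_hours and not ctx.usual_location:
        return 3      # off-hours from an atypical location: every category
    return 2


def factor_categories(methods):
    """Collapse verified methods into the set of categories they cover."""
    unknown = [m for m in methods if m not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unrecognised method(s): {unknown}")
    return {FACTOR_OF[m] for m in methods}


def decide(ctx: Context, verified_methods):
    """Return (allowed, detail); two methods of one category count once."""
    need = required_factors(ctx)
    have = factor_categories(verified_methods)
    if len(have) >= need:
        return True, f"{len(have)} of {need} required factor categories satisfied"
    missing = sorted(set(FACTOR_OF.values()) - have)
    return False, f"step-up required: add one of {missing}"


if __name__ == "__main__":
    new_device = Context(False, False, True, time(10, 30))
    print(decide(new_device, ["password", "security_question"]))
    print(decide(new_device, ["password", "totp_app"]))
```
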

3. Create a plan for lost PINs and forgotten passwords

Any organization should have a recovery plan to address lost or forgotten authentication tokens. Care must be taken to avoid recovery channels based on the same factor. For example, a ‘forgot password’ link is usually sent to the email. If there is an MFA in place and an OTP is sent to the same email ID, then anyone with access to the email account can gain access to the organization’s account as well. 

Lost devices, such as hardware keys or even mobile phones, also need to be addressed. Any current sessions on these devices need to be invalidated. Access rights need to be revoked, and if necessary, remote device memory wiping may also need to factor in.

4. Check for compatibility with the existing system

If your organization is already using OAuth standards, then MFA implementations must follow them. Similarly, if remote authentication dial-in user service (RADIUS) is the authentication protocol used in the organization’s network and VPNs, standards set by the protocol must be followed.

5. Provide multiple token generator options

It must always be assumed that the same set of tokens will not be accessible to the user at every given point in time. For instance, while verifying a YouTube account during creation, the user is presented with three options: a time-based OTP sent either as an email, an SMS, or a phone call. The user can choose one of these options based on the accessibility to each one. 

6. Keep compliance regulations in mind

MFA is mandated in certain industries based on the compliance regulations that they need to follow. One such example is the ‘Payment Card Industry’s Data Security Standard’. In some cases, MFA may not be overtly stated as a mandatory requirement, but the security standards that it does specify can be directly fulfilled by MFA. 

For example, Health Insurance Portability and Accountability Act (HIPAA) regulations do not call for MFA specifically, though they suggest that MFA implementation would help achieve the ‘HIPAA Security Rule’. Also, remember to maintain documentation of the MFA implementation to help with compliance audits.

7. Do not rely on SMS-based OTPs alone

A two-factor authentication implementation with an SMS-based OTP provides much better security than a one-factor authentication system with just a password. But this does not mean that it is hack-proof. SIM hijacking or SIM swapping is increasingly becoming a threat to these systems. 

This is done by scraping through a user’s social media entries, government-issued ID numbers, or even through a successful phishing attack. With all this user information in hand, the hacker proceeds to contact the mobile carrier to acquire a copy of the SIM. This gives them access to all mobile-based authentication tokens. 

Wherever possible, it would be prudent to set up biometric tokens or use the mobile’s native push notifications as token carriers. It is much more difficult for a hacker to access a phone’s notifications than the SIM.

8. Implement MFA along with supporting security tools

Enterprises typically use a myriad of services, each with its own user credentials. Since this means maintaining multiple passwords at once, password hygiene goes for a toss. This is why it makes sense to use other authentication mechanisms such as single sign-on (SSO). SSO eliminates the need for multiple passwords by redirecting to a single authentication framework.

Any app or cloud service that has been registered with the SSO framework is authenticated using these single credentials. Thus, combining the convenience of SSO with the security perks of MFA can improve the user experience. Another such security measure that MFA can be combined with is privilege-based access. 

9. Maintain a regular iteration plan and update when necessary

It isn’t enough to just do a one-time implementation and pull back when it comes to managing the MFA. With new hardware capabilities reaching the masses every few months, newer token options may need to be explored. 

User feedback systems need to be set in place, either through explicit feedback or using auditing tools. These auditing tools can give insights into adoption and use. For example, if users try to use an OTP multiple times and then abandon the authentication process, it means that the MFA plan needs to be revisited. 

The MFA plan also needs to be revisited and updated every time new services and functionalities are added.

10. Follow good IAM hygiene

MFA is usually built on top of identity directory services. Good identity hygiene includes frequently updating, deleting orphan accounts, and separating users by entitlements. In addition, good IAM provides support to the MFA system, making it more robust.

In conclusion

In 2020, four out of five data breaches reported were caused by weak or stolen passwords. A well-thought-out MFA implementation is the perfect solution to counter such breaches. Implementing a layered authentication approach of granting users access to an application, account, or device is the best way to go. 

What is inherence in multi

The inherence factor, in a security context, is a category of user authentication credentials consisting of elements that are integral to the individual in question, in the form of biometric data.

Which of the following are examples of inherence?

Inherence factors.

What are examples of multi

These factors include: Something you know, such as a password, passphrase or personal identification number (PIN) Something you have, such as a token or smartcard. Something you are, such as a biometric like a fingerprint.

What is inherence based authentication?

Inherence factors authenticate access credentials based on factors that are unique to the user. These include fingerprints, thumbprints, and palm or handprints. Voice and facial recognition and retina or iris scans are also types of inherent authentication factors.