
by Florian Riederer

Multifactor authentication (MFA) is widely recognized as one of the most secure methods of individual authentication. We are all increasingly being encouraged to use MFA in addition to basic passwords to protect our accounts. By combining two or more authentication factors (what the user knows, is, or has, or where the user is), MFA makes it more difficult for a bad actor to steal credentials or to break in through brute force. While MFA isn’t a cure-all for security issues, it does decrease the likelihood of unauthorized access significantly.

But which additional forms of authentication should we use? Do they differ in the protection they offer? Are some unnecessarily inconvenient? Let’s take a look at some of the most common options and break down their strengths and weaknesses.

 

1. Passwords

We all hate passwords. If they’re easy to use, they’re easy to crack. Coming up with a variety of hard-to-guess passwords that are still easy to use is a feat of creative ingenuity that I certainly have never managed. Be that as it may, passwords and PINs are, and will remain, the default knowledge check we use to verify our identities. Password managers help a lot and are increasingly an essential tool if we are all going to get serious about password best practices. However, it’s important to be aware of the risk they pose: while stored password data is encrypted, if your master password is compromised, then all of your stored credentials are compromised with it.

 

2. Transaction Authentication Number (TAN)

TANs are not a common authentication factor, although they have their uses. An example of authentication through possession, TANs work by giving the user a predetermined list of single-use codes. In early incarnations, this was a printed list physically handed to the user. For added security, indexed TANs require the codes to be used in a specific order on each access: repeating a code, or using a code further down the list, won’t grant access. Because the list is fixed in advance, TANs are relatively prone to social engineering and phishing attacks.
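As an added illustration (not code from the original article), the following Python models the server side of an indexed TAN sheet described above: codes are stored only as hashes, must be consumed strictly in order, and a position that has been used can never be accepted again. The sample sheet and the three-failure lockout are constructed assumptions for the example; real deployments choose their own policies. Note what the verifier cannot do: because every code on the sheet is fixed in advance, a code that has been captured (for instance by phishing) stays valid until the legitimate user reaches that position, which is the weakness the paragraph points at.

```python
import hashlib
import hmac
import secrets


class IndexedTanList:
    """Server-side state for one user's indexed TAN sheet (constructed example).

    Only SHA-256 hashes of the codes are kept; the plaintext list is printed
    once and handed to the user. Codes must be used strictly in order, and a
    position that has been consumed is never accepted again.
    """

    MAX_FAILURES = 3  # assumed policy: lock the sheet after this many wrong codes in a row

    def __init__(self, tans):
        self._hashes = [hashlib.sha256(t.encode()).digest() for t in tans]
        self._next_position = 1   # 1-based, matching the numbers printed on the sheet
        self._failures = 0
        self.locked = False

    @property
    def next_position(self):
        return self._next_position

    def remaining(self):
        return len(self._hashes) - (self._next_position - 1)

    def verify(self, position, code):
        """Return True and consume the slot if `code` is the TAN at the next position."""
        if self.locked or self.remaining() == 0:
            return False
        # Indexed-TAN rule: only the next position is valid. An earlier (already
        # used) or later (skipped-ahead) position is rejected outright and does
        # not consume anything or count as a failed attempt.
        if position != self._next_position:
            return False
        expected = self._hashes[position - 1]
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(supplied, expected):
            self._failures += 1
            self.locked = self._failures >= self.MAX_FAILURES
            return False
        self._failures = 0
        self._next_position += 1   # single use: this slot can never be accepted again
        return True


def generate_tan_sheet(count=10, digits=6):
    """Create a fresh sheet of random numeric TANs (what would be printed for the user)."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


# Constructed sample sheet, standing in for a printed list handed to the user.
SAMPLE_SHEET = ["493021", "117584", "902346", "615077"]

if __name__ == "__main__":
    sheet = IndexedTanList(SAMPLE_SHEET)
    print("skip ahead to position 3:", sheet.verify(3, "902346"))  # False
    print("position 1:", sheet.verify(1, "493021"))               # True
    print("reuse position 1:", sheet.verify(1, "493021"))         # False
    print("remaining codes:", sheet.remaining())                  # 3
```

The hashes-only storage means a leak of the server record does not reveal the sheet, and the constant-time comparison avoids leaking which digits matched; neither helps if the user reads a code to a caller pretending to be the bank.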

 

3. Security Questions

Security questions are often presented as a “what the user is” factor of authentication, but they really aren’t. Like passwords, they are a knowledge check, and they are usually much more vulnerable to guesswork and investigation. They’re usually reserved as an emergency backup for a forgotten password; they do provide some protection, but are far from ideal.

 

4. One-time Passwords

OTPs function similarly to TANs. They are a form of authentication through what the user has: a phone number, an email address, or an authenticator app. Because OTPs are generated uniquely each time an access request is sent, they avoid the phishing vulnerability inherent to TANs. Assuming that the connection to mobile services or the internet is stable, they are also a quick and efficient way to confirm a user’s credentials.

 

5. Biometrics

Biometrics are generally only as good as the technology employed to read them. If a facial recognition program decides that a stranger with only the faintest resemblance to you is you, it is clearly not offering strong protection. Thankfully, the algorithms used for facial and fingerprint recognition on our cell phones have improved rapidly. Similarly, much more effective biometric tools are available for access to highly sensitive locations and systems where they are necessary. We rarely need to worry that a threat actor looking for an easy buck is going to pull a Mission: Impossible on us.

 

MFA is here to stay as a central part of our approach to security. It’s one of the aspects of our security protocols that average users, not invested in security, will have to interact with on a regular basis. Therefore, it is worthwhile to be certain that our MFA processes are maximally effective at providing security while limiting disruption. If you would like to learn more about how Atlantic Data Security can change your organization’s current security posture, we encourage you to reach out today: info@atlanticdatasecurity.com
