Multi-factor authentication is being touted as a “silver bullet” to protect against breaches, which have littered the news over the past couple of years. No companies are considered safe, and even entities perceived to be bulletproof, such as RSA, Sony and Google have fallen foul of cyber crooks.
Single factor authentication has been around since we started using computers. The most common example is something you know, such as the password on your account. Other factors that may be used for authentication would be something you possess, such as an ID card, or something that is uniquely part of you – such as your fingerprint.
Implementing multi-factor authentication requires that a user’s identity is authenticated by the use of at least two of these three factors.
Now, many well-known Web sites are jumping on the bandwagon, and introducing multi-factor authentication as an extra layer of security, says Richard Firth, serial entrepreneur and CEO of MIP.
“In fact, nearly all financial institutions use multi-factor authentication as a default, making it compulsory for any clients wishing to use online services.”
However, he says many other types of businesses are introducing it too, as a means of protecting their users’ accounts.
“Microsoft, Apple, Google, Facebook and more recently, Twitter, have all adopted multi-factor authentication.”
He describes multi-factor authentication as an extra layer of security, or a process in which two or more means of authentication are used to verify one’s identity.
“Typically, one factor will be something that is remembered such as a password, and another factor will be a physical item of some sort, such as a bank card. A perfect example of this would be a bank card and its PIN code.”
He cites as another example a one-time password (OTP) that is generated in conjunction with an online service when the user logs in with a username and a password. “To complete the transaction, an OTP needs to be entered, and is sent via SMS to the user.” The OTP is evidence that you have your physical item – which is your cell phone.
Firth believes multi-factor authentication is a highly useful weapon in the war against identity theft, phishing and other online fraud, as a password is no longer enough.
“It also completely prevents brute force password hacking, whereby a hacker, either manually or using an automated tool, overpowers the computer’s defences by using repetition, and recombining thousands of words in thousands of different combinations.”
He says this is particularly effective, as most people choose shockingly weak passwords, such as date of birth, or children’s names, as they are easy to remember. “Cracking these passwords is child’s play, but with added authentication, a hacker cannot access your system or private data. At most, he might be able to crack your password, but OTPs or tokens only remain valid for a short time.”
However, he adds that some companies have still not implemented multi-factor authentication, even though it may look like they have at first glance.
“For example, one of the big banks requires a login (identity), a PIN (something you know) and a password (another something you know) in order to login to its Internet banking site. This is not multi-factor authentication, as this bank is using the same type of factor twice, and only brings a second factor (OTP – something you possess) into play when you try to make a payment to an external party.”
The BYOD trend has also raised many security concerns, says Firth. “With many staff members working on the go, from abroad or from home, multi-factor authentication means that only legitimate employees can access the company’s database and network.”
However, Firth stresses that multi-factor authentication is not infallible. “A man-in-the-middle attack would be able to bypass the authentication by fooling a victim into visiting a fraudulent Web site.
“Since these attackers are extremely clever, the fake site would defy all but the closest scrutiny, and the user might well enter their logins believing it to be genuine. The crook could then use these details on the genuine site, which sends an OTP. The user could then enter this password onto the fake Web site, and the attacker onto the legitimate one.”
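The relay Firth describes works because an OTP carries no information about which site it was typed into. The standard defence, which the article does not mention, is to bind the second factor to the origin the user is actually talking to: the device signs the challenge together with that origin, and the genuine site accepts only signatures made over its own name. This is the principle behind phishing-resistant hardware authenticators. The simulation below is an added example, not code from the article or from MIP; the class names, the origins bank.example and bank-login.example, and the use of a shared symmetric key (real deployments use a per-site key pair) are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Hypothetical user-side device. It never reveals its key and only signs
    a challenge together with the origin that actually presented it."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        return hmac.new(self.key, origin.encode() + b"\x00" + challenge,
                        hashlib.sha256).digest()


class OriginBoundServer:
    """Hypothetical genuine site. Shares the device key (a symmetric
    simplification of the real public-key design) and accepts only
    signatures computed over its own origin and an outstanding challenge."""

    def __init__(self, origin: str, device_key: bytes) -> None:
        self.origin = origin
        self.device_key = device_key
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        if challenge not in self.pending:
            return False                     # unknown or already used
        self.pending.discard(challenge)      # each challenge is single use
        expected = hmac.new(self.device_key,
                            self.origin.encode() + b"\x00" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login_flow(origin_seen_by_user: str, genuine_origin: str = "bank.example") -> bool:
    """Simulate the article's scenario: the genuine site issues a challenge,
    whoever sits between the user and the site forwards it unchanged, and the
    user's device signs it for the origin it is actually talking to. The
    response then goes back to the genuine site for verification."""
    device = Authenticator()
    server = OriginBoundServer(genuine_origin, device.key)
    challenge = server.new_challenge()
    response = device.sign(origin_seen_by_user, challenge)
    return server.verify(challenge, response)


if __name__ == "__main__":
    print("user on the genuine site:   ", login_flow("bank.example"))        # True
    print("user on a look-alike site:  ", login_flow("bank-login.example"))  # False
```

Because the origin is part of the signed message, a response produced on a look-alike site fails at the genuine one even though the challenge itself was forwarded correctly, which is exactly the step that a plain SMS OTP cannot protect against.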
He adds that when he recently booked a cheap flight on Kulula, he was provided an EFT payment option which raised similar concerns for him.
“At the end of the booking process, the Web site automatically took me to a banking site to input my banking details including user name and password. We need to realise that one should never put this information into any Web site unless you have directly gone to the bank’s Web site.
“Kulula is trying to simplify its internal processes, but placing consumers at massive risk of Internet attacks or harmful requests for banking details. I think the banks should not allow this business behaviour.”
He says users should always be aware that any third-party authentication technology relies entirely on the vendor or mobile network provider and on the security measures and protocols they have implemented. Ultimately, users also need to be educated on security and on the tools available, and the security measures themselves must balance security with ease of use, or users will be put off using them.
Firth suggests that implementing all three factors for authentication might be the way forward. “Something you remember, such as a password, something that you possess, such as your cell phone which received the OTP, and something that is part of you, such as a fingerprint or retina scan. These sorts of measures would be very difficult to hack, but remember, a determined hacker will always find a way in.”