Having a strong, unique password will keep you safe enough, right? Not exactly. In a world where your passwords could get stolen in the blink of an eye, having an extra layer of protection can be more than worthwhile. Interested in taking the next step in keeping your accounts safe? Keep reading!
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (or MFA for short) is the practice of using more than one “factor” or medium to prove who you are, usually when logging into a website. These factors are usually broken down into three categories:
- Something you know – these are secrets kept in your head, and hopefully not on a sticky note on your desk. These include passwords and PINs (personal identification numbers).
- Something you have – these are physical objects that have a unique identifier or other property such that they can’t be reproduced. These include key fobs, smart cards, and smart phones (well, kind of, more on that later).
- Something you are – this is the biometric factor unique(ish) to only you, and can include fingerprints, retina patterns, your face, palm veins, and your voice.
You might be most familiar with authentication whenever you log on to a website or a computer using a username and password. Even though you’re entering two pieces of information, this is an example of single-factor authentication. Why? Your username identifies you, but your password is the secret you provide to prove you are who you say you are. Said another way, identification is not the same as authentication. The distinction might seem trivial, but it matters in this context.
It’s important to note here that re-using the same factor multiple times is not multi-factor authentication. For example, if you’re asked to enter a password and then asked to answer a security question, you’re only using one factor twice – two things that you know. The same thing goes for providing some piece of information about you for authentication, such as an address or your mother’s maiden name. What’s worse is when you’re asked to provide your Social Security Number for authentication; SSNs were originally intended to only be identifiers and not some secret you have to share with way too many entities.
I see this misconception about pseudo-MFA exercised in lots of places, including bank and credit card websites. Even in a post-Equifax-hack world, many websites and services still revolve around single-factor, knowledge-based authentication, which is a bummer. Unfortunately, in some situations (like setting up a new account, applying for credit, etc.), there’s not really a great framework available yet for something other than knowledge-based authentication. This is also a bummer, but is being worked on.
Why Do I Need Multi-Factor Authentication?
As mentioned in the intro, having just a password probably isn’t enough to keep your account as safe as you would hope. Why? Passwords are secrets, and secrets can get leaked in A LOT of ways, including: bad website or app design, malware, keyloggers, phishing, shoulder surfing, bad practices (ahem, shred those sticky notes), and in some cases, plain-old guessing. These are just a few examples; the “what could go wrong” list could be way longer.
In this day and age, single-factor, knowledge-based authentication just isn’t good enough [1].
What Are My Options?
As mentioned above, you have a few options: something you know, something you have, and something you are. For most websites, you’ll probably be limited to something you know (a password), and something you have (a cell phone, key fob, or U2F token). In terms of actual MFA, most consumers probably won’t deal too much with biometric second factors.
Something you know: Password hygiene and management is another topic altogether, but in general, you should be creating strong, unique passwords. This means that your passwords should be:
- as long as possible (or at least 10-16 characters);
- composed of multiple character types (a mix of upper/lower case letters, numbers, and symbols);
- unique to each website or service you use (meaning your password for bank account should be different than your email account);
- unique from one another (“MyP@ssw0rd1” on your email would lead some bad actor to guess that your bank account password might be “MyP@ssw0rd2”, or something similar); and
- hard to guess (don’t use your name, the name of the website you’re logging into, your pet’s or kid’s name, your username, or only common words from the dictionary in your password).
Something you have: This is where things start to get fun! Many contemporary websites, apps, or services will support some or all of the following options:
- SMS (text message) or phone-based tokens: This is one of the most common MFA implementations, and for a lot of people, one of the easiest to set up and use. When you use this option and log in to your website or service, the service provider will send you a text message or call you with a one-time-use code that you will enter on your screen. This is definitely better than single-factor authentication. Unfortunately, text messages [2] and cell phone accounts [3] aren’t 100% secure, and this method has been largely discouraged from use [4]. Shortcomings aside, this MFA option is better than nothing.
- Hardware (key fob) tokens: With this option, you use a piece of hardware to generate a short-lived code that’s entered into the log-on page with your username and password. The “hardware token” is usually a small device you can keep on your physical keychain, similar to the key fob for most cars. These battery-powered tokens usually have a small screen and a button; when the button is pressed, a number should appear on the token’s screen. Without getting into the details of the inner workings, the tokens use an internal clock, a pre-set secret string of characters, and some math to generate these short-lived codes.
This option is sometimes seen in enterprises, but can cause some headaches, especially if the internal clock in the token falls out of sync. Hardware tokens can get expensive, and if your battery dies or you lose your fob, you’re out of luck. One definite benefit with this option is security compared to text messages – it’s pretty difficult to remotely intercept messages from your hand to your eye. RSA’s SecurID line of products are a well-known example of hardware tokens.
- App-based code generators: These apps work similarly to hardware/keyfob tokens. Instead of using a single piece of hardware, the app handles the math to generate your codes, and your phone keeps track of what time it is. When you log on to a site and use this option, you’ll need to open your app and type in the code on your screen. Similar to key fobs, losing the device the app is installed on can mean that you’re locked out.
App-based code generators are a good happy medium right now. Many MFA-friendly sites are compatible with the plethora of options available, and even though mobile devices are far from impervious, compromising an individual device can be a lot harder for bad actors than getting access to your cell phone account. Some example apps include Lastpass Authenticator, Authy, and Google Authenticator (each offering their own unique features).
- Interactive apps: A relatively new option, some smart device apps offer interactive features that make MFA less of a manual process at the surface level. After setting up one of these apps on your smart phone and website, you’ll be prompted with a notification asking you to approve/deny any authentication attempts made with your account. One benefit is the ease of use; using these apps can make signing in a breeze and some offer support for lost devices or syncing with multiple phones.
Two major drawbacks are trust and availability. The app provider is acting as a third party that allows or denies your logon attempts, meaning that a disreputable provider could (theoretically) allow bad actors access to your protected accounts, if the bad actor also knew your password. If the app provider’s service is down (or you’re without Internet access), then you may also be locked out. Fortunately, most of these apps also allow you to use the app as a token generator as a backup.
Because of the reliance on an outside entity and costs associated with running this kind of service, there’s relatively little adoption of these kinds of services outside of enterprise or corporate environments. Examples include Duo, which offers services geared towards enterprises, and the Microsoft Authenticator app (when used with Microsoft accounts).
- Smart cards: These are almost exclusively used by large enterprises and government/military entities. Smart cards, sometimes referred to as common access cards (or, redundantly, “CAC Cards”) [5] have an embedded chip that’s read and validated by special-purpose hardware.
- U2F devices: The U2F, or “Universal 2nd Factor”, standard is one of the newest MFA options available. These devices work similarly to smart cards, except instead of requiring a specialized reader, these tokens are inserted into USB or other ports. Since the standard is still fairly new, it’s not as widely accepted as code-generating apps or fobs. Some of the better examples of U2F hardware include offerings from Yubico[6], which assisted in developing the standard along with Google[7]. If the websites you’re going to be protecting accept U2F devices, they may be a worthwhile option for you.
Something you are: Most consumers probably won’t need to worry about using biometrics for true multi-factor authentication, but this section is important as more and more devices support the use of fingerprint and facial scans in place of passwords (making biometrics your single authentication factor).
These options can be a little tricky, especially when talking about the hardware involved. With passwords, fobs, and short-lived codes, it’s pretty easy for a system to know if what you’re entering is correct or not. When it comes to reading fingerprints, faces, retinas, etc., there’s a lot more guesswork involved (relatively speaking). Biometric scanners have to process a lot of information, and for a number of reasons, don’t always get it right.
Ever get pruny fingers after washing the dishes? How about a speck of dust or some “surprise” grime on your camera lens? Confounding variables like these could render some biometric scanners unusable. It’s for this reason that biometric scanners have tolerances in the scans they take, and simply put, can use a close-enough scan as an accepted reading. This is why you have to scan your fingerprint A LOT when you set up your fingerprint on your phone. This fuzzy comparison can lead to cases of false acceptance and false rejection. In the case of false acceptance, a reading is marked as “OK” when it shouldn’t have been (e.g. a stranger unlocking your cell phone with their thumb). Similarly, false rejection happens when a reading is marked as “not OK” when it should have been (e.g. having to wait for your hands to dry before unlocking your phone).
The false acceptance and false rejection rates can make or break a biometric system, and the direction in which these systems err varies depending on how they’re used. For example, it might be OK for an amusement park that uses a palm vein scanner to err on the side of false acceptance and allow someone who didn’t buy a season pass in, but a highly secured vault would probably err on the side of false rejection.
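The tolerance described above is a threshold on a match score, and moving it trades false acceptance against false rejection. The following is an added example, not from the original post: the match scores are constructed (a real scanner’s scores come from its own matching algorithm), and the two policies correspond to the amusement park and the vault.

```python
# Constructed match scores in [0, 1]: how closely a scan resembled the
# enrolled template. Higher means a closer match.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.71, 0.83, 0.60, 0.90, 0.77, 0.69, 0.81]
IMPOSTOR_SCORES = [0.35, 0.52, 0.41, 0.66, 0.30, 0.58, 0.73, 0.45]

# Candidate tolerances, 0.00 .. 1.00 in steps of 0.01.
THRESHOLDS = [round(i / 100, 2) for i in range(101)]


def rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (false acceptance rate, false rejection rate) when a scan is
    accepted if and only if its score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # strangers let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # owner turned away
    return far, frr


def pick_threshold(policy, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Choose the tolerance for a deployment policy.

    'convenience' (amusement park): never turn away a legitimate user, and
      within that constraint pick the tightest threshold to limit strangers.
    'security' (vault): never let an impostor in, and within that constraint
      pick the loosest threshold to limit how often the owner is rejected.
    """
    if policy == "convenience":
        ok = [t for t in THRESHOLDS if rates(t, genuine, impostor)[1] == 0.0]
        return max(ok)
    if policy == "security":
        ok = [t for t in THRESHOLDS if rates(t, genuine, impostor)[0] == 0.0]
        return min(ok)
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    for policy in ("convenience", "security"):
        t = pick_threshold(policy)
        far, frr = rates(t)
        print(f"{policy:12s} threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
```

Raising the threshold pushes FAR down and FRR up; the two policies simply choose which error the operator is willing to live with.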
What MFA options are right for me?
The “best” MFA options for you depend on a few factors (no pun intended). Compatibility with the services or resources you’re using will likely be the biggest limiting factor. Beyond that, consider the degree to which the service needs to be protected, and consider the tradeoff between protection and convenience/availability. If you’re looking to protect your junk or alternate email account that’s not tied to anything important, maybe SMS-based MFA will work just fine. If, on the other hand, you’re trying to keep your bank account or your main email address locked down tight, then it might be worth investing in a couple of U2F devices (two is one, and one is none).
Keep your individual risk appetite in mind as you look at the below list. I’ve ranked what I believe to be some of the more common MFA options based on service/website support, cost, ease of use, and how much security “value” I believe they provide.
- app-based generators
- interactive apps
- U2F, hardware fobs, and smart cards
- phone and SMS codes
How Do I Set Up MFA?
This really, really depends on which websites or services you’re using. Searching for “Service_name multifactor authentication set up” is a great start towards getting the information you need to help protect your individual accounts. If you find that the website you want to protect (let’s say, your bank) doesn’t support MFA, reach out, make your voice heard, and see what’s on their roadmap!
The TL;DR (Summary)
Your passwords and basic “recovery question” information can get stolen pretty easily nowadays. MFA, or “multi-factor authentication”, can help reduce the impact of credential breaches and keep your accounts safer. Using MFA means that you are using at least two different methods to prove you are who you are when you log in. There are three kinds of ways to prove who you are: something you know, something you have, and something you are. App-based code generators are a pretty good place to start using MFA, while text messages aren’t quite as good. Either way, adding some kind of MFA is better than just relying on a single password.
References
[1] https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
[2] https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin
[3] https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html
[4] https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
[5] http://www.cac.mil/common-access-card/