Multifactor Authentication Solutions and Their Classifications
By Enterprise Security Magazine | Friday, November 30, 2018
Multifactor authentication (MFA) was designed to keep users' credentials protected, but no MFA method provides 100 percent security, and each has its own strengths and weaknesses. MFA methods safeguard and simplify password management by adding at least one extra authentication factor beyond a plain password. As credential theft becomes more prominent, many MFA solutions have flooded the market. But the main question is: are all MFA solutions equally effective?
Here are multiple forms and approaches to MFA.
SMS - One Time Passwords (OTPs):
SMS authentication is based on a four- or six-digit code being sent to the user's phone. It seems secure, but there are many proven ways to defeat an SMS OTP. For example, the news and entertainment website Reddit was breached in mid-June 2018 by means of an SMS intercept. Reddit responded quickly to the breach and took proper steps to protect the information, but this shows that SMS authentication is not totally secure. An experienced attacker can exploit cellular network vulnerabilities or install malware on the victim's phone to redirect the SMS code to their own phone. As a matter of fact, the US standards-setting agency NIST deprecated SMS authentication in 2016, indicating that it is no longer secure.
Hardware tokens:
This is one of the oldest MFA methods. It requires a key fob, a small hardware device with built-in authentication that displays time-based OTPs. The hardware protects the internal unique key, but there are pitfalls. These tokens are portable but need to be carried around all the time; they are expensive, require logistics and must be replaced in a timely fashion. Some tokens require a USB connection, which can be problematic if you need to authenticate from a phone or tablet.
Mobile tokens:
Mobile tokens are similar to hardware tokens but run as a mobile app. All they need is a smartphone, but the activation process is where things get tricky. It is highly advised not to use Google Authenticator for all keys and credentials, because anyone who obtains a copy of the activation QR code (which encodes the token's secret seed) will have a working copy of your token.
Push-based authentication tokens:
Secure push technology is gaining popularity because of its improved usability. It is an evolved version of mobile tokens and SMS. Instead of delivering an OTP like an SMS, push technology delivers an encrypted message that can only be opened by a specific app on the user's phone. If the login attempt is genuine, the user can approve or deny the authentication. After approval, a unique OTP is generated on the user's phone and sent back for verification. Other MFA solutions skip this step and increase the risk of a push approval message being mimicked.
QR code-based authentication token:
QR code-based authentication does not need a data connection to work. The user scans the QR code on the screen with the authenticator app, and the app then generates an OTP locally from the unique key, the time and the contextual information. The smooth user experience of push-based and QR code-based tokens is making these MFA solutions popular. If the login process is slow, people might switch to a more risk-prone method.
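What distinguishes the push-based and QR code-based tokens described above from plain TOTP is that the code is bound to the login attempt, so an approval or code produced for one attempt is useless for another. The following added example (not the article's or any vendor's scheme, but a simple HMAC-SHA256 construction over the shared key, the 30-second time step and the login context the app scanned from the QR code) shows that binding; the key and the two login attempts are constructed sample values.

```python
"""Context-bound OTP: key + time step + login context.

Added illustration only; not a published standard or a vendor's algorithm.
"""
import hashlib
import hmac
import json
import struct

STEP = 30
DIGITS = 6


def context_code(key: bytes, at: int, context: dict) -> str:
    """Derive the OTP from the key, the time step and a canonical encoding of the context."""
    canonical = json.dumps(context, sort_keys=True, separators=(",", ":")).encode()
    msg = struct.pack(">Q", at // STEP) + canonical
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


def verify_context_code(key: bytes, code: str, at: int, context: dict, window: int = 1) -> bool:
    """The server recomputes the code for the context it issued; adjacent steps cover clock drift."""
    return any(
        hmac.compare_digest(context_code(key, at + STEP * d, context), code)
        for d in range(-window, window + 1)
    )


# Constructed sample values: the key shared at enrollment and two distinct login attempts.
KEY = b"example-shared-key-from-enrollment"
ATTEMPT_GENUINE = {"user": "alice", "challenge": "c1", "origin": "https://app.example"}
ATTEMPT_OTHER = {"user": "alice", "challenge": "c2", "origin": "https://app.example"}


def code_is_bound_to_attempt(at: int) -> bool:
    """A code the user produced for the genuine attempt does not validate a different attempt."""
    code = context_code(KEY, at, ATTEMPT_GENUINE)
    accepted_for_own = verify_context_code(KEY, code, at, ATTEMPT_GENUINE)
    accepted_for_other = verify_context_code(KEY, code, at, ATTEMPT_OTHER)
    return accepted_for_own and not accepted_for_other


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("code for genuine attempt:", context_code(KEY, now, ATTEMPT_GENUINE))
    print("bound to that attempt only:", code_is_bound_to_attempt(now))
```

Because the challenge identifier and origin are part of the MAC input, a mimicked prompt for a different attempt yields a code the server will not accept, which is the property the article credits to push and QR code tokens and finds missing in solutions that skip the per-attempt OTP.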