
Implementing Multi-Factor Authentication
Implementing Multi-Factor Authentication (MFA) is a great way to improve the security of your business and sign-in processes – here’s how it works:
Multi-Factor Authentication (sometimes called Two-Factor Authentication or 2FA) is a security protocol that requires users to provide two or more forms of identification before accessing a system or network. This method of authentication provides an additional layer of security beyond a traditional username and password, making it more difficult for hackers to gain access to sensitive information.
Passwordless solutions are more secure still, removing the need for a user-reliant password entirely. However, the increased security carries additional cost and complexity and, as such, is something I’ll discuss in a future article.

Short Message Service (SMS) Authentication
SMS authentication is probably the easiest to implement. When the user attempts to sign into a service, the system generates a One-Time Password (OTP) and sends it, via text message, to the user’s phone. Passwords created this way can be time-based (typically valid for up to 240 seconds) or hash-based, in which case the password remains valid until a new one is requested. I will go into both algorithms shortly.
SMS authentication is better than just a password and will deter most attacks; however, it is vulnerable to several sophisticated attacks from a determined bad actor, for example SIM swapping (convincing the carrier to assign a new phone to a number) or a Signalling System 7 (SS7) attack to intercept the code.

Time-Based One-Time Passwords (TOTP)
TOTP generates a unique password every 30 seconds using a secret key shared between the user and the system (typically via an Authenticator app on the user’s mobile phone).
TOTP uses a variant of the HMAC-based One-Time Password (HOTP) algorithm, developed by the Initiative for Open Authentication (OATH). The HOTP algorithm feeds an incrementing counter into the HMAC (Hash-based Message Authentication Code) to generate a code which is valid until you actively request a new one. TOTP replaces the counter with a time-based value and generates a new password every 30 seconds.
TOTP is considered reasonably secure, but there are a couple of considerations. You must keep the shared secret key secured, as it could be used to generate identical passwords on several mobile apps. It’s also susceptible to time drift, where the time on the authenticating server and the time on the mobile app are sufficiently different to invalidate the password.
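
The counter-to-time substitution and the time-drift problem described above can be seen in a short sketch, added here as an illustration and not taken from the original article. The 6-digit code length, HMAC-SHA1, and the `drift_steps` and `last_step` parameters are assumptions; the secret is the published RFC 4226 test value, not a real key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step, as described in the text
DIGITS = 6   # assumed code length (the article does not state one)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by the time step."""
    return hotp(secret, unix_time // STEP)


def verify(secret, code, server_time, drift_steps=1, last_step=-1):
    """Return the matched time step, or None if the code is rejected.

    drift_steps: number of 30-second steps of clock drift to tolerate.
    last_step:   last step already accepted for this user, so a code
                 cannot be reused while it is still inside the window.
    """
    current = server_time // STEP
    matched = None
    for step in range(max(0, current - drift_steps), current + drift_steps + 1):
        candidate = hotp(secret, step).encode()
        # compare_digest keeps the comparison time independent of the digits
        if step > last_step and hmac.compare_digest(candidate, code.encode()):
            matched = step
    return matched


# Constructed sample input: the RFC 4226 test secret.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server_now = 59
    phone_code = totp(SECRET, server_now - 30)   # phone clock is 30 s slow
    print("code from phone     :", phone_code)
    print("no drift tolerance  :", verify(SECRET, phone_code, server_now, 0))
    print("one step of drift   :", verify(SECRET, phone_code, server_now, 1))
```

Each extra step of tolerance widens the period in which a captured code is still accepted, so the window is normally kept to one step either side.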

Push-based Authentication
Push-based authentication also requires a mobile device to authenticate a user. It’s a slicker process when compared to TOTP, as it replaces the need for a one-time password and instead simply requests the user’s approval for the access request.
The security of push-based authentication is based on the use of a secure communication channel between the system and the user’s mobile device. The communication channel is typically established using a secure protocol such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL). This ensures that the push notification is sent to the correct device and prevents man-in-the-middle attacks. It also utilises a unique identifier, such as a device token (generated during the registration process) tied to the specific device, ensuring that only the registered device can receive and approve the login request.

It is also worth considering certain things when looking into implementing multi-factor authentication.
All these authentication methods rely on the user’s mobile device (probably their phone), which brings both additional security benefits and risks. Mobile devices may be secured with a PIN or biometric authentication (improving protection) but are also subject to being lost, broken, or stolen, making it tricky to regain access to the account. Ultimately, recovery options often “work around” the MFA process, making the account susceptible to attack, but if the recovery options are disabled then regaining access to the account may be very time-consuming.
Almost as a result of the advice about length and complexity, people tend to use the same password everywhere, appended with an increasing number for enforced changes. This means a successful phishing attack (the most likely cause of a password discovery), even at an unrelated service (Facebook, for example), could lead to the compromise of your corporate network. MFA significantly improves your systems’ security posture and should be considered the minimum for keeping your business safe. So if you aren’t doing so currently, implementing multi-factor authentication should be explored in your business.