It is an undeniable fact that users tend to be the weakest link in IT security, due to human imperfection and easily compromised credentials. In fact, credentials are involved in 61% of data breaches and they increase the cost of a data breach by 23%. How can IT admins mitigate this risk? By implementing multi-factor authentication (MFA). MFA is an IT system’s first defense against security breaches, and is the lowest-hanging fruit for organizations with little to no security protocols in place.
For a more detailed look at why you should use multiple factors for authentication, check out part one of this series. For part two, we will dive into the different types of factors you can use to develop an MFA protocol that works for your organization.
What Is a Factor?
In the context of identity and access management (IAM), a factor is simply a type of authentication used to confirm someone’s identity. For example, when you log in to your email, you are providing an email address to establish your identity. Your password is then the factor used to authenticate your identity and grant you access to your inbox. The more factors layered onto a login process, the more robust the security—although IT admins must also balance this with user experience.
Three Most Common Types Of MFA Factors
The most commonly used MFA factors fall into one of three categories:
- Knowledge, aka something you know, such as a password or security question
- Possession, aka something you have, such as an SMS code or physical key
- Inherence, aka something you are, such as a fingerprint or face ID
Some would argue that there are a total of five categories of authentication factors, including Location, aka somewhere you are, and Behavior, aka something you do. Since these are less common forms of authentication—and often less secure—this article will focus on the three primary categories of MFA factors.
Knowledge Factors Are The Least Secure Authentication Factors
Password fatigue is real. In today’s tech-driven society, every single one of us manages multiple devices and accounts. This means multiple passwords, PINs, and answers to security questions, which are all examples of knowledge factors. What’s the easiest way to keep them all straight? Use the same ones across work and personal accounts.
The innate weakness of knowledge factors can be illustrated by this telling statistic: 91% of people understand the risk of reusing passwords, yet 61% still do it. The fear of forgetting “something you know” drives behavior more heavily than the fear of a hypothetical security breach. This is why IT admins need to step in with additional authentication factors.
Examples Of Possession Factors
Email & SMS Verification Codes
Verification codes sent via text or email are arguably the most widespread form of authentication. Unfortunately, they are also the least secure of the possession factors because they can be intercepted by malicious actors. Targeted attacks on mobile networks or email inboxes are easier to execute than we’d like to think.
Time-based, One-Time Passwords (TOTPs)
TOTPs are similar in concept to email and SMS verification codes, but they are more secure in practice. This is for two reasons:
- the code is produced directly on a device in the user’s possession, and
- the code adheres to a strict time limit before expiring.
With no third-party network involved and a very narrow time window, there is much less opportunity for a potential breach.
Push Notifications
Push notification factors are a more sophisticated version of TOTPs and can be easily implemented with mobile apps like JumpCloud Protect. Instead of inputting a time-sensitive code, the user just needs to accept the authentication request produced directly on their smartphone.
This factor is literally as easy as pressing a button and provides a better user experience than TOTPs. Additionally, push notification MFA incorporates another factor of security in a seamless way by requiring a user to authenticate to their phone with a PIN, fingerprint, or face ID.
Physical Security Keys
Physical security keys are a highly secure possession factor because they require the use of a physical piece of hardware. Hardware keys only pose a risk to security if they are lost or stolen from the user. Also known as universal second factor (U2F) keys, they can either be plugged directly into the login device for authentication, or used to generate a unique code as a variation of a TOTP.
Examples Of Inherence Factors
Unlike behavioral biometrics, physical biometrics cannot be changed by the user and are independent of any device. Physical biometric factors include:
- Facial recognition
- Voice recognition
- Iris or retina scans
In the context of authentication, the most common biometric factor is, of course, a fingerprint. While it is technically possible to fake this factor, it requires significant effort to do so and the technology of fingerprint scanners is continuously improving. Fingerprints are generally considered to be a very secure form of authentication, especially when combined with other factors.
Multi-Factor Authentication & Zero Trust
Currently, 78% of IT and IT security leaders don’t think their companies have sufficient cyberattack protection, and 91% of companies are increasing their cybersecurity budgets this year. In a business environment where cybercrime is on the rise and criminals can exploit anything from a weak password to a stolen device, IT administrators can’t afford to trust bare-minimum security.
In fact, admins shouldn’t trust anything without proper verification first. This is where Zero Trust security comes in. A Zero Trust model helps alleviate rising security concerns by establishing a protocol of verification before trust: trust nothing, verify everything. This is now considered a security best practice, especially for hybrid workplaces of both in-office and remote workers or “work from anywhere” organizations.
MFA is a key component of establishing a Zero Trust environment because it requires additional verification of the user’s identity on top of a password before trusting them with access to applications, devices, networks, and other resources.
Implement Multi-Factor Authentication with JumpCloud
JumpCloud’s Directory Platform makes it easy to layer MFA onto IT resources by unifying identity, access, and device management into a single cloud-based admin console. Admins can leverage a comprehensive view of their IT environment to enforce MFA, implement conditional access policies, and achieve compliance, all without disrupting their existing tech stack or employee experience.
To learn more about how JumpCloud can simplify the implementation of MFA in your own organization, check out our multi-factor authentication platform page.