There are more online user accounts per person than ever before, and all of those user accounts translate to more opportunities for account compromise. Unfortunately, even if the accounts are personal, they still pose a risk to your organization due to password reuse, which stems from the difficulties the average end user faces when asked to create multiple, unique and complex passwords for their (likely) hundreds of online personal and professional accounts. In short, every one of these online accounts can cause significant security issues for IT admins.
However, there are ways to protect accounts from weak, reused, or irresponsibly managed passwords, and one method in particular has gained considerable popularity across B2B and B2C accounts: multi-factor authentication (MFA, or also known as two-factor authentication / 2FA). This seemingly simple solution protects online resources better than even the most complex of passwords, but what exactly is multi-factor authentication? And how does it work, both from an IT admin’s and end user’s perspective?
After reading this three-part series, you’ll have an understanding of what is multi-factor authentication, why it’s needed, how it works, and how to implement it for any combination of onsite employees and remote employees.
What is Multi-Factor Authentication?
Often referred to as two-factor authentication (or 2FA), multi-factor authentication is a critical and vital tool in the fight against identity theft and unauthorized access to company resources. Multi-factor authentication (or MFA for short), adds a second or third (or more) factor to the login process for company resources (apps, services, servers, etc.).
Think of the most common factors for validating a person’s identity as the following:
- Something that you are: perhaps most foundational is identifying you by something you are. Ideally these are unique and non-changing attributes such as a fingerprint, face picture, retinal imprint, or even your speech or typing patterns. These are widely believed to be the most secure factor, but also difficult to operationalize, and then, of course, there are significant privacy concerns.
- Something that you know: this is unique knowledge to a person including such items as passwords, facts about your life, family history, and more. Historically, this is the most common form of online identification. It was easy to implement, store, and operationalize.
- Something that you have: an increasingly popular form of identification is to validate identity based on something that only the person may have. This could include a certificate or key (private key for example when discussing SSH key pairs). From a multi-factor authentication perspective this was popularized through a key fob that generated a token (pin or series of numbers). Today, something that you have can include your mobile phone.
Historically the most common online factor of user identification has been the password. As online security has become much more critical, IT experts have long advocated for strengthening that single factor as well as adding other factors to identify a person. In addition to using their password (which is the most popular first factor of authentication, often considered “something you know”), users must now have something else they enter or use to validate who they are; this often constitutes either “something you have” or “something you are” since these two factors are extremely difficult to spoof or access remotely as criminal hackers often need.
For example, a common MFA approach generates a token or code from a smartphone via an app such as Google Authenticator (ie something you have). The code is a randomly generated number tied to the system or application that the user is logging into.
Another similar method is called “push” where instead of entering a code or token from the smartphone, the user simply pushes a button to acknowledge the second factor check. There are a number of different techniques to generate a “second factor”, which are discussed later in this series. As interesting, many of these second factors are now being looked at for becoming combined first and second factors to create a passwordless experience for end users.
History of Multi-Factor Authentication
The first concept of a factored authentication system can actually be traced back to the Egyptians, who used a wooden pin lock to bar access to specific structures. When the key was inserted, pins hidden inside the fixture would lift out of drilled holes, allowing it to move. This is very similar to the current iteration of the lock and key, except it is now made with metals to be more durable.
By 1985, Kenneth Weiss, who founded Security Dynamics in 1984, invented and patented “an apparatus for the electronic generation and comparison of non-predictable codes.” His invention sparked the first concept of what came to be known as multi-factor authentication. Almost a decade later, he initiated the purchase of RSA Security, then a small encryption company working within the burgeoning ecommerce space. The SecureID product, built upon the RSA encryption algorithm developed by the founders of RSA Security, became one of the first enterprise-focused multi-factor authentication products and dominated for years.
While tokens, key fobs, and other MFA devices still exist, smartphones have since made it possible for users to authenticate their identities from virtually any location, keep their accounts more secure, and more easily log into accounts. Although organizations initially used multi-factor authentication for financial transactions or in highly secure situations, they’ve started to administer multi-factor authentication for both customer and employee user identities, independent of the purpose of the application in question, to keep valuable information secure.
The evolution of multi-factor authentication has allowed IT admins to keep sensitive data away from hackers’ encroaching threat while becoming a natural part of the login process for end users.
Why is Multi-Factor Authentication Needed?
When you allow a single set of credentials to play the only role in authentication, one compromised set is all an attacker needs to steal or manipulate company data. This is especially true if the account in question is a key account such as your email account that underpins many of your other accounts.
Inherent Weaknesses of Relying on Passwords
Individual passwords are simply not strong enough on their own to protect your company’s data and should never be enough for your most critical accounts such as email, banking, and more. Here are a few statistics as to why multi-factor authentication is so vital for safeguarding company resources:
- 92% of organizations have credentials for sale on the Dark Web
- 61% of people reuse the same or similar password everywhere
- “123456” and “password” were the top two password choices in 2018
- 81% of data breaches have been the result of weak or stolen passwords
Ultimately, there are two paths for IT departments to solve this issue. One is to train your users to leverage unique passwords on each site and use lengthy (and possibly complex) passwords, but implementing this strategy is difficult, and requires a lot of trust to be placed with your users. Many users will comply, but some will not, and those that don’t become the weakest link to your organization’s IT network.
Having good password hygiene is a critical security training item no matter what, but many IT admins cannot just rely on their users. And, to be fair, even if your end users do everything right, a breach on a key third party site still may render your passwords compromised – with no fault of your end users.
How MFA Bolsters the Security of Passwords
Adding a second factor makes it much significantly harder for malcontents to cause damage, since attackers now must have two objects in their possession to move forward with their actions. And, MFA is becoming more ubiquitous and easier to use, which creates less friction with end users. This makes multi-factor authentication attractive for organizations looking to boost their security policies without creating much additional overhead.
One other key point to add – many end users are now concerned about their online security and what it can mean to them, which means they are motivated to protect themselves and their accounts.
What are the Pros and Cons of Multi-Factor Authentication?
Multi-factor authentication isn’t perfect, as it requires additional overhead with user onboarding and system administration, so let’s consider the pros and cons of multi-factor authentication.
Pros of Using Multi-Factor Authentication
- Protects sensitive information: Users are the number one risk point for a network, so multi-factor authentication relieves user and IT admin anxiety by protecting data from falling into the hands of relentless hackers.
- Almost always secure: If a hacker has somehow acquired a user’s password to a system, they cannot gain access, as they do not have the second factor (which is generally in the user’s possession or something that they are).
- Don’t lose sleep over lost devices: Device-based multi-factor authentication (and paired with full-disk encryption) ensures that lost devices do not lead to compromised access or data.
Cons of Using Multi-Factor Authentication
- Added friction: If you don’t have access to the device or system to receive your second factor, and haven’t set up backup resources for authenticating user access, you cannot be granted access to a particular application or system.
- Can be expensive: Traditionally, multi-factor authentication can be quite expensive if an organization uses a solution that requires on-prem hardware and has to integrate with existing identity solutions.
- Time-consuming: The time needed to log in to your system and verify using a mobile device or token can be inconvenient.
- Inconsistencies: It is hard to implement multi-factor authentication across an entire organization, as it is often left up to the users to implement it fully. IT admins may not always have insight into an organization’s use of multi-factor authentication.
When implemented correctly, multi-factor authentication can significantly benefit IT security without adding much burden to the end-user.
Evaluate JumpCloud Free Today
If you’re new to JumpCloud and interested in learning more about the platform and how to achieve stronger security practices, evaluate JumpCloud today! JumpCloud Free grants new admins 10 systems and 10 users free to help evaluate with access to the complete platform Once you’ve created your organization, you’re also given 10 days of Premium 24×7 in-app chat support to help you with any questions or issues if they arise.