You’ve probably heard the term multi-factor authentication (MFA) before, and you know it’s a good thing, but how much do you really know about it? With all of the recent data breaches, there has been more talk than ever before about multi-factor authentication and what it can do to help reduce them. But that is on a large, nationwide scale, and MFA isn’t just for national corporations with hundreds of millions of dollars a year in sales and millions of customers. It’s as much for them as it is for the small merchant or restaurant with a location or two. It’s also for anyone who has an online account that requires a user name and password, merchant or not. And in today’s world, that includes just about everyone.
MFA is a vital function for any organization, as it secures access to corporate networks, protecting the identities of users and ensuring that those users are who they claim to be. It is called “multi-factor” authentication because it goes beyond just a user name and password to add another layer of protection to any secure account logon. Every time you enter a single password to access an account, like an email or financial account, or log on to a work computer, you are using a single factor of authentication. Usually it is suggested to use multiple upper and lower case letters combined with several special characters to come up with a strong, secure password. Unfortunately, even passwords like these can be hacked, regardless of how short or long they are. This is where MFA comes in. By adding factors beyond a single password, the account is far more difficult to hack, and therefore much more secure. Even if hackers figure out the password, the chances of them getting much further are lower with each successive factor employed. The more factors used to determine a user’s identity, the greater the trust in its authenticity, and the more secure the account becomes.
But beyond a password, what other kinds of authentication “factors” are there? Most experts describe three main categories of factors. They are:
- Something you know – this would be your password, PIN and/or answers to secret questions, with which everyone is familiar (single-factor authentication). Even if you are required to provide a user name, a password AND the answer to a secret question, it is still considered single-factor authentication, because they are all something you know.
- Something you have – this is something physical, like a one-time password generator, an employee ID card, a smartphone SIM card, or a token of some sort, often in the form of a smart card or key fob. The key here is that they are all physical objects (two-factor authentication [2FA]).
- Something you are – biometrics, which is essentially using a piece of you to authenticate your identity. They include various scans of your retina, iris, fingerprints or veins, facial or voice recognition, and even hand and earlobe geometry (three-factor authentication [3FA]).
Sometimes there are fourth and fifth factors as well, and they are location and time. Location can often be used to authenticate where the logon is taking place, as most smartphones have some sort of GPS within them. Similarly, time, which is also considered a fourth or sometimes even a fifth factor, works against some types of user account hijacking attacks. Both factors may be especially useful in preventing many types of online bank fraud. For example, a bank customer cannot physically use her ATM card in Detroit and then in Moscow 15 minutes later.
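The Detroit-to-Moscow example above is the basis of an “impossible travel” check that combines the location and time factors. The following is an added example, not code from the original article: it runs that check over constructed login events for one account, and the coordinates, timestamps and the 1,000 km/h speed threshold are all assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sample login events for one account (not from the original article).
# Coordinates are approximate city centres; timestamps are UTC.
LOGINS = [
    {"ts": "2024-05-01T12:00:00Z", "city": "Detroit", "lat": 42.3314, "lon": -83.0458},
    {"ts": "2024-05-01T12:15:00Z", "city": "Moscow",  "lat": 55.7558, "lon": 37.6173},
    {"ts": "2024-05-01T22:15:00Z", "city": "Moscow",  "lat": 55.7558, "lon": 37.6173},
]

# Assumed fastest plausible legitimate travel speed (roughly an airliner), in km/h.
MAX_SPEED_KMH = 1000.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0  # mean Earth radius, km
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each login with the previous one for the same account and flag
    pairs whose implied travel speed exceeds max_speed_kmh."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    flagged = []
    for prev, cur in zip(events, events[1:]):
        dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
        if hours > 0:
            speed = dist / hours
        else:
            # Identical timestamps: only a change of place is suspicious.
            speed = math.inf if dist > 0 else 0.0
        if speed > max_speed_kmh:
            flagged.append({"from": prev["city"], "to": cur["city"],
                            "km": round(dist), "minutes": round(hours * 60),
                            "kmh": round(speed)})
    return flagged

if __name__ == "__main__":
    for hit in impossible_travel(LOGINS):
        print(f"impossible travel: {hit['from']} -> {hit['to']}, "
              f"{hit['km']} km in {hit['minutes']} min ({hit['kmh']} km/h)")
```

The first pair (Detroit, then Moscow 15 minutes later) is flagged, while the later Moscow-to-Moscow login is not; in practice such a flag would trigger a step-up to an additional factor rather than an outright denial.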
When considering MFA, it’s important to review your organization’s needs to determine what will work best for you and your employees. A simple user name and password is likely not enough, but a second form of authentication may just do the trick. There are many excellent online sources that can help you determine what level of authentication to consider; TechTarget's Multi-Factor Authentication page is a good place to start. Whatever level of MFA you choose, your organization’s vital information will be more secure for it.