2FA or MFA (Two or Multi-Factor Authentication)
The two-factor (2FA) or multi-factor authentication (MFA) method uses two or more factors to authenticate a user. It is considered more secure than the conventional single-factor authentication method described in the previous article (Guide to Digital Identity — Part 2).
Due to the digital age, so much of our lives are happening on laptops and mobile devices, and cybercriminals often attack our digital accounts. 2FA or MFA forms an extra layer of protection to provide a more secure authentication process and helps in slowing down the rate of cybercrime.
Two authentication methods, step-up and adaptive authentication, both use 2FA or MFA. Let’s start by talking about them.
Step-Up Authentication: This method significantly lowers the risk of a hacker accessing your online accounts. It involves requesting a user to authenticate themself using the following factors during login:
- First to authenticate using something you know (password).
- Then to authenticate with a second factor via something you have (mobile phone, security key) or something you are (biometrics).
For example, a banking portal requires you to provide user id and password, and then to enter the OTP received on your registered mobile number. In this case, the OTP on your mobile number works as a second factor of authentication. Similarly, another 2FA factor can be used instead of OTP via SMS.
Adaptive Authentication: This method significantly secures users from the fraud in case of unusual account activity. It involves requesting a user to authenticate themself again based on the configured risk profile or the user’s tendency to use the application. It uses the something you have or something you are as the authentication factor.
For example, an e-commerce application might require a logged-in user to authenticate themself in the following scenarios:
- Multiple subsequent unsuccessful transaction requests (risk profile).
- Bulk order creation that costs a considerable amount (unusual account activity, i.e., the user never created a bulk order in the past).
Next, let’s talk about the popular types of 2FA or MFA used for Step-Up and Adaptive Authentication:
1. Security Key / Hardware Token
These are the physical devices given to authorized users of a computer system or service for authentication.
Hardware tokens are small-size portable devices that either store unique cryptographic keys or user biometric information. They can also refer to devices that display Personal Identification Number (PIN), which dynamically changes with a set frequency.
After connecting the hardware token to a laptop or mobile, you can use it for authentication in the following ways:
- The application reads the cryptographic key and authenticates you.
- You scan the fingerprint on the device for authentication.
- You enter the PIN displayed on the device for authentication.
This 2FA method can be useful when:
- Your targeted audience doesn’t have proper cell phone connectivity or internet on mobile to get an OTP or SMS.
- You do not want the users to use their mobile phones for authentication due to security reasons.
Advantages of hardware token-based 2FA:
- It does not require internet connectivity to generate tokens.
- Secure and reliable, as they are designed to perform one task.
Disadvantages of hardware token-based 2FA:
- Expensive to set up and maintain.
- Easily lost or misplaced.
2. OTP (SMS or Voice)
OTPs are generated on the server-side and sent to the user’s mobile number. OTP generation algorithms are used to create a random, unpredictable, and irreversible sequence of OTPs, which can be delivered via SMS or voice call. The user then enters the received OTP for the authentication.
This method can be useful when you want to utilize the user’s phone number for the 2FA, or your targeted audience doesn’t have the proper internet connectivity on their mobile devices.
Advantages of OTP-based 2FA:
- User-friendly, since it is based on SMS/voice call.
- Inexpensive to set up and maintain.
Disadvantages of OTP-based 2FA:
- Third parties can intercept SMS/voice calls.
- A phone is required to receive an SMS/voice call and complete 2FA.
In this case, the mobile device acts as a token and utilizes particular factors unique to the device. If the device’s unique factor and the value stored in the database are the same, the application completes the step-up or adaptive authentication.
Step-Up or Adaptive authentication uses the following unique factors:
- International Mobile Equipment Identity (IMEI) number: The IMEI number is unique for each mobile phone and is accessible on the mobile phone itself from the server’s database. It allows the user to identify themself by that device.
- International Mobile Subscriber Identity (IMSI) number: IMSI is a unique number associated with a SIM card in the mobile phone, and is accessible on the SIM itself from the server’s database. It allows the user to identify themself by that SIM.
If the IMEI or IMSI number of the device and the values saved in the application database are the same, then the user is authorized.
This 2FA method can be useful for mobile apps where the apps are connected to the user’s mobile number by ensuring additional security.
For example, when you set up a payment app on your mobile device, it requests you to set a PIN/Password/Fingerprint and then request an SMS from your linked phone number. This message contains the IMSI number of your SIM. Later, you can log into the payment app by just providing the set PIN/Password/Fingerprint as long as you have the phone number used for 2FA in your device.
However, it is possible that the payment app will only allow one active session at a time on the mobile device.
Advantages of device-based 2FA:
- Once set up, it works in the background, i.e., no user involvement required until the user changes device or SIM.
- Highly secure, as the user account cannot be accessed on any device other than the registered device.
Disadvantages of device-based 2FA:
- 3rd parties can intercept SMS messages.
- A phone is required to receive SMS and complete 2FA.
In SMS-based authentication, the mobile phone sends the user-specific unique identification information to the server via an SMS to authenticate the user. The server then checks the content of the SMS. If the content is correct, the server generates an OTP randomly and sends it to the mobile phone. You can use OTP within a fixed time interval.
This 2FA method can be handy when the application is connected to the user’s mobile number. It ensures additional security.
For example, when you set up a financial app on the mobile phone, the login process can be completed in the following two steps:
- You enter the PIN/Password/Scan fingerprint.
- The app requests you to select a phone number with which you have an account registered. Then you need to send an SMS to the app, which acts as the 2FA method for you to log into the account.
Advantages of SMS-based 2FA:
- User-friendly, since it is SMS based.
- Inexpensive to set up and maintain.
Disadvantages of SMS-based 2FA:
- Third-parties can intercept SMS messages.
- A phone is required to send SMS and complete 2FA.
The biometric authentication is done using fingerprint, retina, or face recognition. For more details on these biometric authentication types, refer to the biometric authentication section of the previous article (Part 2).
This 2FA method is useful when it is necessary to upgrade the security and ensure that only the desired user is logging into the application. For example, the employee can log in and perform various operations on the organization portal. However, to mark the attendance, the employee needs to scan their finger or use face recognition.
Advantages of biometric-based 2FA:
- Separate token generation is not required as the user is the token.
- Multiple options are available, such as fingerprint, retina, face recognition.
Disadvantages of biometric-based 2FA:
- Requires additional hardware to read and verify biometric data.
- Storing the biometric data raises privacy concerns.
- If compromised, the biometric data cannot be reset.
6. Authenticator App / Soft Token
The Authenticator App-based authentication uses a software generated one-time password. It is also referred to as a soft token. For this authentication method, the user must download and install a 2FA app on their mobile device.
Soft tokens are time-based, i.e. it expires after reaching the configured expiration time. It adds an additional security layer when compared to the SMS-based OTP.
Unlike SMS-OTP based authentication, this method requires an internet connection and a smartphone.
This 2FA method can be useful when the targeted audience does not have the proper internet or cell network connectivity on their mobile devices. A popular authenticator app is the Google Authenticator app.
Advantages of software token-based 2FA:
- It does not require an internet or cell network connection to generate the token.
- A single authenticator app can be utilized for multiple applications.
- More secure when compared to SMS/OTP-based 2FA.
Disadvantages of software token-based 2FA:
- Requires additional software installation.
- Expensive to implement and maintain.
7. Push Notifications
In this case, a push notification is sent to the user for authentication. The user can either accept or decline the access request with a single touch. This method eliminates the need for entering an OTP or using biometrics for 2FA. Also, this is a highly secure 2FA method and helps in reducing the man-in-the-middle and phishing attacks.
Unlike SMS and OTP-based authentication, this method requires an internet connection and smartphone.
This 2FA method can be useful when the target audience has an internet connection on their mobile device, and for the ease of use, you don’t want them to type the OTP. Thus, you send them a push notification with the option to accept or deny.
Advantages of push notification-based 2FA:
- User-friendly, as users can click once to allow or deny authentication.
- Secure, as it cannot be used until the mobile device is unlocked.
Disadvantages of push notification-based 2FA:
- It requires a phone to receive a push notification.
The next article will be dedicated to Single Sign-On (SSO) authentication, with information on how it works, SSO types, and various SSO protocols. Stay tuned!
Originally published at gupta-deepak.medium.com