We, as security practitioners, need to be mindful about what we mean when we say “2FA” or “MFA.” These terms are often used interchangeably. The confusion is understandable, since 2FA is a subset of MFA. However, just like Halloween candy, MFA (including 2FA) comes in many flavors. Let’s unpack these terms and consider the various options.
MFA offers three factors to prove identity, plus additional attributes to further support the claim:
- Knowledge factor. Something you know — passwords, passphrases, or PINs.
- Possession factor. Something you have — certificates, software, or hardware tokens.
- Inherent factor. Something you are and/or something you do — biometrics (e.g., fingerprint, face, voice) or behavioral biometrics (e.g., typing speed, swipe/mouse patterns).
- Implicit attributes. Geolocation and device characteristics (e.g., OS and browser versions) are not truly “factors” since they do not, on their own, confirm a user’s identity, yet these attributes absolutely do improve security posture and inform adaptive/contextual/risk-based authentication.
It is worth noting that the use of two attributes from the same factor category, such as a password and a PIN, is not 2FA and does little to improve your security posture.
Distinguishing Between 2FA And MFA
Today’s 2FA, offered by vendors such as Auth0, Duo Security/Cisco, Google, Microsoft, Okta, OneLogin, and Idaptive, typically consists of password-based access via a computer against a user repository, such as Active Directory, combined with a one-time password delivered to the user’s smartphone (either via an SMS text message or directly through a dedicated mobile app). 2FA is one of the most effective security investments organizations can make to protect against lost or stolen credentials, phishing, social engineering, credential stuffing, and brute-force attacks. The Forrester Analytics Global Business Technographics® Security Survey, 2019, found that 27% of external attacks were carried out using stolen credentials, underlining 2FA’s importance.
Biometrics, including behavioral biometrics, can provide additional frictionless security as a second or third factor. We do not recommend using this as the only authentication factor, since it is probabilistic in nature and has the potential to be spoofed, as opposed to factors such as knowledge or possession that are deterministic. The biometrics factor often requires specialized hardware (high-resolution cameras or fingerprint receptors), yet biometrics is becoming a more accessible option, as evidenced by Microsoft’s Windows Hello, which allows Windows 10 users to sign in with face or fingerprint. Behavioral biometrics vendors such as BehavioSec and BioCatch, provide novel approaches, based on the “something you do” factor, and do not rely on additional hardware.
Out-of-band (OOB) adds another layer of security by delivering the second factor authentication request via a distinct channel, such as Verizon’s wired/wireless networks, yet even with this added layer of security, a one-time password (OTP) sent via SMS is vulnerable to SIM swapping attacks. Therefore, we suggest using an app, such as Google Authenticator or Authy, for OOB 2FA. This protects against SIM swapping by linking the authentication session to your device rather than to your phone number.
To better mitigate risk, security and risk (S&R) pros should deploy MFA uniformly across the entire workforce (though exceptions for legacy systems, partners, etc. will exist). Alternatively, they can choose targeted deployment models, such as step-up authentication for password resets or for activity flagged as high risk like first-time access from an unregistered device. Some organizations may choose to deploy MFA only for higher-risk databases or specific high-risk user populations.
We recommend that S&R pros do the following:
1) Move away from passwords, even when deploying MFA.
2) Employ implicit, risk-based authentication in policies to minimize user friction.
3) Avoid SMS text message-based OTPs.
4) Encrypt all identity secrets, whether the data is in motion or at rest.
In the spirit of Cybersecurity Awareness Month, let’s advance the discussion around MFA and move toward a Zero Trust model by ending our reliance on the password as the gatekeeper to our sensitive and high-value data assets.
Watch for my upcoming report, “Use Zero Trust To Kill The Password,” which will address strategies for moving beyond the password to better protect your workforce from account takeover. My colleague, Andras Cser, will be publishing a report on passwordless authentication, so keep an eye out for that, as well.