In the early days of computing, authentication was simple: If you wanted to log in to an IT system, you had to enter your username and password. If what you entered matched what the system had stored in its directory, it decided that you were who you claimed to be and granted you access; otherwise, you were denied access.
This approach grew in sophistication over time. For example, modern password-based authentication systems like Kerberos don’t actually transmit passwords anymore; they generate an authentication token that is submitted instead.
But even with these enhancements, a username-and-password based approach to authentication still has a key weakness: If someone learns another user’s password, they are indistinguishable from the true user. This is a real and pressing security problem, since there are many ways of getting a password, from educated guesses to technical attacks to targeted social attacks such as phishing. In fact, it’s difficult for a system to prevent a user from re-using a password across multiple systems or using a password that is easy to guess.
Moreover, even if an attacker doesn’t know a user’s password, most username-and-password authentication systems are vulnerable to tactics like replay attacks (in which an attacker simply listens for the authentication traffic and replays it) and Golden Ticket attacks (in which the attacker dumps a valid authentication token from the memory of a vulnerable system).
These weaknesses in traditional authentication systems have led to organizations embracing multifactor authentication. What is multifactor authentication? Well, username-and-password authentication is single-factor: you verify you are who you’re claiming to be using just one method, or factor — providing your username/password combination.
Two-factor authentication, as its name implies, involves requiring two different factors. It is the most basic type of multifactor authentication, which requires two or more different factors. This is often (though inaccurately) described as combining “something you know” (your password) with “something you have” (such as a code from an app on your phone).
For convenience and clarity, I’ll be using the term “multifactor authentication” since it includes two-factor.
Multifactor authentication benefits both organizations and their users by addressing the key weaknesses of username-and-password authentication. For example, suppose I have used my super-secret password of “CovidSux2021!” across multiple websites, including my corporate network and a forum for cute cat photos that I frequent. Unfortunately, the cat photo forum stored my password in an easily hackable format and they suffered a breach — now my username and password for that forum can be had on the open web for a few pennies.
Without multifactor authentication, an attacker could purchase that username and password, do a little bit of research about where I work, and surmise that I might have used the same password there. If that guess is right, then it is game over — they have access to everything I can do at work. Similarly, they might try using the same username/password combination on various banking sites; if they manage to log in, I could end up with my account cleaned out.
But with multifactor authentication, simply knowing my password does them no good. They are missing the other factor (or factors) the system requires to prove they are me. Thwarted!
There are multiple different common multifactor authentication technologies. But which one is best for your needs and requirements?
MFA strengths and weaknesses
As you might guess, any MFA is usually superior to just a username and password. However, the various multifactor authentication approaches have different tradeoffs associated with them. Here are some of the common MFA technologies with some of their tradeoffs and weaknesses:
OTP via SMS
OTP via SMS is the least secure, even though it is the most widely implemented. To defeat SMS-based multifactor authentication, an attacker can steal a user’s phone or convince the carrier of the phone to move the user’s phone number to one controlled by the attacker. Additionally, SMS MFA is vulnerable to social attacks, where an attacker convinces a user to provide the SMS code over the phone by impersonating a support person.
Hardware tokens are also vulnerable to physical theft and social attacks and are inconvenient for users who might not have the token with them when they need to authenticate.
OTP via a Phone App
OTP via a phone app is probably the current “sweet spot” in multifactor authentication — it is ubiquitous, easier to set up than smart cards, and fairly secure. Yet it too has its negatives.
Users can usually self-enroll multiple devices to provide the passcodes, which is convenient but increases the attack surface. Worse yet, many modern password managers (like 1Password or Apple’s Keychain) integrate OTP generation into the password manager itself for convenience’s sake, so if an attacker gets access to the password manager, it’s all over.
Smart cards are considered a very strong form of authentication because the cryptographic keys stored on them are well protected. Indeed, smart cards are often used by government agencies because they help ensure compliance with regulations like the Defense Federal Acquisition Regulation System (DFARS).
But smart cards are inconvenient for the users who have to carry them around, and they are vulnerable to physical theft. Plus, implementation tends to impose significant administrative overhead. To help mitigate these drawbacks, modern versions of key cards like Yubikeys, integrate biometrics and are compatible with a wider range of devices.
Biometrics are increasingly popular. They are extremely convenient for users; I’ve never left home without my fingerprints or my face — though a cut or other injury could make it impossible for the system to authenticate me. Biometrics are also difficult to hack because they are so complex — but if they are compromised, you’re in a tough spot, since you can’t swap out your fingerprints the way you can reset a password or replace your phone.
Also, someone could physically force you to provide your fingerprint or scan your face; whether local and federal law enforcement can use your biometrics without your consent to access your devices has been decided differently in various court cases but has not yet reached the Supreme Court.
This is an exciting option that is currently secure and delivers a great user experience. However, it is not supported by many identity systems. Furthermore, a key technical component to making passwordless authentication work is “secure enclaves” on the registered device.
As we know, endpoints are vulnerable to attack from malware, so for the device registration to mean much, we need to rely on a “computer within the computer.” On iOS devices, this is the Secure Enclave; on Macs, it is the T2 chip; and on Windows computers, it is the Trusted Platform Module (TPM) chip (though it is currently possible for administrators to set up Windows Hello for Business without a TPM!).
If a widespread flaw were to be found in one of these systems, it could render device registration meaningless for whole categories of endpoints.
There’s no question that multifactor authentication benefits organizations and users by dramatically strengthening security. Indeed, Microsoft reports that its telemetry shows that 99.9 percent of organization account compromise could be stopped by simply using MFA. But requiring multifactor authentication for everyone all the time is pretty much guaranteed to frustrate users and hurt productivity. It’s important to take a balanced approach.
Indeed, multifactor authentication is best understood as one aspect of your organization’s broader security strategy. Many experts now recommend developing a security strategy based on Zero Trust principles and using tools like Azure AD Conditional Access, which gives you a lot of flexibility to apply MFA judiciously.