Multifactor authentication, or MFA, is an IT security technology method that requires an individual to provide two or more authentication factors to confirm his identity for online transactions or to gain access to corporate applications, networks and servers. Multifactor authentication benefits include tighter security and user identity protection to avoid phishing scams.
The goal of multifactor authentication methods is to increase the difficulty for an adversary to exploit the login process and roam freely around personal or corporate networks and compromise computers to steal confidential information -- or worse.
The three most commonly used authentication factors are:
- the knowledge factor: Something only the user knows -- such as a username and password, a PIN or answers to security questions;
- the possession factor: Something the user has -- such as a smartphone, one-time passcode or smart card; and
- the inherence or biometric factor: Something unique to the user -- biometrics, such as a fingerprint, iris scan or voice recognition -- that proves the user's identity.
Multifactor authentication combines two or all of these factors.
MFA tokens: From key fobs to mobile apps
Hardware tokens, one of the oldest multifactor authentication methods, are still in use today. A hardware token often comes in the shape of a key fob that displays a randomly generated, one-time password.
When a user presses the button on the key fob, the screen displays a sequence of numbers, typically for 30 to 60 seconds. Users must then accurately type this transient passcode sequence into the application or resource they are attempting to access before it expires.
The passcode generated by the key fob checks against a server located on the enterprise network to ensure that they match. This server runs the identity management processes, sets up various security policies and connects the tokens with the user directory stores, such as Active Directory or RADIUS.
If the number sequence matches the generated passcode, the user is granted access. If not, he or she must start over by once again pressing the button on the key fob to generate a new passcode.
This technology has significant downsides, which is why traditional key fobs have fallen out of favor. Keeping track of hardware tokens is cumbersome, and a user may not have the required token on hand when out of the office. Companies also face the added burden of having to deactivate key fobs for ex-employees or for users who lost their key fobs.
What is the answer to these problems? Mobile tokens and biometric authentication.
Various mobile apps function like hardware tokens and generate one-time passwords, helping to alleviate the above issues.
Additional second factors enabled by smartphones and other mobile devices include using SMS texts, emails and cameras to scan QR codes that display on webpages when users are trying to sign into applications or perform transactions.
Now that many device makers have added fingerprint sensors and cameras sensitive enough to scan irises to their devices, organizations can choose biometrics as one of the factors for multifactor authentication. Biometric authentication relies on a user's unique biological characteristics, such as a fingerprint or iris scan, to grant access to an application or other resource. The biggest benefit of biometric authentication is that users don't have to spend time entering long passcodes or PINs.
However, biometrics does not have the ability to change codes like users can with a PIN or passcode. If compromised, there is no way to change biometrics, leaving the company and user vulnerable.
The growing appeal of multifactor authentication
As passwords have become more insecure, the use of multifactor tools has moved from just IT workers to just about everyone in the enterprise, especially those who have access to personal information.
In addition, with the proliferation of SaaS-based web services and the number of reused passwords, multifactor authentication methods have become more important, and they now appeal to small and midsize businesses, as well. Another of the multifactor authentication benefits is that the likes of Facebook, LinkedIn, Twitter, Google, Apple and numerous other vendors have adopted these tools to secure their own applications.
If enterprises haven't started using and supporting multifactor tools yet, they'll find it takes some effort to configure and deploy. The tools have many moving parts, and enterprises will need specialists from different parts of their IT organizations to coordinate and configure their infrastructures and get protected logins working properly.
The most important of the multifactor authentication benefits is that the tools are somewhat easier to manage. They still require some integration effort, however. To that point, some of these products include various software agents that can protect virtual private networks, SharePoint servers, the Outlook Web App and database servers, for example.
Finally, many providers have moved their traditional hardware-based, on-site multifactor servers into the cloud. Most multifactor authentication vendors offer both options, and many of their customers are choosing off-site deployments thanks to the flexibility the cloud offers in terms of support and management.
The cost of multifactor authentication
The typical cost to deploy a multifactor authentication platform is a few dollars per month, per token. However, this can add up to tens of thousands of dollars per year for companies that have a lot of users and tokens.
Complicating the picture is that each vendor calculates the bottom line price differently. Pricing options might include quantity discounts, multiyear price breaks and 24/7 support fees. Some vendors charge on a per-token basis -- with differing rates for hard or soft tokens -- while some charge on a per-user or per-server basis. Other vendors offer added components or integration layers for an addition price.
Overall, multifactor authentication tools are worth the hassle, especially as the number of password exploits continues to rise. Businesses need better ways to protect user login information beyond the simple username and password combination.
The combination of a robust multifactor authentication product landscape and user awareness of the importance of strong authentication means the time is right for enterprises to consider multifactor authentication and its benefits.
Linda Rosencrance contributed to this report.