Multi-Factor Authentication
This article is part of the ongoing series discussing identity and access management (IAM).
What is Multi-Factor Authentication (MFA)?
Your username and password, used to log in to different websites and applications, count as a single authentication factor. Using MFA means that the login process requires two or more factors to achieve the same thing.
The additional MFA factors might be a six-digit code from an app on your phone, or accepting a notification from an app on your phone, to help prove it’s really you. There are many different options for what those MFA factors might be.
Why do we need to use MFA?
Many websites and applications unfortunately get hacked, or do not have a strong authentication process when you log in. If they’re hacked, your username and password may then be known to many other people. If the login process allows unlimited login attempts, someone may be able to guess your password.
As many people reuse the same password for multiple websites, a hack on one site can mean that the password for many other sites is now known (see haveibeenpwned to see how many passwords have been leaked and how many of those are your own). Hackers use automated techniques to scan and attempt logins on a huge number of sites almost continuously, so it’s likely that these other sites would also be discovered and then allow a login. As far as the site knows, it’s the correct user, because the username and password are correct.
It’s really, really important that you don’t use the same password for different web sites.
So with that additional MFA factor of a code from your phone, that’s one piece of information the hackers do not have. The way the code (for this type of MFA) is generated is specific to that one website. When you use the site’s user setup option to enable MFA, an additional secret is created that is unique to you on that site. This is then used with some fancy maths to create the six-digit number that changes every 30 seconds on your phone.
Microsoft have stated in the past that using MFA properly on a user login is around 99% effective at preventing account compromise. See How effective is multifactor authentication at deterring cyberattacks?
What MFA types are better than others?
In 2024 there are multiple options for using MFA, and some are better than others. What’s available depends on the website or your Identity Provider (see Single Sign On, where we recommend you use SSO for as many things as possible), but the main thing to know is that using any of these is better than using nothing at all.
TXT messages
This is not recommended, because a determined attacker is able to circumvent the way the TXT message is sent to you. It’s possible they can get your phone number moved to their own device, or clone the SIM card to masquerade as your actual mobile phone.
Time-based codes
These are fairly good for most situations and are simple, but often annoying to use if they are required too often. People need to have a mobile app installed, or a small dedicated key fob device that shows the code. If these are lost, they need to be deregistered from the user account and a new one added.
Each website will generate its own set of codes, so a dedicated key fob may not always be reusable. A mobile app like Google Authenticator, Microsoft Authenticator, Ping ID, Okta, and others can register and provide codes for multiple websites. Again, using SSO would mean one account and one MFA code, which is easier and more secure when done properly.
Passwordless
Talking about “passwordless” seems like it’s the opposite of being secure. Surely we still need passwords?! And yes, we still do, but we can reduce the need to use them.
If the login process supports it (largely if you use Microsoft Entra ID and the Microsoft Authenticator mobile app) a push notification will be sent to your registered Authenticator app on your mobile. This will ask you to press the button matching the number visible on the login screen to confirm it is really you, or in some scenarios just acknowledge you are trying to login.
A downside to passwordless is “notification fatigue”, which happens if an attacker can send many repeated login attempts, each sending a notification to the user. At some point the user may just click the accept button and allow the attacker to log in successfully. Requiring the correct number match does reduce the likelihood of this shortcoming.
Passkeys
In the last couple of years a new option has been created that removes the need for a special device or typing in codes. Passkeys can be used on supported computer or mobile hardware with most modern web browsers and in web sites that have passkeys enabled.
The web site user account setup will prompt to enable a passkey for your account and share some secret information with your web browser or computer OS. This will be securely linked to your user account and be checked when you login to that website.
By creating a passkey you’re trusting your Windows or Mac OS or mobile phone that you’re using. If you share that device or Windows/Mac OS login with others that you don’t trust for that web site, then don’t use passkeys.
Where your device supports password synchronisation with Microsoft or Apple or another ecosystem, you may be able to sync that passkey to your other devices.
Hardware tokens
A hardware token is regarded as one of the best forms of MFA and should be used to help secure highly privileged accounts, like those used for administrator tasks. One of the most popular providers is YubiKey.
Hardware tokens do not have a display or create codes to type into a web site. They’re cryptographically linked to the user account via data stored on a small USB stick or similar device. When required at login time, you are prompted to insert the hardware token and either touch a button on it, or use a fingerprint reader embedded in the device. The coded data is then sent to the web site to complete your login.
This option is not cheap at scale, with hardware tokens often starting at USD$30 per device for the most basic option. Having a set of spares and registered backup devices for important functions increases the cost further, but these extras cannot be ignored.
Other forms of MFA
Using SSO platforms like Microsoft Entra ID can provide other signals to check at login time. Some examples of these are:
- what network is the login request coming from?
- is the device known to your organisation?
- is the device compliant based on your device management evaluation?
- is this a person where additional MFA options should be used?
- is this a login attempt to a web site that should have extra MFA options applied?
- does the login attempt come from an OS or certain device type needing different options?
It’s very important that these rules (called conditional access policies in Entra ID) affecting login are well managed and robust. Getting these wrong, by creating too many or making them too complex, will likely lead to gaps and an increased risk of not applying the required controls.
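As an added example (not the article’s or Microsoft’s code, and not Entra ID’s real policy schema), a simplified Python model of conditional-access style rules: each policy matches on the signals listed above and demands controls, and find_gaps enumerates the sign-in combinations that no policy covers, which is the kind of gap the paragraph warns about. The policy names, groups and apps are constructed.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Set

# Constructed, simplified model of conditional-access style rules (not Entra ID's
# own policy schema): a policy matches on sign-in signals and demands controls.

@dataclass
class SignIn:
    user_group: str          # e.g. "admins", "staff"
    app: str                 # e.g. "payroll", "wiki"
    trusted_network: bool    # did the request come from a known network?
    device_compliant: bool   # did device management mark the device compliant?
    platform: str            # e.g. "windows", "ios"

@dataclass
class Policy:
    name: str
    controls: Set[str]                      # e.g. {"mfa"}, {"hardware_token"}
    user_groups: Optional[Set[str]] = None  # None on any condition means "any value"
    apps: Optional[Set[str]] = None
    trusted_network: Optional[bool] = None
    device_compliant: Optional[bool] = None
    platforms: Optional[Set[str]] = None

    def matches(self, s: SignIn) -> bool:
        return ((self.user_groups is None or s.user_group in self.user_groups)
                and (self.apps is None or s.app in self.apps)
                and (self.trusted_network is None or s.trusted_network == self.trusted_network)
                and (self.device_compliant is None or s.device_compliant == self.device_compliant)
                and (self.platforms is None or s.platform in self.platforms))

def required_controls(s: SignIn, policies: List[Policy]) -> Set[str]:
    """Union of the controls from every matching policy; an empty result means the
    sign-in proceeds with password only, which is exactly the gap to avoid."""
    return set().union(*(p.controls for p in policies if p.matches(s)))

def find_gaps(policies, groups, apps, platforms) -> List[SignIn]:
    """Enumerate every signal combination that no policy covers, so a rule set
    can be reviewed for holes before it is enforced."""
    combos = product(groups, apps, (True, False), (True, False), platforms)
    return [s for s in (SignIn(*c) for c in combos) if not required_controls(s, policies)]

# Constructed rule set with a deliberate hole: admins always need a hardware token,
# but staff only get MFA when off the trusted network on a non-compliant device.
POLICIES = [
    Policy("admins-hardware-token", {"hardware_token"}, user_groups={"admins"}),
    Policy("staff-untrusted-noncompliant", {"mfa"}, user_groups={"staff"},
           trusted_network=False, device_compliant=False),
]
```

Running find_gaps(POLICIES, ["admins", "staff"], ["payroll"], ["windows"]) lists the three staff sign-in combinations that reach the payroll app with no MFA at all.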
Usability vs Security
The best security option is the one that does its job while being invisible to the user of the system. Most of the options above directly interfere with the user login process, but they do make things more secure.
If passkeys are supported, they’re a great option for usability for normal user access. Other options needing a code typed in will likely get push back from your staff when introduced. Expectations and the user experience are key considerations when deploying MFA.
In some situations, making that MFA requirement an interruption might be a good idea. If someone is about to log in to a critical system, having them insert a hardware token should be a reminder of the importance of the actions they’re about to undertake.
Your staff must be aware of what the MFA process is expected to look like and when they should expect to use it. Similarly, they need to know that no one should ever ask them for their MFA codes or related information.
What if I lose my MFA app or hardware token?
Like many password related processes, there needs to be a secure method to update someone’s MFA information. This might be available from a trusted device, or even need to be done by authorised support personnel. What we don’t want to do is to reduce the effectiveness of MFA by creating an easy way for an attacker to bypass its use or to create their own MFA codes.
Summary
If you don’t already use MFA in your organisation right now, this needs to be one of the top priorities to remediate. Plan it, educate your staff, but make it happen. It is one of the most effective methods to prevent unauthorised access to your business systems and information.
Many regulatory bodies now require the use of MFA to be compliant and if your business is looking to have cybersecurity insurance, a lack of MFA may make your business uninsurable.