In the business of information security, professionals preach that the best defense is a layered defense. The more barriers or challenges there are in place, the more secure your system.
Last month I wrote about using a pass-phrase instead of a password to shore up your internet security defenses. This time, I’d like to tell you about another technology, multi-factor authentication, sometimes called second-factor or dual-factor authentication.
Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more credentials to authenticate their identity. These credentials can take the form of passwords, hardware tokens, numerical codes, biometrics, time, and location. The technology incorporates a combination of the security principles of something you know (ID and password) and something you possess (MFA key).
For most consumers, the second credential arrives as a text message, usually containing a number. The MFA service generates a short, unique number or character set, let’s call it a key, that is required to complete authentication, and sends it to the user’s device (phone, tablet, computer).
Let’s look at a banking example.
When a user navigates to his bank’s website, he’s presented with a log-in request. The user enters his user ID and password, clicks “log in.” Behind the scenes, the MFA service generates a unique key (number, character set) and sends it to the user’s device (phone, tablet, computer — based on the user’s settings). The web page displays a notice instructing the user to enter the unique key. Once the user receives, almost instantaneously, the unique key on his phone or other device, he enters it into the web page and the solution completes the authentication process.
The MFA configuration typically offers multiple communication channels through which to receive your key. For example, you might have two cellphones associated with your MFA configuration at your bank. If so, the service will ask you where you’d like the key sent. MFA technology is also time-based: the service invalidates a generated key after a short period, usually 10 to 30 minutes.
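The banking flow just described has a server side that the column does not show: the service mints a short random key, remembers it only long enough for the user to type it in, and then throws it away. The following is an added illustration, not code from the column or from any bank or vendor, of how such a one-time key is issued and checked. All names (OtpService, FakeClock, the 10-minute lifetime, the five-attempt limit) are assumptions chosen for the example; the lifetime falls within the 10 to 30 minutes the text cites. The key itself is never stored, only a keyed hash of it, and a key is consumed after one successful use, after it expires, or after too many wrong guesses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed example of a server-side one-time key store (not a real MFA product).
CODE_LENGTH = 6
CODE_TTL_SECONDS = 10 * 60   # assumed lifetime; the column cites 10 to 30 minutes
MAX_ATTEMPTS = 5             # assumed limit on wrong guesses before the key is voided


class FakeClock:
    """Injectable clock so expiry can be exercised without waiting (test helper)."""
    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


@dataclass
class OtpService:
    # Server-held secret so a leaked table of digests cannot be brute-forced offline.
    pepper: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    clock: Callable[[], float] = time.time
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def _digest(self, user_id: str, code: str) -> bytes:
        return hmac.new(self.pepper, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Mint a fresh numeric code for user_id and return it for delivery
        (SMS, push, etc.). Any earlier unused code for this user is replaced."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.pending[user_id] = PendingCode(
            digest=self._digest(user_id, code),
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """True only if submitted matches the live, unexpired code for user_id.
        The code is discarded on success, on expiry, and after MAX_ATTEMPTS failures."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[user_id]          # expired: force a new issue
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[user_id]          # too many guesses: void the code
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(user_id, submitted))
        if ok:
            del self.pending[user_id]          # single use: no replay of a seen code
        return ok


def _other(code: str) -> str:
    """A code guaranteed to differ from `code` (used to simulate wrong guesses)."""
    return str((int(code) + 1) % 10 ** CODE_LENGTH).zfill(CODE_LENGTH)


def demo() -> Dict[str, bool]:
    """Walk the bank log-in scenario and return which protections held."""
    clock = FakeClock()
    svc = OtpService(clock=clock)
    results: Dict[str, bool] = {}

    code = svc.issue("alice")                         # sent to alice's phone
    results["wrong_rejected"] = not svc.verify("alice", _other(code))
    results["right_accepted"] = svc.verify("alice", code)
    results["replay_rejected"] = not svc.verify("alice", code)

    code2 = svc.issue("alice")
    clock.advance(CODE_TTL_SECONDS + 1)               # user waited too long
    results["expired_rejected"] = not svc.verify("alice", code2)

    code3 = svc.issue("alice")
    for _ in range(MAX_ATTEMPTS):                     # attacker guessing blindly
        svc.verify("alice", _other(code3))
    results["locked_after_attempts"] = not svc.verify("alice", code3)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that correctness of the comparison is not enough on its own: without the expiry, the single-use rule and the attempt cap, a six-digit code is small enough to guess, and a code captured once could be replayed. Those three rules are what make the "possess the device" assumption in the column hold in practice.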
Is MFA hacker-proof? Unfortunately, no. Whether through technical flaws, carelessness or social engineering, every system is susceptible to compromise. However, to break into your MFA-configured account, an attacker would need not only to know your user ID and pass-phrase, but also to possess the device that receives the MFA key.
Setting up MFA is simple, and the technology provides another layer of defense that will improve your information security. So, if you haven’t already, consider adding MFA to your security posture.
– Mike Goforth, an enterprise applications cloud technologist with a large enterprise software and technology provider, specializing in security, operations and compliance.