Multi-factor authentication (MFA) is a strategy that complements the use of passwords to strengthen security and make it harder for threat actors to gain unauthorised access. It requires a user to present two or more independent factors to verify their identity before they are granted access to a system or device. MFA provides individuals and organisations with an additional layer of security to protect sensitive data and valuable IT assets.
An effective MFA combines factors from at least two of the following categories:
- something the user knows, such as a password or PIN
- something the user has, such as a phone, a hardware token or a smartcard
- something the user is, such as a biometric like face recognition or a fingerprint
- something the user does, such as a gesture or typing pattern
- somewhere the user is, such as a location from which access is authorised at a given time.
Two factors from the same category, for example a password and a PIN, do not count as multi-factor.
Multi-factor authentication has weaknesses and does not guarantee absolute security. It can be defeated if attackers intercept the message carrying a one-time code (for example an SMS), or use social engineering to trick users into revealing both their password and their MFA code, or into approving a prompt they did not initiate. It also fails if the service is configured incorrectly so that the second step can be bypassed, for example through a login or password-reset path that never prompts for it. A lost or stolen device used to receive MFA codes can expose the account if it falls into the hands of a threat actor and is not itself protected by a screen lock.
After reviewing these vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) has published recommendations for the effective use of MFA. It recommends prioritising the strongest available MFA for the most valuable roles and cloud applications, and training users so that they are confident rejecting and reporting MFA prompts they did not initiate. It also recommends number matching, in which the login screen displays a number that the user must enter into the authenticator app, as an additional layer of protection against attackers who repeatedly send prompts to a user until one is approved, and notes that hardware tokens are a good measure provided users keep them within reach at all times.
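The following simulation, added here as an illustration and not taken from the article or from CISA's guidance, contrasts a plain push approval with number matching under an MFA-fatigue (push-bombing) attack in which the attacker already holds the password. The `PushMfaServer` class, the 60-second challenge lifetime and the user name `alice` are constructed for the example; real products differ in detail, but the point it shows is general: the matching number is displayed only on the device that entered the password, so a victim who taps "Approve" on an unsolicited prompt cannot supply it.

```python
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # constructed value for the example


class PushMfaServer:
    """Minimal model of a push-based MFA back end (constructed example, not a real product).

    With number_matching=False a single tap on "Approve" completes the login.
    With number_matching=True the login screen shows a two-digit number that the
    user must type into the authenticator app; the tap alone is not enough.
    """

    def __init__(self, number_matching, clock=time.time, rng=secrets.randbelow):
        self.number_matching = number_matching
        self._clock = clock   # injectable so a test can advance time
        self._rng = rng       # injectable so a test can fix the displayed number
        self._pending = {}    # challenge_id -> (username, number, expires_at)

    def start_login(self, username):
        """Runs after the password check. Returns (challenge_id, number_to_display).

        The number is shown only on the device that entered the password; the
        push sent to the phone carries the challenge_id but not the number.
        """
        challenge_id = secrets.token_hex(8)
        number = self._rng(100) if self.number_matching else None
        expires_at = self._clock() + CHALLENGE_TTL_SECONDS
        self._pending[challenge_id] = (username, number, expires_at)
        return challenge_id, number

    def approve(self, challenge_id, number_entered=None):
        """Handles the authenticator app's answer. Returns True if login is granted."""
        entry = self._pending.pop(challenge_id, None)  # single use: consumed on first answer
        if entry is None:
            return False                               # unknown, replayed or already answered
        _username, expected, expires_at = entry
        if self._clock() > expires_at:
            return False                               # stale prompt, do not honour it
        if not self.number_matching:
            return True                                # plain push: the tap is the approval
        if number_entered is None:
            return False                               # tapped Approve without a number
        # Constant-time comparison of the zero-padded two-digit strings.
        return hmac.compare_digest(f"{expected:02d}", f"{int(number_entered):02d}")


def simulate_push_bombing(number_matching, victim_enters=None, rng=secrets.randbelow):
    """MFA-fatigue scenario: the attacker knows the victim's password and starts a
    login; the victim, who is not sitting at a login screen, eventually taps
    Approve (and, with number matching, types whatever `victim_enters` is, or
    nothing). Returns True if the attacker gets in.
    """
    server = PushMfaServer(number_matching, rng=rng)
    challenge_id, _number_on_attacker_screen = server.start_login("alice")
    # The victim's phone receives only the prompt. The number, if any, is visible
    # solely on the attacker's screen, and the attacker cannot tap the victim's phone.
    return server.approve(challenge_id, victim_enters)


def replay_is_rejected():
    """A prompt answered once cannot be answered again."""
    server = PushMfaServer(number_matching=False)
    challenge_id, _ = server.start_login("alice")
    return server.approve(challenge_id), server.approve(challenge_id)


def stale_prompt_is_rejected():
    """Even the correct number is refused once the challenge has expired."""
    now = [1_000_000.0]
    server = PushMfaServer(number_matching=True, clock=lambda: now[0], rng=lambda n: 42)
    challenge_id, number = server.start_login("alice")
    now[0] += CHALLENGE_TTL_SECONDS + 1
    return server.approve(challenge_id, number)


if __name__ == "__main__":
    print("plain push, victim taps Approve:", simulate_push_bombing(False))
    print("number matching, victim taps Approve:", simulate_push_bombing(True))
    print("number matching, victim guesses 07:", simulate_push_bombing(True, 7, rng=lambda n: 42))
    print("replay (first, second):", replay_is_rejected())
    print("expired prompt with correct number:", stale_prompt_is_rejected())
```

Number matching does not stop a user who is genuinely logging in from being phished by a proxy site that relays the number, which is why CISA pairs it with phishing-resistant authenticators for high-value accounts; what it removes is the blind "tap to make it stop" approval that push bombing relies on.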
Other ways to enhance the effectiveness of multi-factor authentication include:
- continuing to use other controls such as firewalls, antivirus software and intrusion detection systems
- applying a zero trust security policy, in which every access request is verified and users are granted only the access they need, when they need it
- implementing mobile device management policies to address the risks posed by a remote workforce and by the personal devices that often receive MFA prompts
- monitoring and analysing traffic patterns to detect unauthorised users who have already infiltrated the environment.
Implementing these measures builds layered security around an individual's or organisation's sensitive data and reduces the likelihood and impact of leaks or attacks by threat actors.