GovLoop

What You Need To Know About Multi-Factor Authentication (Part 2)


Let’s summarize what has been covered in my articles: 

  1. Cybersecurity has many layers like an onion or a parfait.
  2. Cybersecurity starts when the computer is first powered up. Way before it even hits the firewall.
  3. Hackers get in because of insecure password management.
  4. The employee managed passwords is cybersecurity’s weakest link.
  5. Credential theft is a greater problem than credit card theft.
  6. Killing passwords is not a solution.
  7. The truth about multi-factor authentication.

In this post, we’ll delve into two-factor authentication (2FA) and three-factor authentication (3FA).

Two-Factor Authentication

Two-factor authentication is the combination of any two of the different factors.

Something you have + Something you know:

This is the most common of all the two-factor systems. It is relatively inexpensive to deploy and manage. It uses much of a company’s existing infrastructure and is the least cumbersome for employees. The typical solution is an employee’s badge plus a password. The employee presents his card to a reader connected to the computer and types in a personal identification number (PIN).

The system will read the unique identifiers of both the card and the PIN. Stronger systems will encode this information in ways that make it very difficult to fool. The data will also be encrypted using SSL protocols before any data are transmitted, to prevent capture and replay.

The PIN can be fairly short to make it less burdensome for the user to type and remember.

Smartcards actually allow the match to occur within the card, so the user’s known information is never stored in some offsite data center or server.

Magnetic stripe ATM, credit, and debit cards face frequent and common attacks. Thieves place a second card reader called a skimmer inside the point of sale terminal and a small camera pointed at the keypad. When a card is swiped, the skimmer copies data from the card while the camera records the PIN entry. Then, the thief clones the magnetic stripe onto a blank card, which he can use or sell along with the PIN.

To prevent these attacks, the industry has moved to smartcards that are more difficult to clone. You have probably already received your new credit card with a shiny gold chip on it. I’ll write a separate article about how banking regulators really messed this up.

Something you have + Something you are:

This is similar to the Have + Know authentication, but instead of typing a PIN, you use your fingerprint, face, voice or any other biometric. The user simply presents his card, then puts his finger on a scanner, looks into a camera, or speaks into a microphone.

With a smartcard, the biometric template can be stored on the card itself, not in some remote data center that hackers can target. Having a match-on-card solution ties the user to a specific card.

Something you are + Something you know:

With this solution, a user presents his fingerprint, then types the PIN. Everything resides within the individual. There is no need to carry anything extra.

Extra devices can be lost, stolen, or forgotten. When employees come to work without their device, IT would have to offer them a recovery system that lets them work while they are not in possession of their credentials, or enforce a policy that they must return home and get their card or dongle. That is not a problem with this solution.

Wrapping up 2FA

As you can see, every environment has different circumstances creating different requirements to optimize MFA. There is no one-size-fits-all solution. Recognizing those different situations means you can save money by deploying only what’s necessary for each environment, instead of trying to make a single solution that works for everyone.

Three-Factor Authentication (3FA)

As the name implies, 3FA occurs when the Have, Know, and Are factors are all combined to produce the ultimate assurance of authentication. The odds of a hacker having all three factors at once are significantly more remote than requiring just two. With this higher security comes a greater cost, so before you implement 3FA, it is a good idea to first perform a risk and threat evaluation to ascertain the value of the data you are trying to protect.

Layers of Assurances

Layering multi-factor authentication also increases security. These layers of assurance look like this: The first layer consists of the user applying one set of multi-factor authentication, a card (Something you have) + a PIN (Something you know), which authenticates to the computer that the card is paired with the right user. The next layer happens between the card and the computer, as the card authenticates itself to the computer’s operating system with different information that the user does not even know, like the smartchip’s unique ID (Something the card is) and a symmetric key (Something the card knows).
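The two layers above, and the match-on-card idea from the 2FA sections, as an added simulation that is not code from the article or from any real card product: the PIN is checked inside the card object with a retry counter (the host never sees it), and only an unlocked card can answer the host’s fresh HMAC challenge with its pre-shared symmetric key. Class names, key values and the card_id + challenge message layout are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed simulation: names, key values and message layout are assumptions,
# not any real smartcard standard.
class SimulatedCard:
    MAX_TRIES = 3  # assumed retry counter, as on-card PIN checks usually have
    def __init__(self, card_id: bytes, pin: str, shared_key: bytes):
        self.card_id = card_id
        self._pin_hash = hashlib.sha256(pin.encode()).digest()  # stays on the card
        self._key = shared_key                                  # never exported
        self.tries_left = self.MAX_TRIES
        self.unlocked = False
    def verify_pin(self, pin: str) -> bool:
        """Layer 1 (user to card): match-on-card, no server ever sees the PIN."""
        if self.tries_left == 0:
            return False  # blocked after too many wrong PINs
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.tries_left = self.MAX_TRIES
            self.unlocked = True
            return True
        self.tries_left -= 1
        return False
    def respond(self, challenge: bytes) -> Optional[bytes]:
        """Layer 2 (card to host): answer a challenge only once layer 1 passed."""
        if not self.unlocked:
            return None
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()

class Host:
    def __init__(self, enrolled: Dict[bytes, bytes]):
        self.enrolled = enrolled  # card_id -> shared symmetric key, set at enrollment
    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce: a captured response cannot be replayed
    def verify(self, card_id: bytes, challenge: bytes, response: Optional[bytes]) -> bool:
        key = self.enrolled.get(card_id)
        if key is None or response is None:
            return False
        expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)
    def authenticate(self, card: SimulatedCard, pin: str) -> bool:
        # Both layers in order: PIN on the card, then card-to-host challenge-response.
        if not card.verify_pin(pin):
            return False
        challenge = self.new_challenge()
        return self.verify(card.card_id, challenge, card.respond(challenge))
```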

Wrap up

It is possible for you to create a password authentication infrastructure (PAI) with seven levels of assurance, without breaking the bank. When it comes to building the chain of trust, every single node and device should go through a separate layer of multi-factor authentication. I will discuss the PAI solution in a future article.

Network security must begin with authentication so you can know who is trying to get past your firewall. The more obstacles you can put up, the better. If you need more convincing, check out my next article for a comprehensive review of exactly how hackers go after your personal information, your company’s proprietary information, your financials, and everything else you are storing on your servers!

Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion led him to create innovative solutions that protect businesses from cyberattacks, free individual computer users from cumbersome security policies and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premier product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).
