What You Need to Know about Two-factor, Multi-factor, and Strong Authentication

by Daniel Waldman, on Wed 06 November 2019

In today’s digital world, it’s a given that anything important is password protected: bank accounts, Facebook accounts, even smart phones are (hopefully) PIN-protected. These are all put in place to help users protect sensitive information from prying eyes. When an account gets hacked, it could be someone just trying to watch Netflix for free, or it could be far more serious crimes like identity theft and fraudulent purchases.

For businesses the consequences of a data breach can be outright disastrous—even catastrophic. According to a study by IBM and the Ponemon Institute, corporate data breaches cost approximately $3.86 million per breach. And, according to a separate report, there were approximately 945 data breaches in 2018. In other words, data breaches cost companies approximately $3.5 billion. In fact, approximately 81 percent of all hacking-related data breaches use stolen or lost credentials.

So how can a business avoid such dangerous and costly breaches? One essential method is ensuring that software systems containing sensitive business and customer information are secured with multi-factor authentication. There is a lot of confusion over what that means, though, and what is the difference between two-factor authentication (2FA), multi-factor authentication (MFA), and strong authentication. Let’s take a closer look at these terms to understand how a business needs to best protect its most sensitive assets.

Two-Factor Vs. Multi-Factor vs. Strong Authentication.

Before we get to definitions and comparisons, it’s important to understand that there are three main types of authentication factors:

  • Knowledge (something you know);
  • Possession (something you have);
  • Inherence (something you are).

Thus, two-factor authentication uses two of the above factors, where multi-factor uses two or more (more on strong authentication below).

That said, we see a lot of misunderstanding about what actually constitutes two-factor authentication. In order to be truly 2FA, the credentialing system must use only different factors. Producing a password, a PIN, and answering security questions to log into an account is still a single-factor (knowledge).

2FA or MFA is only achieved using two or more authentication types during user sign-in. For example, using a combination of a password (knowledge), a smart card (possession), and the user’s fingerprint (inherence) to log in would be an example of using all three factors. Apart from these three main types, other authentication factors may be taken into account, e.g., geolocation, browser and device type, etc.

Why use multi-factor authentication? Obviously, businesses want to make it more difficult for a malicious person (hacker) to get access to important accounts, resources, etc. In the industry, this is called strong authentication.

What Is Strong Authentication?

Many authoritative sources on cybersecurity define strong authentication as any kind of multi-factor authentication. For example, see European Central Bank requirements described in PSD2 specification. There is also the National Institute of Security and Technology (NIST) definition:

Strong authentication is a method used to secure computer systems and/or networks by verifying a user’s identity by requiring two-factors in order to authenticate (something you know, something you are, or something you have).

Can the strength be measured? Are there any commonly accepted algorithms or a measurements that enable us to determine if one method is twice as strong as another? Surprisingly, not. But we can very roughly estimate the strength of particular password or cryptographic key.

NIST outlines a better approach in its Publication 800-63, distinguishing three “authentication assurance levels”:

  • AAL1 is any single factor authentication: no matter it is a password or cryptographic hardware device;
  • AAL2 is any multi-factor authentication with both “knowledge” and “possession” factor. Possession factor should use a cryptographic technique and is allowed to be a “software” solution, e.g. a smartphone app;
  • AAL3 is also multi-factor, but now only cryptographic hardware authenticators are allowed as a possession proof.

Apart from number of factor types, NIST distinguishes between software or hardware authenticators as well as cryptographic and non-cryptographic protocols.

Due to its flexibility and a choice of authenticator form-factors WWPass technology fits all three AALs. When used without a PIN, the WWPass authentication corresponds to AAL1; used with a smartphone and a PIN is AAL2; using a WWPass smart card or token with PIN is at AAL3, the highest level of security.

Now, even if a company uses 2FA or MFA, there are still a major vulnerability: The Password.

The Problems with Passwords

Almost every traditional security system starts with a username/password credential. And there are almost always password requirements that determine its strength:

  • More than eight characters using small and capital letters,
  • Use of numbers
  • Use of special symbols
  • Sometimes users are forced to change the password regularly.

Why add special symbols? Is the choice among 36 different letters and digits not enough? Why change the password every two months, not four? All of these different factors lead us to believe a password is strong, but how strong are they really? The truth is that it’s wrong to assume that a password is secure, even when it meets all these different criteria.

Passwords are intrinsically weak and can hardly be used in reliable single-factor authentication, and only slightly more in 2FA or MFA. Their advantage is rather in user experience and ease of implementation. For some users, it may be possible to remember one or two good passwords or PINs. But let’s face it: the human brain is not built to remember hundreds of randomly-generated passwords.

Most businesses have several dozens of passwords to secure systems or resources that simply cannot be memorized. They are often written on stickers or in spreadsheets, or even contained in a single password manager that itself does not have a secure password. This means that passwords become a possession factor, too, as opposed to a knowledge factor. Consequently, passwords stored like this used in conjunction with another possession factor (say like an access code transmitted to a smartphone) are no longer two-factor authentication. Indeed, only two or more different types of authentication factors are counted for authentication to be multi-factor.

The good news is that NIST’s Publication 800-63B describes more realistic limitations; for example, it states that 8-characters is enough. What’s more, if the password is automatically produced by a true random number generator, six characters are acceptable. Also, those six characters should only be digits (i.e., no need to have more than 20-bit entropy). Finally, if the password is not compromised, there is no need to change it.

So why does NIST suggest such a relaxed requirement? Probably because password-only authentication cannot be “strong” by definition. Which leads to the conclusion that any sensitive application should use multi-factor authentication in order to be truly secure.

Multi-Factor Authentication vs Right-Factor Authentication

Traditional multi-factor authentication starts with a username and password (‘something you know’), both of which create security risks and inconvenience for the end user and also for the service provider, and then adds something else on top of it (SMS, OTP, push, etc). These additional factors are often also inconvenient, and in some cases are not secure either.

To combine security and convenience, the authentication process should focus not so much on the number of authentication and verification factors but rather on their order. This is where Right-Factor Authentication (RFA) comes into play. If you start the login process with “something you have” (smart card, security token, mobile app, etc) you immediately eliminate such attack vectors as phishing, brute force, credential theft or man-in-the-midde as you cannot steal or compromise something, which does not exist. ‘Something you know’ (PIN) or ‘something you are’ (biometrics) can be used as additional verification factors. Right-Factor Authentication offers one more benefit. The same authenticator can be used to provide client-side encryption capability in addition to multi-factor authentication. Ready to see what WWPass right-factor authentication and encryption technology can do for your company? Request a free demo with our experts.

A Password Manager with Multi-factor authentication to the Rescue!

In today’s world still domineered by usernames and passwords, password managers drastically reduce the amount of memorization a single person needs in order to access secured systems. Given that truly strong passwords are not memorable and that businesses need to deploy multiple systems and resources, each requiring a secure password, it’s clear that businesses require a password manager.

But what good is a vault of sensitive and valuable information if itself is not secure? Password managers must be trusted and properly protected in two aspects: security and availability.

In regards to security, it would seem like a no-brainer that a business password manager needs to be protected against security attacks. While a really strong, unguessable password is important, multi-factor authentication is the best fit for a password manager in order to properly secure it. It’s even better if that password manager is protected with MFA, and a password isn’t even one of the criteria!

In regards to availability, the password manager needs to be accessible on multiple devices and under many different conditions. Password managers with local storage are vulnerable. What happens if the computer hosting the password manager experiences technical issues, such as an accidentally (or purposefully) wiped hard drive? What happens if there’s a power outage and the computer can’t be turned on? Sure you could mirror a database directory in a cloud storage application like Dropbox or Google Drive. But those themselves are not fully secure and immune to insider attcks.

The truth is that most businesses require higher levels of security when it comes to guarding access to their most sensitive data and passwords. If you’re ready to upgrade to industrial-strength password management system with multi-factor authentication and client-side encryption, try PassHub for Business FREE for 30 days.