We can think of Multi-factor Authentication (MFA) as one or more additional steps required when authenticating against a system, after entering the first factor (e.g., after entering the username and password), and before being granted access to the system.
Take online accounts: imagine your credentials were somehow compromised, that is, someone managed to discover them. If you do not have MFA enabled, the attacker can access your account without any difficulty. With MFA active, however, after entering the username and password combination the attacker is confronted with a second authentication step that uses a different factor.
The goal is for only the user, the true account holder, to have access to the additional factor(s) required to access the system in question. That way, in a situation like this, the account stays protected, because bypassing these other factors is much harder for the attacker. Harder, however, does not mean impossible.
Authentication factors
There are three primary authentication factors. They are:
- Something you know, which can be a password, a passphrase, a PIN, the answer to security questions, etc.
- Something you have, which refers to physical devices in the user’s possession that can help with authentication, such as a mobile phone, a smart card, a hardware token, a memory card, a USB drive, etc.
- Something you are, which refers to physical characteristics of a person, such as fingerprints, facial features, retina patterns, iris patterns, hand geometry, etc.
In addition to the three primary factors, attributes such as the following can be added:
- Where you are, based on a device, geographic location, a phone number, etc.
- Contextual authentication, where, for example, you can set working hours, not allowing access to the account outside of those hours. It can also include location and device type.
- Something you do, which can refer, for example, to gestures used on mobile devices to unlock them by connecting points (pattern), or image passwords, supported by Windows 10, where the user moves their fingers on the screen over an image.
Something you know
This factor is also known as knowledge-based authentication or type 1 authentication factor.
It means that the user provides something they know to authenticate themselves to a system.
In the case of passwords, they can be simple or complex, where:
- People tend, wrongly, to use simple passwords, often related to personal information, because they are easier to remember. When this happens, the passwords are easy to guess.
- When using complex passwords, people often end up writing them down somewhere, whether on post-it notes stuck to the monitor, in a notebook, or even in a text file on their computer’s desktop. In these cases, the password becomes visible to others, or even if it is not in plain sight, it can be found relatively easily.
The solution to these problems lies in Password Managers, which organize your credentials, store them securely, and, best of all, you only need to remember one password—the master password, which is used to log in to the Password Manager. This master password should be long (at least 14 characters) and, to make it easier, you can create a passphrase.
Passphrases are passwords based on phrases, making them easier to remember, and they address the complexity issue, especially when mixed with uppercase and lowercase letters, numbers, and special characters.
Regarding security questions, their security also increases if the user supplies complex strings instead of the real answers. The true answers are often obvious to anyone who knows the user even slightly (and, with everything shared on social media these days, finding them can be relatively easy), which makes them easy to compromise.
Something you have
This factor is also known as possession-based authentication or type 2 authentication factor.
Perhaps the most common method is One-Time Passwords (OTP), which, as the name suggests, are codes that can only be used once and expire if not used within a certain period of time. They can be generated via:
- Software (soft tokens), such as the popular Authenticator apps like Google Authenticator, Microsoft Authenticator, Cisco DUO, etc.
- Hardware (hard tokens), which are dedicated hardware devices, such as the RSA SecurID.
In addition to the type of device where they are generated, OTPs can be:
- Synchronous OTP, which is the most common and least complex. It can be time-based or counter-based. Time-based OTPs are generated every 30 or 60 seconds, while counter-based OTPs increment a number with each use.
- Asynchronous OTP, which, although less common and more complex, provides a more robust layer of security.

Smart cards, on the other hand, are so named because they contain an embedded integrated circuit that can perform calculations and generate unique authentication data for each transaction. They can be:
- Contact Smart Cards, where the chip on the card needs to make contact with the reader to receive power and allow the transaction to be completed.
- Contactless Smart Cards, where the reader sends signals that are strong enough to power the chips and communicate with them, allowing the card to perform the necessary calculations and respond to the reader.
Memory cards contain a type of memory that is embedded in a magnetic strip, usually on the back of the card, from which the same data is read during each transaction.
Something you are
Also known as biometric authentication or type 3 authentication factor.
It is divided into:
- Physiological characteristics, which can include fingerprints, hand geometry, facial features, eye characteristics (such as iris and retina), etc.
- Behavioral characteristics, which can include how a person writes, walks, speaks, presses the keys on a keyboard, etc.

Where you are
Location can be obtained based on the IP address or through geolocation.
This type of system can block access from users who are not in the location they usually connect from, that is, it is based on where you are not. In fact, a basic rule is that a user should not be able to log in to their account from outside the workplace, or, if they wish to do so, they must request permission. Although this control can be easily bypassed using a VPN, it still serves as a protection that makes sense.
Single-Factor Authentication and Two-Factor Authentication
There is some confusion regarding what is considered the use of authentication factors.
For example, if a system uses more than one type of authentication, but all are from the same factor, it is not Multi-Factor Authentication, but rather Single-Factor Authentication. Examples where, despite using different types of authentication, Multi-Factor Authentication does not occur:
- The use of username/password and the answer to security questions – both mechanisms belong to the something you know factor.
- The use of a token generated by Google Authenticator and another generated by RSA SecurID – both mechanisms belong to the something you have factor.
- The use of a fingerprint reader and a retina reader – both mechanisms belong to the something you are factor.
The combination of two factors, such as something you know and something you have, can be called Two-Factor Authentication.
The difference between Two-Factor Authentication and Multi-Factor Authentication is that the former refers to the use of two factors, while the latter refers to the use of two or more factors.
It is important to note that using different types of authentication from the same factor typically does not add security, as the same type of attack can compromise them. In other words, using a password and a PIN does not guarantee that you are more secure than if you only used a password, as the same attacks that can be performed to discover the password can also discover the PIN. In contrast, when using different factors, such as a password and an OTP from a hard token, it would be necessary to both discover the password and physically steal the hard token in order to successfully access the account.
Weak and Strong Multi-Factor Authentication
Although Multi-Factor Authentication (MFA) is a recommended configuration, it does not guarantee by itself that your accounts are secure. For example, SMS-based Multi-Factor Authentication is considered weak due to an attack known as SIM Swap, in which criminals gain control of the victim’s phone number, thus gaining access to the code sent to it, enabling them to log into the victim’s accounts.
However, even when using strong authentication factors, there are some considerations to keep in mind:
- When using an Authenticator that sends notifications for the user to approve access, if the user is distracted or unaware of what they are doing, they may accidentally approve access for a third party without realizing what is actually happening.
- When using an Authenticator that sends notifications, generates codes, or asks for a code provided on the website, although these methods are considered secure, the user can be deceived if they access a fake website that closely resembles the real one. In such cases, the data the user enters—such as their username and password—will be sent to the real site, followed by the OTP, allowing the attacker to gain unauthorized access.
To address this, you could consider using passkeys or even security keys (physical security keys), as these devices must be physically connected to the device from which the login is being made, or brought near (via NFC), in order for access to be granted. This adds an additional layer of security by ensuring that the attacker cannot gain access without having the physical key or device.
Does the second authentication factor always have to be requested?
No, not always. For example, some services only ask for it the first time you use a particular device. After that, the device is authorized to access your account and recognized as trusted, and the device itself functions as a factor. The second factor is only requested again when you access the account from a device the service does not recognize.
There are also services that allow you to store the data for a certain period of time, not requesting the second authentication factor until that period expires.
What if I lose the MFA method?
You should always keep in mind alternatives to the MFA method you set up. For example, some services provide backup codes that can be used in case you lose access to the configured method. Make sure to note those codes down carefully. If you are using a security key as an authentication factor, like a YubiKey, it is good practice to have a second security key in case you lose the first one. You might even consider storing the second key in a different physical location from the first.
A word about FIDO2
I can’t finish this article without mentioning Fast IDentity Online 2 (FIDO2), if only briefly. FIDO2 is an open protocol for user authentication that uses passkeys: credentials created through public key cryptography, in which a key pair consisting of a private key and a public key is generated. The private key is securely stored on the user’s device, and the public key is encrypted and sent to the service’s server.
The key pair is used to authenticate the user directly on their own device, whether that is a computer, a tablet, a mobile phone or a security key. Whenever the user logs in, the service presents a unique challenge to the client. The device is activated by a touch, a fingerprint or face scan, or by entering a PIN, which allows the request to be signed and returned. This makes the process cryptographically protected against phishing.
Because a different set of keys is generated for each web application or website, passkeys also have the advantage of increasing user privacy, since they make it harder to link accounts across services.
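The challenge-response just described, as an added Go model that is not code from the article or from any FIDO2 implementation: an Authenticator holding one key pair per website, a RelyingParty that issues challenges and verifies signatures, and, in the accompanying checks, the phishing-relay and replay cases from the earlier section on weak and strong MFA. It assumes Ed25519 as the credential algorithm and signs a hash of origin plus challenge as a stand-in for WebAuthn's real signed data; all type and function names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device: one private key per website, keyed by
// origin. User presence (touch, fingerprint, face, PIN) is assumed, not modelled.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a fresh key pair for one website and hands back only the
// public key for the website to store; the private key never leaves the device.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	a.keys[origin] = priv
	return pub
}
// signedData is what gets signed: the origin the browser is on plus the server's
// challenge (a simplification of WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
// Binding the origin into the signature is what defeats phishing relays.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert answers a challenge for the origin the browser reports. A look-alike
// domain has no credential, so there is nothing to sign and ok is false.
func (a *Authenticator) Assert(origin string, challenge []byte) (sig []byte, ok bool) {
	priv, found := a.keys[origin]
	if !found { return nil, false }
	return ed25519.Sign(priv, signedData(origin, challenge)), true
}

// RelyingParty models the website: a fresh random challenge per login, verified
// against the public key stored at registration and the website's own origin.
type RelyingParty struct{ origin string; pub ed25519.PublicKey }
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(rp.pub, signedData(rp.origin, challenge), sig)
}
```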
FIDO2 also implements the concept of passwordless login, meaning that no passwords are used to log in. This makes access not only more convenient but also more secure, since the vulnerabilities associated with passwords are well known.
The first version, which introduced phishing-resistant Multi-Factor Authentication, was released in 2014, and the second, released in 2018, defined the standard for passwordless authentication.
Conclusion
In conclusion, and despite all the information in this article, the main thing to remember is the importance of enabling Multi-Factor Authentication on every account that supports it; this can usually be done in the account settings.
Not all services use strong MFA, but even so, having MFA enabled, even a weak form of it, is better than having none.
Audit your accounts now and enable MFA on those where you have not yet done so. It is true that this will take some time, but in the end you will feel more at ease about their security and the information they contain.
Thinking that it only happens to others is not a good security strategy. Also keep in mind that there are several ways to obtain credentials, whether through attacks carried out against the user directly or against the service where the credentials are stored. And we do not always know how services store this data of ours; there are numerous leaks proving that some services still do not follow best practices for storing their users’ credentials!