That most data breaches involve human error is not contentious in the cybersecurity industry. Stolen credentials are involved in 61% of data breaches, and they increase the cost of a breach by 23%.
Many of these breaches can be prevented by enabling multi-factor authentication (MFA) on all sensitive accounts, a basic but effective control. Basic also means it is widely accessible to organisations with a limited security posture and budget.
Below we will explore the different types of factors you can use in MFA and which ones are generally considered stronger. See our previous article for a more detailed overview of what MFA is and why your organisation should consider implementing it.
Categories of MFA Factors
The most common factors used in MFA are:
- Knowledge (i.e., something you know – a password)
- Possession (i.e., something you have – a physical key)
- Inherence (i.e., something you are – a fingerprint)
As these are the most common, we will focus on specific factors within these categories. Additional factors do exist, however, such as location (i.e., somewhere you are) and behaviour (i.e., something you do).
Although these are less common, they are still useful. For instance, you could geo-lock an account so that it cannot be accessed from outside Australia even with stolen credentials, or block access at times when that user would not normally be online. Treat them as risk signals rather than as factors in their own right: IP geolocation is coarse, and a VPN exit in the right country or a compromised device already inside it passes the check. They work best as triggers for step-up authentication or alerting, not as a replacement for a possession factor.
Knowledge factors are the least secure
Every employee manages multiple devices and accounts in everyday work. How many do you think memorise a complex, unique password for every account? Not many. To save themselves time and frustration, most employees reuse the same password everywhere, which means one phished or leaked password unlocks every account that shares it.
They know this is wrong, but convenience drives the behaviour. How do we mitigate this? Firstly, every employee should be using a password manager. Programs such as LastPass and Dashlane make unique, random passwords practical rather than a chore. Secondly, IT admins need to make additional authentication factors a minimum company requirement rather than an opt-in.
Possession factors are generally more secure
There are varying degrees of security among possession factors, but they are more secure than knowledge factors and are usually combined with them to verify your identity. Here are some examples, weakest first:
Email & SMS Verification Codes
These are the most common but least secure possession factors. Email is encrypted only between servers in transit, so anyone who can read the mailbox (a phished password, a malicious forwarding rule, a compromised mail server) can read the code; SMS crosses carrier networks unencrypted and can be intercepted there. Both are also trivially phished: a fake login page simply asks the victim for the code and forwards it to the real site.
Attackers may also launch a targeted SIM swap attack by impersonating you to a mobile carrier representative and obtaining a replacement SIM. Your number, and with it every SMS authentication code and SMS-based password reset, then arrives on the attacker's handset.
Time-based, One-Time Passwords (TOTPs)
Although similar to email and SMS verification codes, TOTPs are considered more secure. These codes are produced by applications such as Google Authenticator and Microsoft Authenticator from a secret shared with the service at enrolment (the QR code you scan).
This is more secure for two reasons. Firstly, the code is computed on the user's device from that shared secret and the current time, so no carrier, mail provider or other third party handles it. Secondly, each code expires after a short window (typically 30 seconds), so a code that leaks cannot be replayed later. The short window does not defeat real-time phishing, however: a proxy site that forwards the code to the genuine login within seconds still succeeds, because nothing ties a TOTP to the site the user typed it into.
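As an added example, not code from the original article or from the authenticator apps named above, here is the TOTP algorithm those apps implement (RFC 6238 on top of RFC 4226 HOTP) in Go, together with the server-side verifier. The secret used is the published RFC test key, a constructed input; the one-step skew window in Verify is an assumed policy choice. The two Verify calls in main show why the short window stops replay of a captured code but not a real-time phishing relay.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Defaults used by Google Authenticator and Microsoft Authenticator:
// HMAC-SHA1, a 30-second time step and six digits.
const (
	step      = 30
	digitsMod = 1000000
)

// DecodeSecret turns the Base32 secret from an otpauth:// enrolment QR code
// into the raw HMAC key. Spaces, lower case and "=" padding are tolerated.
func DecodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
// truncated to a 31-bit integer, then reduced to six decimal digits.
func hotp(secret []byte, counter uint64) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := uint32(sum[offset]&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	return int(code % digitsMod)
}

// TOTP is RFC 6238: the counter is the number of 30-second steps since the
// Unix epoch, so any device holding the secret with a correct clock produces
// the same code without contacting anyone.
func TOTP(secret []byte, unix int64) string {
	return fmt.Sprintf("%06d", hotp(secret, uint64(unix/step)))
}

// Verify is the server side. It accepts the code for the current step or one
// step either side (an assumed policy to absorb small clock skew) and compares
// in constant time.
func Verify(secret []byte, code string, unix int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		if hmac.Equal([]byte(TOTP(secret, unix+skew*step)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the 20-byte ASCII key from the RFC 6238 test vectors.
	// Never enrol a published secret.
	secret, err := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := TOTP(secret, now)
	fmt.Println("code now:                      ", code)
	// A code captured now is worthless five minutes later...
	fmt.Println("replayed 5 min later accepted: ", Verify(secret, code, now+300))
	// ...but a phishing proxy that forwards it within seconds gets in.
	fmt.Println("relayed 10 s later accepted:   ", Verify(secret, code, now+10))
}
```

Both the phone and the server compute the same six digits from nothing but the shared secret and the clock, which is why the factor survives a compromised carrier or mailbox. It is also why a code typed into a phishing page is accepted by the real site for as long as the window (plus the server's skew allowance) lasts; only the replay case is closed.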
Push Notifications
As the name suggests, the user approves a prompt pushed to their enrolled device rather than typing a code. Many people prefer this method because it is more seamless and quicker than a TOTP. Typically the app requires the device's fingerprint or face unlock before the approval is sent, which adds a check that the right person is holding the phone. The weakness is prompt fatigue: an attacker who already has the password can trigger prompts repeatedly until a distracted user taps approve, so prefer implementations with number matching, where the user must enter a number displayed on the login screen into the app.
Hardware Keys
Unless a user is careless with their possessions, hardware keys are considered a highly secure form of authentication. The user plugs the key into a USB port (some models also work over NFC) and touches it to approve a login; some keys can additionally generate TOTP codes. What sets FIDO2/WebAuthn keys apart is that the key signs a fresh challenge together with the site's origin, which the browser fills in and the page cannot alter, so a phishing page cannot obtain a response that works against the real site. Loss or theft is the main risk; mitigate it with the key's PIN and by enrolling a second key as a backup.
Some examples of common hardware keys: YubiKey 5, CryptoTrust OnlyKey and the Thetis FIDO key.
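To show why a FIDO2/WebAuthn key is phishing-resistant where codes are not, here is an added Go model of one sign-in, written for this article rather than taken from the page or from any of the products named above. The relying party example.com, its origins, the look-alike phishing host and the staging subdomain are all assumed for illustration; origin parsing and the authenticator data are simplified to the fields the check depends on, and the ES256 signature over authenticator data plus hashed client data follows the WebAuthn layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical relying party (RP) used throughout this example.
const rpID, rpOrigin = "example.com", "https://example.com"

// Assertion is what the browser hands back to the RP after a sign-in.
type Assertion struct {
	ClientDataJSON []byte // {"type","challenge","origin"}, written by the browser
	AuthData       []byte // rpIdHash(32) | flags(1) | signCount(4)
	Signature      []byte // ES256 over AuthData || SHA-256(ClientDataJSON)
}

// NewKey models enrolling one credential on a hardware key, scoped to rpID.
func NewKey() *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// NewChallenge is minted by the RP per login and remembered server-side.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedDigest is the ES256 input: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// BrowserGet models navigator.credentials.get(). The browser, not the page,
// records the origin and refuses the credential unless that host is the RP ID
// or a subdomain of it. The key signs without ever inspecting the origin.
func BrowserGet(priv *ecdsa.PrivateKey, pageOrigin string, challenge []byte) (*Assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://") // simplified origin parsing
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("browser: rpId %q not valid for origin %q", rpID, pageOrigin)
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get",
		"challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": pageOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; counter 0
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{cd, authData, sig}, nil
}

// Verify is the RP side; the signature covers the client data, so the origin
// and challenge checked here cannot be edited after signing.
func Verify(pub *ecdsa.PublicKey, challenge []byte, as *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd["challenge"] != base64.RawURLEncoding.EncodeToString(challenge):
		return fmt.Errorf("rp: challenge mismatch (replay or wrong session)")
	case cd["origin"] != rpOrigin:
		return fmt.Errorf("rp: origin %q not allowed", cd["origin"])
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]):
		return fmt.Errorf("rp: rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("rp: bad signature")
	}
	return nil
}

func main() {
	priv := NewKey()
	for _, o := range []string{rpOrigin, "https://staging.example.com", "https://example.com.evil-login.test"} {
		c := NewChallenge()
		as, err := BrowserGet(priv, o, c)
		if err == nil {
			err = Verify(&priv.PublicKey, c, as)
		}
		fmt.Printf("%-36s -> %v\n", o, err)
	}
}
```

Running it prints one line per origin. The real origin verifies. https://staging.example.com passes the browser's RP ID check but the RP rejects it because only https://example.com is allow-listed. https://example.com.evil-login.test never reaches the key at all, because the browser will not use an example.com credential for a host that is neither example.com nor one of its subdomains. A captured assertion fails on the challenge check when replayed, and because the signature covers the client data, an attacker cannot simply rewrite the origin field. Contrast this with a TOTP, which is the same six digits whichever site asks for it.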
Inherence factors are the most secure
Physical biometrics are unique to the person and difficult to imitate, which is why they give strong assurance that a particular human is present at the device. These include:
- Facial recognition
- Voice recognition
- Retina scans
- Fingerprints
Although it is possible to impersonate these factors, it requires sophisticated technology and access to the target's biometric data. Bear in mind, though, that a biometric is not a secret and cannot be changed if a template leaks, so in practice it is matched on the device (Touch ID, Face ID, Windows Hello) to unlock a device-bound credential rather than being sent to a remote service.
The cost-to-benefit ratio is rarely good enough for an attacker to pursue this route over cheaper alternatives such as phishing a code, but the more forms of authentication you combine the better.
Get in contact with Evisent today and learn more about MFA, what benefits it will have to your organisation’s security posture, and ways we can get started with a smooth implementation.