Multi Factor Authentication – why is this something that is so commonly misunderstood?

“The single biggest problem in communication is the illusion that it has taken place.” said George Bernard Shaw. This can be true in so many aspects of life and unfortunately, it is all too often reflected within the world of Information Security. It is common for many of us to think we have got to grips with a solution to a problem, only to realise half way through that the problem is not quite as we envisaged.

Take the case of “Multi Factor Authentication” (MFA), meaning the use of multiple methods of authenticating ourselves to one another, or to a computer system or application. We had all become used to the phrase “Two Factor Authentication”, meaning that we need two different credentials to provide this authentication. Seem simple enough to extend this out to “Multiple” means of authentication right?

Well – as it turns out, this is still an area that causes confusion, even before we changed the wording to make things even more vague! So, what is the problem? Let’s go back to the start.

We all use MFA without giving it much thought on a regular basis. Whenever we go shopping or take money out from an ATM, we are using MFA. In short, in any Chip and Pin transaction there must be multiple authentication methods, and these usually fall into the following categories:

  • Something you know (such as a password or PIN)
  • Something you have on your person (such as a Bank card or a USB stick generating a Token)
  • Something you inherently are (such as a biometric like fingerprint or retinal scan)

When accessing a system that requires you to authenticate yourself in more than one way we present two or more of these values to the authentication system. So why is there still confusion?

Well – it is easy enough to get this mixed up. Take the following scenario into consideration; “I log onto a system with my username and password, and then I access a database application with a separate user name and password. That is Multi Factor isn’t it?” – NOPE!……this is single factor being used multiple times, and is often the cause for much confusion.

In order for Multi Factor authentication to be truly implemented, at least two of the above means of authenticating yourself must be presented as part of the same log on procedure. So I present my User name and Password to my access application, which then also requests my fingerprint. This is two factor authentication. MFA is any access method that requires 2 or more authentication factors.

In the case of the trip to the shops, when I purchase something I present my payment card (something I have) and then I must enter my PIN, (something I know). 2 Factor Authentication. Apple Pay brings in another element in that it uses biometrics as the second factor, which is another step up the security ladder.

This is something that will affect us all in our daily lives as security tightens up to reduce identity theft and online fraud. How many of us have been given a PIN reader for use with our online banking accounts? This is generating a ‘second factor’ token for you to use alongside your password.

The PCI DSS version 3.2 now requires the use of Multi Factor Authentication for administrators accessing Payment Card systems from within the local network. MFA was previously reserved for remote access but the additional security that MFA brings is such that it is a useful tool, even from within trusted systems.

So, MFA is here to stay and when it is implemented well it should be easy and intuitive to use. There are lots of solutions out there, so finding one that suits your needs should no longer be a barrier to increased security.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

Posted 1 year ago on · Permalink