Why is multi-factor authentication (MFA) “multi-factor” anyways? A simple enough question, right? Well, it’s not as simple as it sounds.
Depending on where you look, you can see references to two-factor authentication, three-factor authentication, strong authentication, advanced authentication. Based on the name, it sounds like these are all just subcategories of multi-factor authentication. Unfortunately, that’s only half true, and that’s also where this question gets complicated.
Which types of authentication are always examples of multi-factor authentication?
Two and three factor authentication are always examples of multi-factor authentication. Multi-factor definition, by definition, is authentication using at least 2 of the 3 possible authentication factors. So yes, two-factor and three-factor authentication are both examples of multi-factor authentication.
What about “strong” and “advanced” authentication?
This is where it gets tricky. Both strong and advanced authentication in use can be considered multi-factor authentication; however, it depends on how the authentication is implemented. To understand what I mean we first need to define what multi-factor authentication is.
What is multi-factor authentication?
The term “authentication” refers to the ability to verify the identity of a person attempting to access a system (presumably someone who is authorized to access that system). The term “factor” then, necessarily refers to the different types of tests someone must successfully complete to identify themselves. For IT security, these factors often filter down into three broad categories:
Knowledge: Something you know.
This is the factor upon which password-only systems rely. To pass a knowledge factor based test, you must prove that you know a secret combination, like a password, PIN, or pattern.
Possession: Something you have.
To authenticate using this factor, you must prove you possess something that only you should have, like a key, or an ID card.
Inherence: Something you are.
Inherence means something that is inherently yours. That usually means a unique physical or behavioral characteristic, tested through some sort of biometric system.
Multi-factor authentication requires a system use at least two of these authentication factors to authenticate users. That’s why it’s “multi-factor” authentication.
Wait… so what was that about “strong” and “advanced” authentication?
Well, multi-factor authentication requires at least two factors be used. Both advanced and strong authentication can use two or three factors; however, the requirements do not require the use of “tests” from different categories. Strong authentication could be achieved by using a password and a security question, while advanced authentication could established with a password and a challenge question. This means that, while all multi-factor authentication solutions count as strong or advanced authentication, not all strong and advanced authentication solutions count as multi-factor authentication.
Why do businesses need multi-factor authentication?
Many groups feel that single-factor authentication is adequate for their needs, but let’s consider something first. You have a bank account, and tied to that bank account you likely have both a debit and a credit card. To access your money you already use multi-factor authentication. You have a debit/credit card (possession), and a pin code/ password (knowledge). Now, consider how much the damage a breach could cost your business. Does your business’ network deserve the same level of protection as your personal bank account, if not more?
Yes, yes it does.
Many industries already require multi-factor authentication! If you work in law enforcement in the United States, then you’re likely required to be CJIS compliant. CJIS compliance requires advanced authentication. If you work in retail, you’re likely PCI compliant. Again, PCI compliance requires multi-factor authentication. If you work in healthcare, then there’s HIPAA to consider. HIPAA is yet another regulation that requires multi-factor authentication. What this demonstrates is that, for IT security, MFA is becoming mainstream.
What’s my recommendation for a multi-factor authentication solution?
Well, no solution should be a one size fits all response. You should be able to customize and tailor any potential solution so that vital resources are protected, without inconveniencing users who don’t require multi-factor authentication. If you’re interested a solution designed from the ground up with security and usability in mind, then I’d recommend “AuthAnvil Two Factor Auth”.
AuthAnvil Two Factor Auth is a multifactor authentication server capable of adding identity assurance protection to the servers and desktops you need to interact with on a regular basis, and deep integration into many of the tools that you may use day to day. It also works with pretty much anything that supports RADIUS, so along with your Windows logon it can protect things like your VPNs, firewalls and Unix environments. Conveniently enough, it also integrates smoothly with Kaseya. That way you can accomplish even more from that single pane of glass.
For more information on multi-factor authentication: Click Here
For a look at how much AuthAnvil’s Kaseya integration can be used: Click Here
Author: Harrison Depner