Everything you need to know about securing your applications with multi-factor authentication (MFA)

When it comes to cyber security, it’s often said that humans are the weakest link.

After all, the one common denominator found in many cyber-attacks is human error. Any individual can make a simple error, such as clicking a malicious link or opening an unknown attachment. This one act can open the way for cyber-criminals to circumvent your defences and steal your confidential data.

However, another common denominator found in many cyber-attacks is password compromise.

Anyone familiar with the dark web will know that compromised passwords are readily available for purchase. Sophisticated attackers routinely bombard web applications with lists of compromised login and password credentials in an attempt to gain entry. Known as credential stuffing, this technique is particularly effective if people re-use the same login and password across multiple applications.

Another widely used technique, known as a brute force attack, sees hackers trying random character combinations together with common passwords to gain unauthorised access to applications. When people use obvious passwords, such as “password123”, they are particularly vulnerable to a brute force attack.

What all these attack techniques have in common is that they take advantage of weak password practices. Whilst most of us know that we should be selecting complex passwords, comprising a combination of upper-case letters, lower-case letters, numbers and other characters, all too often we opt for simpler passwords that are easier to remember. And, let’s be honest, most of us are guilty of re-using the same password across multiple applications.

That’s why many applications now require more than a simple password before authenticating a user. Known as Multi-Factor Authentication, or MFA, it requires a user to validate their identity using two or more methods, making it much harder for cyber-criminals to gain unauthorised access to applications.

What is Multi-Factor Authentication?

The Australian Cyber Security Centre (ACSC) defines MFA as:

'A method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier'.

Put simply, when logging into any application, at a minimum a user needs to prove their identity with a password and AT LEAST one additional verification method. If only one other form of verification is needed, it is known as Two-Factor Authentication (2FA).

For example:

  • Password + one other form of verification = 2FA
  • Password + two or more other forms of verification = MFA

According to the ACSC, it is best to make use of different types of verification, including:

  • Something the user knows (e.g. password or PIN)
  • Something the user physically possesses (e.g. a physical token or smartcard)
  • Something the user inherently possesses (e.g. a fingerprint or iris scan).

What are the different types of Multi-Factor Authentication?

When it comes to implementing Multi-Factor Authentication, there are a range of technologies you can opt for that supplement the use of a password:

U2F Security Tokens and Smartcards

Universal Second Factor, or U2F, requires a user to authenticate using a physical item, such as a token or smartcard.

It ensures that a person logging into an application is also in possession of a physical item, helping keep attackers with compromised passwords out.

Common U2F security keys include:

  • Tokens: When authenticating, the user needs to either press a button on the token or insert the token into the computer (e.g. via a USB port). Once the token has been activated in this way, the user is able to log in to the system.

  • Smartcards: When authenticating, the user typically needs to log in to an application linked to the smartcard first, which then enables the user to log in to the primary system they wish to access.

It is essential that tokens and smartcards are not stored with the computer. So, for example, if an attacker steals a laptop, they will not be able to log in to applications that have U2F enabled.

Physical tokens introduce friction to the user experience. Users will need to have their tokens with them every time they need to access their digital services. Added to that, it is close to impossible for users to access their own accounts if they lose their security key.

Physical One-Time PIN Tokens

This authentication method makes use of a physical token that displays a one-time PIN on a screen. The PIN displayed on the token usually changes every 60 seconds and can only be used to login to a system once.

The clocks on the physical token and the authentication service are synchronised, allowing the service to know which one-time PIN should be valid at any given moment.

It guarantees that the person logging into the application is also in possession of the physical token, helping ensure that attackers with compromised passwords are not able to log in.

Like U2F security keys, this type of MFA introduces friction, and it is essential that one-time PIN tokens are not stored with the computer that’s used to access the application. They should be stored separately, so, should an attacker steal a laptop, they will not also have access to the token.

Mobile One-Time PIN Apps (Authenticator Apps)

This allows a user to gain access to a web application using a one-time PIN issued by a mobile authentication application installed on their smartphone or tablet.

The user first needs to download the mobile application to their smartphone/tablet and link it to the web application they want to access by scanning a QR code.

This is not a straightforward and seamless experience. Each time the user needs to log in to the web application, they will need to select the correct authentication app, open it, obtain the unique one-time PIN, and use it to authenticate their identity on the web application. This is not to mention the challenges of migrating authentication app data when you change your device.

From a security perspective, whilst this method does offer significant security benefits, it should be noted that if the mobile device has been compromised or stolen, the passcodes generated by the mobile application may be accessible by attackers.


SMS, Email or Voice Messages

One of the most common authentication methods is the one-time password.

Many applications now require a user to provide a mobile number or email address. Each time the user subsequently logs into the application, they will be sent a unique one-time password via SMS, email or delivered as a voice message.

This password is then used to login to the application.

This form of authentication poses the problem that a stolen or lost mobile phone, or one that has been compromised through SIM-swapping, may allow hackers to access the one-time passwords.

SMS-based one-time codes are phishable via open-source, readily available phishing tools like Modlishka, CredSniper, or Evilginx.

Software Certificates

Whilst most MFA methods focus on authenticating the user, another path is to authenticate the device.

Many applications that are installed on devices store software certificates in the device’s registry.

When a user seeks to login to an application, the application verifies that the login is occurring from the same device on which the software certificates are stored. This helps ensure that the person logging in is doing so from the correct device.

The challenge with this approach is that it won’t block a cyber-attacker who is seeking to access an application on a stolen laptop that has the software certificates stored in its registry.

Software certificate-based MFA focuses on authenticating the device.

Haventec Silent MFA

A seamless and non-disruptive MFA approach is Silent MFA, powered by Haventec Authenticate.

With Haventec’s Silent MFA approach, customers do not need to install authentication apps, switch devices or apps for another authentication factor, or worry about physical tokens and smartcards. Multi-Factor Authentication becomes a single-step experience offering unprecedented convenience and peace of mind.

With Silent MFA, customers are seamlessly onboarded. All they need to do is log in with their username and password. Haventec then transparently enrols and activates the user’s device. The username/password combination, together with the device signature, is then used to create a private key that is matched against a public key for successful authentication. The combination of these two sets of keys, public and private, is renewed and re-encrypted every time a user needs to authenticate.

From the user’s perspective, all they do is login with their username and password and MFA takes place silently in the background, without any disruption.


Common Challenges Implementing Multi-Factor Authentication

Whilst implementing MFA on all applications is highly recommended by all cyber security professionals, it remains optional in many consumer applications due to the substantial effort required to educate and onboard users. Many users will require significant support to set up MFA, as it adds layers of friction to the authentication experience.

Regular and consistent communication strategies need to be implemented to ensure application users are aware of the importance of MFA, how it can benefit them, and how they can activate and use it.

After all, setting up and using MFA can often be time-consuming. It may require the use of tokens, which can be easily misplaced, or authentication apps that need time and effort to set up and migrate when users upgrade their devices. Constantly having to switch devices for MFA can also be inconvenient, especially as customers may not have the second authentication device with them at all times, or may misplace it.

Furthermore, MFA introduces friction and bias into the authentication experience and may raise legitimate accessibility concerns among certain demographics who may not have access to a second authentication device.

How can Haventec help with seamless and secure MFA?

As cyber-attacks become more sophisticated, and demand for seamless user experiences grows, application developers and technology leaders must evaluate whether a traditional MFA approach is going to meet expectations in the modern digital era. 

With its seamless user experience and easy integration into existing IAM infrastructure, Haventec Silent MFA is the solution you need. Silent MFA enables you to make an effortless and customer-centric shift to effective Multi-Factor Authentication with a consistent and secure access experience every time. 

To learn more, book a free consultation today with one of our security engineers.