The purely password-based log-in has had its day. At least it should have. Regardless of whether you want to protect a private or professional account, you should reach for multifactor authentication (MFA).
But what is MFA actually? In short, multifactor authentication is an authentication method that asks for the main factor (usually a password) and another factor to verify the user’s identity. Only those who can enter both pieces of the information correctly are granted access to the requested resource. For the second factor, a distinction is also made as to whether it is a factor that the person physically possesses (a hardware component) or something that the person brings with him or her (biometric data). After all, not all MFA is the same.
We show you what forms of authentication there are – and how they differ.
Password as the first factor
The most basic form of verifying one’s identity with online services or with local applications is the password. Usually, this is requested in combination with a user name or an e-mail address. However, as mentioned at the beginning, this form of authentication is susceptible to security incidents. If the combination of these simple access data falls into the hands of another person, this person can gain unhindered access to the account and even lock out the actual “owner” – for example by changing the password and/or the stored e-mail address. In the worst case, an attacker not only gains access to the account but can even take it over completely. Therefore, you should avoid authentication with passwords and usernames alone. Whenever a service offers another form of authentication, you should use it as well.
Security questions do not provide security
Security questions are not really a form of multifactor authentication. Nevertheless, most of us have certainly used them nicely more than once. Basically, these queries serve a similar purpose as multifactor authentication; they are used when a user has “locked out” of their mail account and now wants to reset the password. Or, to verify identity when changes are made to the account. This also served to prevent the case described above, where someone could simply take over the account.
Unfortunately, the answers are often almost easier to guess than the password itself. Your pet’s name? Can definitely be found on Facebook or Instagram! Your mother’s maiden name? Via Facebook or Instagram. Your favorite color? You guessed it – exactly, on Facebook or Instagram. Therefore, it is not very advisable to consider this method as a 2nd factor. If used at all, you can of course “trick” the system here and, for example, enter your mother’s maiden name at this point instead of the color. But be honest: Would you still know that after a year?
SMS or voice code as the most common second factor
A very common form of multifactor authentication is the so-called SMS or voice code. With this form of authentication, you store a mobile or landline phone number to which you are sent a code via SMS or voice message for authentication purposes. You then use this code to verify your identity with the application. The hurdles to using this MFA method are low: most of us carry our smartphones with us at all times, so authentication is possible at any time. Even entering a four- to six-digit code from the SMS is as easy as can be.
Although very common, this is a comparatively weak form of multifactor authentication. This is due to several things:
- The delivery of SMS is not error-free: delivery is not possible, for example, due to reception problems. Sometimes SMS can also be “lost” during sending. Or require a delivery longer than the time-out of the application allows.
- At the same time, SMS and phone calls are just as vulnerable to phishing and social engineering as passwords themselves. This concerns, for example, the possibility of having a replacement SIM card issued based on data obtained through manipulation.
- Further, SMS could be read along using a Trojan already installed on your smartphone.
- A smartphone can be stolen or lost; if a screen lock is not set up here, a third party could gain access to your codes.
Don’t get us wrong: this form of MFA is more secure than not having an MFA. An installed Trojan is the most likely scenario. But ultimately, your account data (password/username) would have to be stolen with your phone data or smartphone. At a time when a code is valid. Taken together, this is quite unlikely after all; or requires a lot of groundwork on the part of the hackers to get all the information about you, your passwords, and your devices bundled together.
Trusted device for easy verification
You can also use a device that cannot be duplicated for authentication. This “trusted device” can be, for example, a smartphone that is unique due to its composition of individual hardware and software components. In most cases, the lock code of the home screen, for example, is also used to query the identity to prevent misuse of the device. Using this form of authentication is also very simple. We carry our smartphones with us all the time, and we are used to entering our lock codes from everyday life. However, losing the hardware can result in you no longer being able to access your MFA-protected services and applications. Therefore, it is advisable to store an alternative authentication method.
Multi-weapon Authenticator Apps
Various manufacturers offer so-called Authenticator Apps. These are suitable for the popular iOS and Android versions and can be used on the vast majority of smartphones. To add a service or an application to the Authenticator, compatible services usually offer scanning via QR code. This is generated once for the user. After linking the Authenticator and the application, further authentication on a specific device using the 2nd factor can be excluded for a certain period of time. This significantly increases the user experience.
Basically, there are three possible applications for Authenticator apps:
- Push approvals.
These are a convenient way to confirm a login attempt to connected service. Users can confirm their own login attempt with one click – or reject suspicious events. Access is only granted after confirmation. For increased security, these push approvals are only valid for a set time.
- Creation of one-time codes.
At the same time, Authenticator apps create verification codes. Code generation is mostly based on the automated so-called OATH TOTP (Time-based One-Time Password) method; this uses a key known to you and the server, as well as the current time, to generate a new unique code every 30 seconds. Due to the short-lived nature of these codes, even a cracked code becomes worthless.
- Biometric login.
A frequently used option is logging in with biometric features such as fingerprint or face scan. These are stored once in the app so that no more login information has to be entered in the future. The biometric login is considered particularly secure, as it is extremely difficult to fake. But not all biometric scans are the same; depending on the manufacturer, the security of the systems can vary due to the method.
The Authenticator apps combine several advantages for the user. They run on traditional (mobile) devices that each of us carries with us all the time. At the same time, they automate the login to various services or applications and are very user-friendly due to their setting options. And they are particularly secure at the same time. Some authenticator apps also offer encrypted storage in the cloud – or at least an encrypted backup token via it. This makes their loss- and failure-proof, since they are not tied to a single device.
Another option is to use so-called hardware tokens. These are small memory chips with different appearance and functionality depending on the manufacturer. Like Authenticator apps, these are used to generate one-time passwords, which is why they are also known as OTP (one-time-password) tokens. The generated one-time codes work similarly to the codes generated in an Authenticator App. In addition to OTP tokens, there is also the option to rely on FIDO U2F TOKEN. This is based on public-key encryption and thus relies on a completely different form of encryption, in which the user must also identify himself on the hardware.
The advantage of hardware tokens is clearly that even employees who do not own a company smartphone can be equipped cost-effectively. At the same time, hardware tokens offer less convenience in use than, say, a smartphone. This is because the latter is an integral part of our everyday lives, whereas a hardware token is often perceived as a nuisance.
Which form of authentication with a second factor you ultimately rely on is up to your preferences. Each form has advantages and disadvantages, especially in the area of handling and user-friendliness.
And yet it remains to be noted: Any form of multifactor authentication is better than no multifactor authentication.