What Is Multi-Factor Authentication, and How Can I Use It?
The official definition given in TechTarget’s IT Dictionary reads: “Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server. If the credentials match, the process is completed and the user is granted authorization for access.”
At the heart of authentication is controlling access to ensure individuals only access the information they need. With stories of password compromises becoming more common it is important to understand the types of authentication factors available and good computing practices.
As part of Information Security Planning, firms should also identify applications, services or websites that require at least one level of authentication (e.g. password protection, PC certificate, or security tokens) as well as any that may require multi-factor authentication.
Following are the three commonly used authentication factors:
Knowledge based, which centers on something you know such as a password or answer to a security question. This is the most commonly used authentication factor and potentially the weakest if strong password and change requirements are not enforced. Firms should require passwords to be at least 12 characters in length, changed at least every 90 days, and not be reused. Employees should also be trained on safe computing practices (i.e. don’t share your password or use the same one for everything.)
Possession based, which is linked to something you have such as a cryptocard, mobile device or ATM card. When using a mobile device, for example, a one-time password (OTP) can be generated to provide access for only one login session or transaction.
Inherence based, which is tied to what you are such as a fingerprint or eye scan. Apple notably introduced inherence factor authentication with its iPhone TouchID biometric fingerprint reader. Another place this factor is common is for granting access to a data center – firms may want to use biometric screening as a second authenticator.
Speaking of a second authenticator, multi-factor authentication is established by requiring two of the above factors. This means that in addition to providing a password for access, a user would also need to provide a separate PIN number, for example.
Product Spotlight: Duo
Putting a specific two-factor authentication product in the spotlight, Eze Castle Integration offers Duo, a two-factor authentication tool, to our Eze Cloud Solutions clients to provide an added layer of security and protection. Duo combines modern two-factor authentication with advanced endpoint security solutions to protect users from account takeovers and data breaches.
With Duo, users leverage their smartphones for authentication, eliminating the need to carry extra devices, like tokens, fobs and key cards. And through Duo’s one-tap app, users don’t need to ask for bypass codes to get around two-factor, since the app is quick and painless.
Reminder: Secure User Authentication Practices
Last, but not least, it is important to compliment whichever authentication factor is implemented with the following practices:
Assign unique domain user IDs to each employee
Enforce domain account passwords required to be at least 12 characters in length, changed at least every 90 days, and not be reused
Control data security passwords to ensure they are kept in a location and/or format that does not compromise the security of the data they protect
Restrict access to active users and active user accounts only
Additional Resources on this Topic:
Editor's Note: This article has been updated and was originally published in March 2015.