What are Multi-Factor Authentications (MFA) and their Types

Data breaches are becoming commonplace for technology companies. The latest victim is the Australian telecommunications company Optus, where a breach gave unauthorized access to the identity data of approximately 10 million people. Adding to the misery of the victims, the cyberattack subsequently sparked numerous phishing and fraud attempts that used data obtained from the breach.

Stronger login security measures can protect your accounts and greatly reduce the chances of success of many automated cyber-attacks.

Multi-factor authentication (MFA), also known as two-factor verification or two-factor authentication, is a security measure that requires users to provide two or more proofs of identity to access digital services. This typically means a combination of at least two of: something you know (a PIN or secret question), something you have (a card or token), and something you are (a fingerprint or other biometric). For example, the Australian Revenue Service recently tightened some rules, requiring digital service providers to use multi-factor authentication.

If you use certain online services, you are already familiar with MFA. But not all MFA solutions are created equal. Recent research has shown how easily the more common methods can be subverted in cyberattacks. In addition, different people prefer different MFA options depending on their needs and technical understanding.

What are the options available today?

What are their pros and cons?

Who are they suitable for?

There are four main methods of multi-factor authentication.

SMS or text message: Sending one-time passwords (codes) by text message is currently the most common option. Codes sent via SMS are very popular and easy to use, but they are often stolen by malicious apps on your phone or by redirecting your text messages to another phone. This method also fails if the phone is unavailable or turned off.

Authenticator app: Another common method uses an application installed on the smartphone (such as Google Authenticator) to generate one-time passwords that are valid only for a very short period, typically 30 seconds. Although these are more secure than text messages, malicious apps on the phone can still obtain the one-time passwords. This method also fails if your phone runs out of power.

Mobile app prompt: Similar to the authenticator app, but the user receives a one-time confirmation prompt on the phone instead of a password to type in. This requires the smartphone to be switched on with an active internet connection.

Physical security key: The most secure mechanism. It uses a hardware security key (YubiKey, VeriMark, Feitian FIDO, etc.) that must be registered with the device in order to verify identity. Many of them resemble USB flash drives. This is the currently dominant method and is supported by companies such as Google, Amazon, and Microsoft, as well as government agencies around the world.

Each of these four methods differs in ease of use and security. For example, physical security keys offer the highest level of security but have the lowest adoption rate, only about 10%, because people always choose what is short and easy over what is hard and secure.
