Multi-factor authentication
Multi-factor authentication (MFA; two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.
Wider use of MFA is helping organizations and individuals keep their data secure.[1] However, numerous threats make it hard to ensure that MFA is entirely secure, and employee practice is a further concern for anyone who has to keep data private and out of the reach of unauthorized persons and bad actors. Most people do not want to remember complicated passwords and therefore choose easy ones,[2] and they try to avoid the frustration of forgetting the passwords to sites that matter to them.
A third-party authenticator (TPA) app enables two-factor authentication, usually by displaying a short code that changes frequently; the code is not random but is derived from a secret the app shares with the service at enrollment, so the service can recompute it and check it.
Apart from third-party applications, users can be offered an authentication technique that lets them log into an account without having to memorize a password: the site displays a QR code, the user scans it with a smartphone, verifies an image shown on the phone, and confirms the login through a push notification sent to the phone.[3]
Two-factor authentication over text message was developed as early as 1996, when AT&T described a system for authorizing transactions based on an exchange of codes over two-way pagers.[11][12]
Many multi-factor authentication vendors offer mobile phone-based authentication. Some methods include push-based authentication, QR code-based authentication, one-time password authentication (event-based and time-based), and SMS-based verification. SMS-based verification suffers from some security concerns. Phones can be cloned, apps can run on several phones and cell-phone maintenance personnel can read SMS texts. Not least, cell phones can be compromised in general, meaning the phone is no longer something only the user has.
The major drawback of authentication including something the user possesses is that the user must carry around the physical token (the USB stick, the bank card, the key or similar), practically at all times. Loss and theft are risks. Many organizations forbid carrying USB and electronic devices in or out of premises owing to malware and data theft risks, and most important machines do not have USB ports for the same reason. Physical tokens usually do not scale, typically requiring a new token for each new account and system. Procuring and subsequently replacing tokens of this kind involves costs. In addition, there are inherent conflicts and unavoidable trade-offs between usability and security.[13]
Two-step authentication involving mobile phones and smartphones provides an alternative to dedicated physical devices. To authenticate, people can use their personal access codes to the device (i.e. something that only the individual user knows) plus a one-time-valid, dynamic passcode, typically consisting of 4 to 6 digits. The passcode can be sent to their mobile device[4] by SMS or can be generated by a one-time passcode-generator app. In both cases, the advantage of using a mobile phone is that there is no need for an additional dedicated token, as users tend to carry their mobile devices around at all times.
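As an added illustration of the one-time passcodes described in the two paragraphs above (this is example code written for this page, not code from the original article or from any authenticator vendor), the following Python implements the two OTP schemes named there: event-based HOTP (RFC 4226) and time-based TOTP (RFC 6238), together with the checks a verifying server needs. The secret is the 20-byte test key from those RFCs, shown both raw and in the base32 form an authenticator app receives in an otpauth QR code; the drift window, the replay bookkeeping and all function names are this example's own choices, not anything the article specifies.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"
# The same secret as an authenticator app receives it inside an otpauth:// QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode a base32 secret from an otpauth URI; apps accept lowercase and omitted padding."""
    padded = encoded.strip().upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)   # keep leading zeros: "007081" is a valid code


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, timestamp // step, digits, algo)


def verify_totp(secret: bytes, code: str, timestamp: int, last_accepted: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None on rejection.

    - Tolerates clock drift by accepting `window` steps either side of the current one.
    - Compares in constant time so response timing does not leak how many digits matched.
    - Rejects any counter at or before `last_accepted`, so a code that was already used
      (or an older one captured in transit) cannot be replayed inside the window.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = timestamp // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = current + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            matched = candidate
    if matched is None or matched <= last_accepted:
        return None
    return matched


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59 gives 94287082 with 8 digits and SHA-1.
    print(totp(SECRET, 59, digits=8))
    # A code for the current time, as an authenticator app would display it right now.
    now = int(time.time())
    code = totp(SECRET, now)
    print(code, verify_totp(SECRET, code, now))
```

Two details carry the security weight on the server side. `hmac.compare_digest` keeps the comparison constant time, and the `last_accepted` counter must be persisted per user and updated on every successful check, otherwise a code that was phished or read from an SMS remains usable for the rest of its window. A six-digit code also gives a guesser roughly a one-in-a-million chance per attempt per window, so the verifier must rate-limit attempts; that limit is outside this snippet.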
Notwithstanding the popularity of SMS verification, security advocates have publicly criticized it,[14] and in July 2016 a United States NIST draft guideline proposed deprecating it as a form of authentication.[15] A year later, NIST's finalized guideline retained SMS verification as a valid, though restricted, authentication channel.[16]
In 2016 and 2017 respectively, both Google and Apple started offering user two-step authentication with push notifications[5] as an alternative method.[17][18]
The security of tokens delivered over the mobile network depends entirely on the mobile operator's operational security: the codes can be intercepted by wiretapping or obtained through SIM cloning, including by national security agencies.[19]
Implementation
Many multi-factor authentication products require users to deploy client software to make multi-factor authentication systems work. Some vendors have created separate installation packages for network login, Web access credentials, and VPN connection credentials. For such products, there may be four or five different software packages to push down to the client PC in order to make use of the token or smart card. This translates to four or five packages on which version control has to be performed, and four or five packages to check for conflicts with business applications. If access can be operated using web pages, it is possible to limit the overheads outlined above to a single application. With other multi-factor authentication technology such as hardware token products, no software needs to be installed by end users.
There are drawbacks to multi-factor authentication that are keeping many approaches from becoming widespread. Some users have difficulty keeping track of a hardware token or USB plug. Many users do not have the technical skills needed to install a client-side software certificate by themselves. Generally, multi-factor solutions require additional investment for implementation and costs for maintenance. Most hardware token-based systems are proprietary, and some vendors charge an annual fee per user. Deployment of hardware tokens is logistically challenging. Hardware tokens may get damaged or lost, and issuance of tokens in large industries such as banking or even within large enterprises needs to be managed. In addition to deployment costs, multi-factor authentication often carries significant additional support costs. A 2008 survey[43] of over 120 U.S. credit unions by the Credit Union Journal reported on the support costs associated with two-factor authentication. In their report, software certificates and software toolbar approaches were reported to have the highest support costs.
Research into deployments of multi-factor authentication schemes[44] has shown that one of the elements that tends to affect the adoption of such systems is the line of business of the organization deploying it. Examples cited include the U.S. government, which employs an elaborate system of physical tokens (themselves backed by a robust Public Key Infrastructure), and private banks, which tend to prefer multi-factor authentication schemes for their customers that use more accessible, less expensive means of identity verification, such as an app installed on a customer-owned smartphone. Despite the variety of systems an organization may choose from, once a multi-factor authentication system is deployed it tends to remain in place, as users acclimate to it over time and come to treat it as a normal part of interacting with their information systems.
While multi-factor authentication is often perceived as something close to perfect security, Roger Grimes writes[45] that if it is not properly implemented and configured, it can in fact be easily defeated.
Patents
In 2013, Kim Dotcom claimed to have invented two-factor authentication in a 2000 patent,[46] and briefly threatened to sue all the major web services. However, the European Patent Office revoked his patent[47] in light of an earlier 1998 U.S. patent held by AT&T.[48]