In recent years, multi-factor authentication (MFA) has become the go-to buzzword for cybersecurity experts looking to promote better security practices and habits across the industry. Just as AI and blockchain have served as oversold and overused super-futuristic lingo in the tech industry over the past decade, the same can be said about MFA technology in cybersecurity.
As the name implies, MFA involves using more than a single authentication method to verify and validate users' identities; it adds multiple secure layers of authentication using a combination of factors from any of these credential categories:
- Knowledge factors: Passwords, pins and shared secrets; knowledge factors are based on what users know and are the most common and easiest means of authentication.
- Possession factor: This factor of authentication deals with what end-users may have in their possession; sim cards, tokens, key cards or ATM cards.
- Inherence factor: This is the most secure factor from the bunch, taking users’ distinctive features into account. Biometric scanning technology for fingerprint, iris and face is an example of this factor.
The MFA ‘Solution’
To reduce and even eliminate the myriad of risks that come with password authentication technology and protect their digital assets, enterprises often deploy MFA technology. MFA aims to combat the bad security habits passwords cause, reduce the risk of phishing, fraud, identity theft and other cybercrimes.
Here’s the catch – most MFA technology never replaced passwords or the knowledge factor. For the most part, they only serve as a huge improvement; however, these solutions are built on and still include the same problem: passwords. Because passwords can be easily breached at scale and within a few seconds, they barely count as a factor. Therefore, most MFA solutions rely solely on the second factor alone, leaving enterprises vulnerable.
MFA solutions may also include other forms of authentications; OTP (one time passwords), Push notifications and SMS notifications, but on closer inspection, they are just another iteration of passwords and, at best, a slight deviation. These methods are often mistaken for the safer, more secure alternatives to passwords but really are passwords in disguise.
Although these forms of authentication cannot be used more than once and are generated by complex algorithms, OTPs, push and SMS notifications can easily be breached in a number of ways and have even been largely discouraged as a factor of authentication by cybersecurity experts.
Truly Passwordless MFA
Technically, passwordless technology is also multi-factor but doesn’t hide passwords behind another more secure authentication means. Therefore, there’s no vulnerable password database for hackers to attempt to steal from. It also uses other technological advancements to authenticate users and secure company infrastructure;
- Adaptive authentication: This is an access method that develops patterns of a users’ behavior and takes appropriate account when a deviation to this behavior is noticed. It evaluates the risk associated with each login using information such as a user’s geographical location, registered devices, and so on.
- Liveness detection: Liveness detection is a technique that uses algorithms to analyze the data collected from biometric scanners and readers to detect and verify if the source is a false one. It can identify a spoof attempt by differentiating from a live person present at the real-time point of capture, or a fake artifact, lifeless body part or prosthetic device.
- Decentralized credential store: Different passwordless authentication technology may take different approaches to verify users; however, they all have one thing in common: they don't store users’ data within a system but instead on users’ devices. This makes passwordless technology inherently more secure than traditional and password-based security technology.
- Asymmetric cryptography: Passwordless authentication relies on the same principles as digital certificates: asymmetric cryptography with a private key serving as a lock and a public key that unlocks it. Due to the secure nature of asymmetric cryptography, only authorized people, servers, machines or devices can access the private key by using a set authentication factor.
The prevalence of flawed MFA technology comes from a misunderstanding of how secure, or rather insecure, passwords and other knowledge-based factors are. Most enterprises and organizations don't realize their MFA technology is already compromised, with 61% of cybersecurity experts admitting that their company’s MFA solution contains passwords as a factor of authentication.
Any MFA technology that builds on top of passwords is a significant improvement over traditional password authentication; however, with an ever-changing, ever-growing cybersecurity landscape, organizations must go back to the drawing board concerning the techniques they use to secure themselves and deploy the most sophisticated authentication technology. The best way to do this is by implementing truly passwordless technology.