Today, computers and smart devices are inexpensive enough that we can own many of them: smart phones, laptops, tablets, and even wearable micro devices. Our work and private lives demand portability. This, along with a trend towards moving enterprise servers into the cloud, makes secure user authentication even more imperative…and tricky. That brings us to multi-factor authentication (MFA), what it means, and how it is achieved.
The goal of multi-factor authentication is to create a layered defense of two or more independent credentials: what you know (password), what you have (security token), and what you are (biometric verification). Requiring multiple factors to authenticate a user makes it more difficult for an unauthorized person to gain access to computers, mobile devices, physical locations, networks, or databases; each successive layer should help protect where other layers may be weak.
Multi-factor authentication is becoming more common, particularly in the financial industry, and is advancing to include retina and fingerprint scanning, voice recognition, and even facial recognition.
If only it were possible to develop a single method of authentication that was 100 percent accurate and could not be hacked—we wouldn’t need multi-factor authentication. But passwords can be seen, overheard, guessed, or bypassed; a token can be lost or stolen; and an identical twin or a photograph may even be enough to fool biometric recognition systems. This is why multi-factor authentication is currently very important to account security.
The concept of security using multi-factor authentication is that, while there may be a weakness in one authentication factor—say, a stolen password or PIN—the strength of a second or third factor would compensate to provide proper authorization for access.
Applications are available which generate one-time passwords in the same way that security tokens have operated in the past. The one-time password is generated and sent to the mobile device using a time-based SMS.
Using a smartphone or tablet eliminates the need for a user to keep track of a token, and companies incur less cost replacing lost tokens, activating tokens for new employees, or deactivating tokens when an employee leaves.
Top smartphone manufacturers understand that security is a growing customer concern, and have also started offering biometric authentication to ensure that only the authorized user can access the device. Each of these techniques has advantages and disadvantages.

|Technique|Advantages|Disadvantages|
|---|---|---|
|Fingerprint authentication|Individuals have unique fingerprints|Requires integration with network access software|
|Voice recognition|No extra hardware is necessary|Not effective in settings where the user must remain quiet, or with excessive background noise|
|Facial recognition or retinal scanning|No extra hardware is necessary (when the device is equipped with a camera)|Not effective in low light, and possible to defeat authentication with a photograph|

As data, communication, training, storage, server infrastructure and more are migrated to the cloud, IT admins must deal with the risks of moving beyond the more traditional on-premises server location. Multifactor, random authentication for user access is essential to protect data in the cloud.
Microsoft, Google, Amazon Web Services, Facebook, and Twitter—among others—all offer two-factor authentication for access to their cloud services, and some are extending to multi-factor authentication strategies.
Multi-factor authentication for Office 365
Office 365 requires a password to access applications on PCs, Macs, and mobile devices. The Office 365 admin tool automatically issues a random, 16-character token for users to sign in. When signed in, users are prompted to set up additional authentication.
Multi-factor authentication for Office 365 using Microsoft Azure Active Directory
Office 365 with Microsoft Azure Active Directory is an enterprise-level solution that requires users to correctly enter a password, and then acknowledge a phone call, text message, or an app notification on their smartphone to authenticate and sign in.
Using and supporting multi-factor tools requires that IT organizations coordinate and configure the enterprise infrastructure to get protected logins working properly. Most tools include various software agents that can protect VPNs, SharePoint servers, Outlook Web App, and database servers. As more traditional hardware-based onsite servers move into the cloud, most multi-factor solution vendors offer cloud and on-premise options. Customers are choosing offsite deployments more and more because of the support and management flexibility the cloud offers.
It’s important to evaluate multi-factor authentication products carefully to determine how each one differs subtly with regard to the desired deployment. Not every vendor can handle all scenarios equally well, and this is often a prime factor in product selection. Here are a few questions to ask when preparing to look more closely at multi-factor authentication products for a business:
Making a business case for multifactor authentication clearly requires some advanced planning. There are many use cases for the technology that can be applied in different ways to different parts of an IT infrastructure. Understanding how MFA will be used ahead of time will be helpful when it comes time to selecting a provider.
Before you begin the task of picking a multi-factor authentication vendor, carefully consider the following possible obstacles to deployment:
MFA has become a more mainstream option for financial firms and other consumer-facing businesses. In 2014, more than 1800 respondents to a Ponemon Institute survey indicated that their organizations planned to adopt some form of multi-factor authentication, while another 40 percent were considering it. As passwords become increasingly insecure, and as our mobile, cloud-based computing becomes more prevalent, multi-factor tools are finding use in just about every corner of the enterprise, especially where personal information is being consumed. For example, Symantec Validation and ID Protection Service is a highly scalable, cloud-based solution that delivers highly secure multi-factor authentication for enterprises of all sizes.