The Coronavirus pandemic has led to a rise in hacking and phishing activities. SIM swapping, fraudulent emails and clickbait links on the Internet are all rising rapidly these days, and traditional authentication measures like receiving codes by SMS aren't sufficient to protect your personal and online accounts. SMS-based notification alerts have been in use for a long time and, unfortunately, they aren't secure anymore. Let us look at the shortcomings of SMS-based authentication and then explore the possible resolutions.
Over the years, hackers have tricked mobile carriers into porting a number to a new device. This is known as SIM swapping, and it allows hackers to gain access to your phone number. Plus, it is not very difficult for hackers to learn the last digits of your Social Security number or your banking credentials, since these details often get leaked from bank systems. Combine these two and your personal information can be easily compromised.
Plus, there is a significant weakness in the mobile telecom system, exploited in what is known as an SS7 attack. During an SS7 attack, a hacker can listen to your phone calls, read your text messages and see your location.
The drawbacks listed above make SMS-based authentication very unsafe. A more advanced method is to use authentication apps instead. Let us explore them below.
If you attempt to log in to Gmail from an unrecognized device or location, Google will send you a prompt asking you to verify yourself first. A picture code is displayed on the screen and the same code is sent to your mobile phone as well. You need to tap the code on your phone before the app allows you to proceed. This is how app-based authentication works. Apart from Google, there are other players in the game as well, such as Microsoft Authenticator and Authy.
These authentication apps are more secure than SMS. Unlike an SMS, which stays on your device forever, the codes generated by the apps last for 30 seconds or less. Also, you are required to tap the code instead of manually entering it. This further enhances the security.
There are many apps which support this type of authentication. You just need to activate the feature. You will then automatically get push notifications that require a tap for authentication.
Having said that, authentication apps, just like SMS, are a type of two-factor authentication (2FA), and two-factor authentication systems have serious shortcomings. Let us explore them below.
Two-step verification systems (e.g. the SMS feature or the authentication apps) are more secure than one-factor authentication (which only involves entering the password). Nevertheless, a 2FA system has plenty of shortcomings which make it vulnerable. The demerits of an SMS-only system were described earlier in the blog. There are other scenarios too which make 2FA an inconvenient feature. For example, when Hurricanes Harvey and Irma hit North America, the power infrastructure of the affected areas was badly damaged. People didn't have electricity to charge their mobile phones and thus couldn't log into their financial and social media accounts.
Also, recovery options contradict the entire notion of 2FA. If you are able to recover your factors using simple recovery measures, then the hacker can do the same. However, without recovery options, you can lose your account.
In addition, hackers can use Two factor authentication to shut you out of your own account. They can change your login credentials and you can forever lose access to your sensitive data.
Over recent years, Multi-factor authentication has emerged as a viable replacement for Two-factor authentication. Multi-factor authentication (MFA) replaces two factors of identification with multiple factors. For example, in addition to a password and an SMS/authentication app code, you might be asked to add your fingerprint, facial recognition, etc. These added layers make your login session more secure and protect you from external hacks/breaches.
Typically, Multi-factor authentication consists of the following elements:
a. Items that you know. For e.g. your Password etc.
b. Items that you have in your possession. For e.g. smartphone or badge.
c. Items which are an inherent part of you. For e.g. biometrics, fingerprint sensors, voice recognition etc.
Multi Factor Authentication mainly uses a combination of the following elements for authentication:
a. Smartphone generated codes
b. Badges, USB and other devices
c. Certificates or soft tokens
d. Facial recognition.
e. Behavioral analysis
f. Security question answers.
g. Codes delivered to email addresses
h. Fingerprints
MFA works by considering the behavior of the users and the situational context while authenticating. These mainly include:
a. Where is your location? Are you at your home network or are you outside over an insecure Wi-Fi network (like cybercafes etc.)?
b. At what time are you trying to access? Is it during an odd time?
c. Which device is being used to access? Is it a smartphone or a laptop/desktop?
d. What kind of network are you on? Is it public or private?
Adaptive Authentication is a type of Multi-factor authentication which leverages advanced technologies like Artificial Intelligence and Machine Learning. The idea is to use these technologies to detect unusual logins and flag them to users. It also prescribes stronger use of MFA in scenarios it deems risky. For example, if you are trying to sign in from a cafe, then Adaptive authentication will give you harder MFA elements. If it becomes a regular occurrence, i.e. you visit the cafe daily during that period of time, then the MFA questions will become easier. In short, Adaptive authentication typically monitors your user activity and then suggests the best possible identification measure while flagging risky scenarios.
In the modern business landscape, more and more people are working from home, and this has brought the subject of secure access into the limelight. Businesses must have advanced identity and access measures which are secure and can support a variety of scenarios. Unfortunately, two-factor authentication (2FA) is heavily outdated and has serious security shortcomings. Over recent years, Multi-Factor Authentication has been gaining a lot of ground as it provides a safer identity setup. With the advent of adaptive authentication, it is becoming even harder for hackers to cause a breach, as the technology examines the user activity and then gives customized authentication locks to open.
Even from a consumer perspective, this is a welcome change, as their access is now more secure and they can be assured that their sensitive inputs won't be compromised. Multi-Factor Authentication, and especially Adaptive authentication, are the present and future of the Identity and access management landscape.
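The context questions listed above (location, time, device, network) and the cafe scenario can be expressed as a step-up policy. This is an added example, not from the original article: it swaps the AI/ML model for a fixed rule-based score, and every class name, weight, threshold and factor label in it is an assumption chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    location: str          # coarse label, e.g. "home" or "cafe"
    hour: int              # local hour of the attempt, 0-23
    device_id: str
    public_network: bool


class AdaptivePolicy:
    """Rule-based stand-in for the AI/ML scoring; all weights are assumptions."""

    def __init__(self, usual_hours=range(7, 23), familiar_after=5):
        self.usual_hours = usual_hours
        self.familiar_after = familiar_after
        self.known_devices = set()
        self.history = Counter()  # successful logins per (place, device, part of day)

    @staticmethod
    def _key(ctx):
        return (ctx.location, ctx.device_id, ctx.hour // 6)

    def risk(self, ctx):
        score = 0
        score += 40 if ctx.device_id not in self.known_devices else 0
        score += 20 if ctx.hour not in self.usual_hours else 0
        score += 20 if ctx.public_network else 0
        visits = self.history[self._key(ctx)]
        if visits < self.familiar_after:
            score += 30 if visits == 0 else 10   # new or still-unusual context
        else:
            score -= 20                          # routine context earns less friction
        return max(score, 0)

    def required_factors(self, ctx):
        score = self.risk(ctx)
        if score >= 70:
            return ["password", "authenticator_code", "biometric"]
        if score >= 30:
            return ["password", "authenticator_code"]
        return ["password", "push_approval"]     # floor: never fewer than two factors

    def record_success(self, ctx):
        # Call only after every required factor passed, so failed or
        # attacker-driven attempts cannot make a context look familiar.
        self.known_devices.add(ctx.device_id)
        self.history[self._key(ctx)] += 1
```

With these weights, a first cafe login from a known laptop scores 50 and requires an authenticator code; after five fully authenticated logins in the same context the score drops to 0 and a push approval is enough.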