Types of Multi-Factor Authentication (MFA)



In the first blog post of our Cybersecurity Awareness Month series, we talked about the different types of Multi-Factor Authentication (MFA) attacks.

As we learned, not all MFA authenticators are built equal. Some offer higher levels of assurance and better protection than others. Choosing the right MFA configuration will depend on the type of resources being protected and the users accessing those resources. Let’s take a look at some common MFA authenticators and the types of attacks they are vulnerable to below.

Knowledge-Based Verification (KBV) – Knowledge-based verification methods include your security questions and answers. These are the weakest form of authentication after passwords, as they usually contain questions such as your dog’s name, your siblings’ or parents’ names, your favorite car, etc., all of which may be obtained through social engineering or publicly available data on social media sites that you are a part of. Additionally, this method is also vulnerable to common MFA attacks such as phishing and Adversary in the Middle (AiTM).

One-time password (SMS OTP, Voice OTP, Email OTP) – Although authenticators such as SMS OTP, Voice OTP and Email OTP may be convenient from a user experience and adoption perspective, they do not provide a high level of assurance and are vulnerable to various types of cyberattacks. SMS OTP and voice OTP are susceptible to SIM card swapping, phishing and AiTM attacks, while email OTP is susceptible to phishing and AiTM attacks.

Mobile push notification – This is a more secure authentication method as it involves the use of biometrics in the form of Face ID or Touch ID to unlock your mobile device to approve the push authentication. Yet it is still vulnerable to prompt bombing or MFA fatigue attacks, as seen in the news recently.

Time-Based Mobile OTP – These are your software token authenticators that generate new codes approximately every 30 seconds. They are more secure because they include biometrics to unlock, but they are still vulnerable to phishing and AiTM attacks.
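The codes that software token apps regenerate every 30 seconds are RFC 6238 TOTP values: an HMAC over the current time step, truncated to six digits. The following Go program is an added example, not code from the original post or from Entrust; it implements the generator and the server-side check, tolerating one step of clock drift and, as RFC 6238 advises, refusing to accept a step that has already been consumed, so a code relayed by a phishing page cannot be used a second time once the legitimate user has spent it. The secret is the RFC test secret, which is an assumption for illustration only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes an RFC 4226 HMAC-based one-time password for one counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects 4 bytes.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp derives the RFC 6238 code for a Unix timestamp: the counter is the
// number of whole time steps (30 seconds in authenticator apps) since the epoch.
func totp(secret []byte, unix int64, step int64, digits int) string {
	return hotp(secret, uint64(unix/step), digits)
}

// TotpVerifier is the server side. It accepts codes from adjacent time steps to
// tolerate clock drift, but never accepts a step at or before the last one used,
// so an already-spent code cannot be replayed within its validity window.
type TotpVerifier struct {
	secret   []byte
	step     int64
	window   int64 // steps of drift tolerated on each side of "now"
	lastStep int64 // highest step already consumed (-1 = none yet)
}

func NewTotpVerifier(secret []byte, step, window int64) *TotpVerifier {
	return &TotpVerifier{secret: secret, step: step, window: window, lastStep: -1}
}

// Verify reports whether code is valid at the given Unix time and marks its
// time step as consumed on success.
func (v *TotpVerifier) Verify(code string, unix int64) bool {
	current := unix / v.step
	for s := current - v.window; s <= current+v.window; s++ {
		if s < 0 || s <= v.lastStep {
			continue
		}
		expected := hotp(v.secret, uint64(s), 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastStep = s
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, illustration only
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6)
	v := NewTotpVerifier(secret, 30, 1)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

The replay rejection narrows the window in which a phished code is useful, but it does not remove it: a code captured and relayed before the legitimate user submits it is still accepted, which is why TOTP remains classed as phishable above.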

Mobile push + mutual authentication – This method combines mobile push notifications with mutual authentication tokens to provide additional protection. In this method, the user may also see a mutual authentication token on the website or application they are trying to authenticate against. They need to confirm on their mobile authenticator app, which adds an extra layer of protection, but remains vulnerable to a sophisticated AiTM attack.

The above authenticators, while adding more security than a basic password, may satisfy certain use cases or assurance levels. However, for added security and assurance, organizations should consider authentication that involves the use of PKI-based smart credentials or FIDO2 tokens.

FIDO2 key – FIDO2 keys are physical keys, like USB keys, that a user plugs into the desktop. Some also include a fingerprint reader as a second authentication factor. The key contains encrypted information, which is used to authenticate the user’s identity when logging in. Once used successfully, the user is automatically logged into the system and accesses all relevant applications in a single session.

Credential-based passwordless access – Passwordless credential-based access provisions a digital certificate on the user’s phone (mobile smart ID), turning it into their trusted identity. Using Bluetooth®/NFC, when the user walks up to a desktop, a connection is established between the mobile device (where the smart ID resides) and the desktop. From here there are two options to log in without a password: either the system is unlocked when the user is asked to provide their fingerprint or Face ID on the smartphone, or the desktop prompts the user to enter a PIN code to log in. From that session, the user can also connect securely to remote desktops and SSH.

FIDO2 passkeys – This is a new passwordless authentication method that is gaining popularity and adoption due to improved user experience and security. In this method, when a user tries to authenticate with an app or service, the app issues a security challenge to the nearby registered smart device (confirmed via Bluetooth). The user then uses biometrics on the mobile device to unlock the passkey, which is then used to sign and return the challenge. Bluetooth requires physical proximity, which means there is now a phishing-resistant way to use the user’s smartphone during authentication. With this capability, the user’s phone can be upgraded to a higher level of security (phishing resistance) without the user needing to carry specialized authentication hardware (security keys).
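The challenge-signing exchange described for passkeys (and used by FIDO2 security keys as well) is what makes these authenticators resistant to phishing and AiTM: the device signs over client data that the browser, not the user, fills in with the origin it is actually talking to, and the relying party rejects any signature whose origin or challenge does not match. The Go program below is an added example, not code from the original post or from Entrust, and it is a simplified model of a WebAuthn assertion: the `login.example.com` / `login.example.net` origins are constructed, the client data keeps only the three fields that matter here, and attestation, authenticator data and signature counters are omitted by assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData is a reduced form of WebAuthn's clientDataJSON. The browser sets
// Origin to the site it is connected to; the user cannot change it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the authenticator returns: the signed client data and the
// signature produced with the credential's private key.
type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// relyingParty holds the origin it serves, the registered public key and the
// challenge currently outstanding for this sign-in.
type relyingParty struct {
	origin    string
	pubKey    *ecdsa.PublicKey
	challenge string
}

// newChallenge issues a fresh random challenge; each one is good for one sign-in.
func (rp *relyingParty) newChallenge() string {
	buf := make([]byte, 32)
	rand.Read(buf)
	rp.challenge = base64.RawURLEncoding.EncodeToString(buf)
	return rp.challenge
}

// signAssertion models the registered device: it signs whatever client data the
// browser presents, after the user has unlocked it with biometrics (not modelled).
func signAssertion(priv *ecdsa.PrivateKey, browserOrigin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	h := sha256.Sum256(cd)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return assertion{ClientDataJSON: cd, Signature: sig}
}

// verify performs the relying party's checks in order: well-formed client data,
// correct ceremony type, the outstanding challenge, the expected origin, and a
// valid signature over exactly the bytes the device signed.
func (rp *relyingParty) verify(a assertion) (bool, string) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return false, "malformed client data"
	}
	if cd.Type != "webauthn.get" {
		return false, "wrong ceremony type"
	}
	if rp.challenge == "" || cd.Challenge != rp.challenge {
		return false, "challenge mismatch (stale or replayed)"
	}
	if cd.Origin != rp.origin {
		return false, "origin mismatch: " + cd.Origin
	}
	h := sha256.Sum256(a.ClientDataJSON)
	if !ecdsa.VerifyASN1(rp.pubKey, h[:], a.Signature) {
		return false, "bad signature"
	}
	rp.challenge = "" // consumed: the same assertion cannot be presented again
	return true, "ok"
}

// Demo registers one credential and runs three sign-ins. It returns whether the
// relying party accepted (1) a browser on the real origin, (2) the same assertion
// presented a second time, and (3) a browser on a look-alike origin that relayed
// the genuine challenge.
func Demo() (legit bool, replayed bool, lookalike bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := &relyingParty{origin: "https://login.example.com", pubKey: &priv.PublicKey}

	c := rp.newChallenge()
	good := signAssertion(priv, "https://login.example.com", c)
	legit, _ = rp.verify(good)
	replayed, _ = rp.verify(good)

	c = rp.newChallenge()
	lookalike, _ = rp.verify(signAssertion(priv, "https://login.example.net", c))
	return legit, replayed, lookalike
}

func main() {
	legit, replayed, lookalike := Demo()
	fmt.Println("legitimate:", legit, "replay:", replayed, "look-alike origin:", lookalike)
}
```

The look-alike case is the AiTM situation from the first post in this series: the signature itself is perfectly valid, but it covers an origin the relying party does not serve, so the check fails before the key is ever consulted. That is the property the authenticators earlier in this list (OTP, push, mutual-authentication tokens) lack, because nothing they produce is bound to the site the user is actually on.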

It is important to note that any of the above passwordless solutions can be combined with single sign-on for an additional layer of security, where the user can seamlessly access applications using federated identity protocols such as SAML/OIDC.

Learn more about the adaptive MFA authentication offered by the Entrust Identity and Access Management platform here, and contact us to find out how we can help you implement and deploy a secure adaptive MFA solution with high-assurance passwordless capabilities for your users.

The post Types of Multi-Factor Authentication (MFA) first appeared on the Entrust Blog.

*** This is a syndicated Entrust Blog Security Bloggers Network blog written by Rohan Ramesh. Read the original post at: https://www.entrust.com/blog/2022/10/types-of-multi-factor-authentication-mfa/
