Multifactor Authentication...an in-depth explanation

In the realm of cybersecurity, the recent rise of Multi-Factor Authentication (MFA) stands as a pivotal point in fortifying defenses against unauthorised access. In my opinion, in today's digital day and age, it really is the bare minimum for anyone serious about securing their digital assets...especially businesses and external-facing platforms!

Multi-Factor Authentication (MFA) is a security mechanism that requires users to provide two (or ideally more) verification factors to gain access to a resource such as an application, online account etc. Instead of merely asking for a username and password, MFA requires additional verification factors, which significantly increases the security of user logins and transactions.

These factors can be something the user knows (password or PIN), something the user has (a trusted device, security key, mobile phone), or something the user is (biometric verification such as fingerprint or facial recognition). Requiring more than one of them adds multiple layers of protection, so an attacker who compromises a single factor (for example a breached password) still cannot gain unauthorised access to sensitive data and systems.


How does MFA actually work?

Well, regardless of whether you're setting MFA up personally in order to secure your own accounts or are rolling it out to a business...the actual enrolment is of course manual: the user has to complete it themselves, as it cannot be done on their behalf by an administrator. The process typically involves signing in with your credentials as you usually would (the first factor) and then adding additional factors of your choosing. After successful enrolment, each login will prompt an MFA challenge which must be satisfied, or else access to the requested resource will be denied. There are often recovery methods and options, however this is vendor specific so I won't go into that just yet.

Security Protocols and MFA options

MFA systems use various security protocols and technologies to ensure secure transmission and verification of authentication factors.

All communications between the client and server, including the transmission of MFA challenges and responses, are encrypted using secure protocols such as TLS to prevent interception or tampering. Public key cryptography is often used, especially in hardware tokens (U2F/FIDO2) and certificate-based authentication, where the device holds a private key used to sign a challenge from the server, which then verifies it with the corresponding public key. For time-based one-time passwords (TOTP), accurate time synchronization between the client device and server is crucial to ensure the generated codes match.

  1. Time-Based One-Time Password (TOTP)
  2. Push Notifications
  3. SMS and Email Codes
  4. Hardware Tokens
  5. Software Tokens
  6. Biometric Verification
  7. Universal 2nd Factor (U2F) / FIDO2 Security Keys
  8. Smart Cards
  9. Certificate-Based Authentication

From this list, Time-Based One-Time Passwords (TOTP) and Software Tokens have become staples in the MFA domain, offering a significant security level by generating dynamic codes. These methods, though secure, introduce an additional step for users, requiring access to a separate app to retrieve codes. While effective in improving security, they can sometimes be seen as a hurdle from a usability standpoint due to adding an "extra step" to what users were previously used to, though most Password Managers do offer TOTP support, at least giving users a "one stop shop" for authentication.

Push Notifications have emerged as a frontrunner in the MFA space, offering a seamless blend of high security with remarkable ease of use. This approach simplifies the authentication process to just a tap on a smartphone, making it both intuitive and resistant to phishing attacks.

On the other end of the spectrum, SMS and Email Codes, despite their widespread adoption and familiarity, have shown vulnerabilities, such as susceptibility to SIM swapping and email breaches. Their ease of use is undisputed, offering a low barrier to entry for users across the board. However, the trade-off in security cannot be overlooked, especially in environments where data sensitivity is high.

Hardware Tokens and Smart Cards represent a more "traditional" MFA method. Yet, their reliance on physical possession and, at times, additional hardware (like card readers) can complicate the user experience. Despite their robust security, the practicality of carrying another device or remembering a PIN can be deterrents for some.

Biometric Verification is a rather sophisticated solution. It uses unique physical attributes such as fingerprints, facial features or iris scans, offering a high security level with the convenience of something you always carry...you. This method has rapidly gained favor for its swift and straightforward authentication process, eliminating the need to memorize passwords or carry additional devices. Windows Hello for Business has done a fantastic job at normalising this method. If you told end users 5 years ago that they would need to scan their face or their fingers in order to sign in to their device, there would have been uproar.

Universal 2nd Factor (U2F) / FIDO2 Security Keys have also made their mark by offering exceptional security against phishing and man-in-the-middle attacks. Their simplicity, often requiring just a device plug-in and a button press, marries security with ease of use, though...unfortunately, the need to carry an additional item remains.


End user adoption

Most businesses I have worked with haven't been very keen on the idea of purchasing FIDO2 keys for ALL of their staff and I would hazard a guess that unless you're working for a Fortune 500 company, it will be the same for you. Working off of that assumption, the most cost effective and simple way of deploying MFA would likely be via an Authenticator app. However, this likely won't happen without pushback from some end users. This concern, while understandable, often stems from misconceptions about privacy, convenience, and the perceived complexity of using such apps.

One of the biggest worries about installing an authenticator app is the fear of being tracked or monitored. I absolutely get it...it's your personal device and perhaps you want NOTHING work related on there. You need to be prepared to offer the minority another option for MFA such as a YubiKey or Token2 for example. It's crucial to clarify that authenticator apps, such as Microsoft Authenticator, are designed with privacy at their core. Their sole purpose is to generate time-based codes used in the authentication process, not to collect personal information or track user location. These apps operate under strict data protection regulations, ensuring that any data exchange is minimal and solely for authentication purposes. It is super important to communicate this information to your users, as once they understand it, most will be happy to comply. I usually just drop an email to all staff explaining MFA and provide them with a video to watch, which usually goes down pretty well!

Ultimately, adopting MFA is part of cultivating a broader culture of security awareness within today's digital age. By educating users about the mechanics and benefits of MFA, we can try to transform perceptions of it from being an annoying requirement, to a vital user-friendly tool in our toolkit.

TLDR: Biometric Verification and Push Notifications seem to have struck the best balance of security and ease of use. When was the last time you left your finger or your mobile at home? In today's day and age, there is absolutely no reason for a business or personal user to not be setting up their accounts with MFA. Get it done now, and don't risk being the victim!


The idea for this post came as inspiration from writing a guide on deploying MFA via conditional access and best practices. I wanted to ensure that my readers have a good understanding of what they are doing and why by giving some information on the fundamentals of security.