Adding Multi-Factor Authentication to your application
What is Multi-Factor Authentication?
First of all, what is ‘Authentication’? Simply put, ‘Authentication’ is the process of distinctly identifying a certain entity. As the name implies, Multi-Factor Authentication uses multiple factors to identify that entity.
Those factors can be categorized as:
- Knowledge factor
- Ownership factor
- Inherence factor
The knowledge factor is some secret information that the user knows. This can be a password, username, answer to a security question, PIN or an address. The user is responsible for not exposing this information to the outside. Compared with the other factors, however, there is a high chance of this information leaking and, human nature being what it is, a high tendency to forget it.
The ownership factor is some physical object the user has, such as keys, smartphones, smart cards, USB drives or token devices. You may have experienced an SMS OTP (One Time Password) as an authentication factor; there the mobile phone is the ownership factor. If the device is lost or accessed by an attacker, this authentication factor can be breached.
The inherence factor is something the user is: any part of the human body that can uniquely identify a user. Examples are a fingerprint, facial recognition, voice recognition or any other biometric feature. Unless an attacker forces you to authenticate on their behalf, this factor is hard to breach.
So Multi-Factor Authentication uses two or more factors from the categories above.
Why Multi-Factor Authentication
- Security: MFA acts as a layered defense for the authentication system. Even if an attacker breaches one of the above factors, the attacker still has to break the other barrier.
- Usability: With MFA we can say goodbye to passwords, which reduces the risk caused by bad password habits, because we have the option to use one of the other factors instead of a typical password.
- Compliance: Some compliance standards demand stronger security, so certain organizations may need to add more barriers when accessing more sensitive data. MFA helps address such compliance requirements.
Real-world use cases
Let’s consider some real-world use cases where we can observe the practical usage of MFA.
- Bob needs to transfer some money to his friend Alex. Bob logs in to his account using the Internet Banking System. When logging in, Bob has to provide his username and password as the credentials. Bob completes the steps needed to transfer money and clicks the ‘transfer’ button. Bob gets an SMS on his mobile phone with an OTP. Bob enters that OTP into the system and the money is transferred successfully.
In this use case, the system has enforced multiple barriers for the critical task, transferring money. Bob could use single-factor authentication when logging in to the system, where he can do limited tasks like checking the account balance. But for transferring money he needed MFA, combining a knowledge factor (user credentials) and an ownership factor (mobile phone).
- Bob’s girlfriend Alice wants to do some shopping but does not have enough money for it. So she plans to get some money from Bob’s bank account. Alice knows Bob’s email address, so she uses it as the username and enters her birthday as the password. Unfortunately, an error says the credentials are invalid. On the second attempt she enters Bob’s car plate number as the password. Yaay! She guessed the password and logged in to the system. Then she tries to transfer money. Ooops! An OTP was sent to Bob’s mobile. Alice does not have access to Bob’s mobile, so she gives up.
As the system is secured by a second factor, the attacker could not complete the critical transaction. Even though the first factor was breached, the attacker had another barrier in her way.
- Bob was worried about the OTP he received. He contacted the bank and added an additional security factor to protect his bank account. With the new factor, Bob needs to prove his identity to the system in three ways: provide his credentials, provide the OTP and present his fingerprint to transfer money.
Now Bob feels much more secure because he knows that no one can steal his fingerprint.
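The step-up flow from the use cases above (a password session may read balances, but a transfer only executes after an OTP bound to that transfer), written as an added Python example that is not from the original post. `send_sms` stands in for a real SMS gateway and the pending state is kept in memory purely for illustration; the OTP is single-use, expires, and locks the transfer after a few wrong guesses, which is what stopped Alice.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120        # an OTP expires two minutes after it is issued
MAX_OTP_ATTEMPTS = 3         # lock the pending transfer after three wrong guesses


class TransferService:
    """Step-up authentication: the first factor (password) gets the user a session;
    moving money additionally requires an OTP issued for exactly that transfer."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms    # callable(phone_number, text); stub gateway (constructed)
        self.now = now              # injectable clock so expiry can be tested deterministically
        self.pending = {}           # transfer_id -> state of a transfer awaiting its second factor

    def request_transfer(self, user, amount, phone_number):
        """Called after the password login. Issues a fresh 6-digit OTP bound to this transfer."""
        transfer_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[transfer_id] = {
            "user": user, "amount": amount, "otp": otp,
            "expires_at": self.now() + OTP_TTL_SECONDS, "attempts": 0,
        }
        self.send_sms(phone_number, f"Your code to transfer {amount}: {otp}")
        return transfer_id

    def confirm_transfer(self, transfer_id, submitted_otp):
        """Return 'ok', 'expired', 'locked' or 'invalid'. Money moves only on 'ok'."""
        pending = self.pending.get(transfer_id)
        if pending is None:
            return "invalid"
        if self.now() > pending["expires_at"]:
            del self.pending[transfer_id]        # stale code: the user must start over
            return "expired"
        pending["attempts"] += 1
        # Constant-time comparison so response timing does not reveal matching digits.
        if hmac.compare_digest(pending["otp"], submitted_otp):
            del self.pending[transfer_id]        # single use: the same code cannot be replayed
            return "ok"
        if pending["attempts"] >= MAX_OTP_ATTEMPTS:
            del self.pending[transfer_id]        # guessing the second factor is cut off
            return "locked"
        return "invalid"
```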
Convenience vs Security
One special thing to notice when adding MFA to your application is the balance between convenience and security. If we add multiple authentication steps, security will obviously be higher, but the user has to prove his identity in several ways, which is a hassle. On the other hand, if you reduce the number of authentication factors, usability improves but security could be compromised.
Hence when using MFA we should be careful to find the right balance between convenience and security.