Adding Multi-Factor Authentication to your application

Multi-Factor Authentication

What is Multi-Factor Authentication?

Authentication factors can be categorized as:

  • Knowledge factor
  • Ownership factor
  • Inherence factor

Knowledge Factor

The knowledge factor is some secret information that the user knows. This can be a password, a username, the answer to a security question, a PIN or an address. The user is responsible for not exposing this information to others. Compared with the other factors, however, this information is relatively easy to leak and, given human nature, easy to forget.

Ownership Factor

The ownership factor is some physical object the user has. This can be a physical device such as a key, smartphone, smart card, USB drive or hardware token. You may have used an SMS OTP (One Time Password) as an authentication factor; there the mobile phone is the ownership factor. If the device is lost or accessed by an attacker, this authentication factor can be breached.

Inherence Factor

The inherence factor is something the user is. This can be any part of the human body that can be used to uniquely identify a user. Examples are a fingerprint, facial recognition, voice recognition or any other biometric feature. Unless an attacker coerces you into authenticating on their behalf, this factor is hard to breach.

Multi-Factor Authentication, then, requires two or more factors drawn from the categories above.

Why Multi-Factor Authentication

  • Usability: With MFA we can say goodbye to passwords, which reduces the risk caused by bad password habits, because we have the option of engaging one of the other factors instead of a typical password.
  • Compliance: Some compliance standards mandate stronger security, so certain organizations may be required to add more barriers before granting access to sensitive data. MFA helps address such compliance requirements.

Real-world use cases

  • Bob needs to transfer some money to his friend Alex. Bob logs in to his account using the Internet Banking System. When logging in, Bob has to provide his username and password as credentials. Bob completes the steps needed to transfer money and clicks the ‘transfer’ button. Bob receives an SMS on his mobile phone with an OTP. Bob enters that OTP into the system and the money is transferred successfully.

In this use case, the system has enforced multiple barriers for the critical task, transferring money. Bob could use single-factor authentication when logging in to the system, where he can do limited tasks such as checking the account balance. But when it comes to transferring money, he has to complete MFA using the combination of a knowledge factor (user credentials) and an ownership factor (mobile phone).

  • Bob’s girlfriend Alice wants to do some shopping but does not have enough money for it. So she plans to get some money from Bob’s bank account. Alice knows Bob’s email address, so she uses the email address as the username and enters her birthday as the password. Unfortunately, it shows an error saying invalid credentials. On the second attempt, she enters Bob’s car plate number as the password. Yay… she has guessed the password and logged in to the system. Then she tries to transfer money. Oops… an OTP is sent to Bob’s mobile. Alice does not have access to Bob’s mobile. Hence a desperate Alice gives up her effort.

Because the system is protected by a second factor, the attacker could not complete the critical transaction. Even though the first factor was breached, the attacker had another barrier in her way.
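The step-up flow in the two scenarios above, written out as a small server-side model. This is an added example, not code from the original post or from any WSO2 product: the `Bank` class, the `Session` levels (`basic` after the password, `mfa` after the OTP) and the constants `OTP_TTL_SECONDS` and `OTP_MAX_ATTEMPTS` are assumptions made here, and the SMS channel is simulated by an in-memory outbox. It shows why Alice fails even with the right password: the OTP is bound to the session, expires, is compared in constant time, and is discarded after a few wrong guesses, so the ownership factor cannot be brute-forced through the same screen as the password.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

OTP_TTL_SECONDS = 120   # assumed policy: an OTP is valid for two minutes
OTP_MAX_ATTEMPTS = 3    # assumed policy: then the code is discarded and must be re-issued
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store only a salted, slow hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hash_otp(code: str, key: bytes) -> bytes:
    """Ownership factor: keep an HMAC of the code, never the code itself."""
    return hmac.new(key, code.encode(), hashlib.sha256).digest()


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    phone: str
    balance: int


@dataclass
class PendingOtp:
    key: bytes          # random per-OTP key for the HMAC
    digest: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class Session:
    username: str
    level: str = "basic"                 # "basic" after password, "mfa" after OTP
    pending: Optional[PendingOtp] = None


class Bank:
    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for expiry tests
        self.users: dict = {}
        self.sms_outbox: list = []              # constructed stand-in for the SMS gateway

    def register(self, username: str, password: str, phone: str, balance: int) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt), phone, balance)

    def login(self, username: str, password: str) -> Optional[Session]:
        """First factor only: a successful login yields a 'basic' session."""
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            return None
        return Session(username)

    def check_balance(self, session: Session) -> int:
        return self.users[session.username].balance      # low-risk task, first factor suffices

    def begin_transfer(self, session: Session) -> None:
        """Step-up: issue a fresh 6-digit OTP and deliver it out of band."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        key = secrets.token_bytes(32)
        session.pending = PendingOtp(key, hash_otp(code, key), self.clock() + OTP_TTL_SECONDS)
        self.sms_outbox.append((self.users[session.username].phone, code))

    def verify_otp(self, session: Session, code: str) -> bool:
        """Second factor: constant-time check, bounded attempts, single use."""
        p = session.pending
        if p is None or self.clock() > p.expires_at:
            session.pending = None
            return False
        p.attempts += 1
        ok = hmac.compare_digest(hash_otp(code, p.key), p.digest)
        if ok:
            session.level = "mfa"
            session.pending = None
        elif p.attempts >= OTP_MAX_ATTEMPTS:
            session.pending = None              # guessing budget exhausted, re-issue required
        return ok

    def transfer(self, session: Session, to: str, amount: int) -> bool:
        """Critical action: refused unless the session has completed MFA."""
        if session.level != "mfa":
            return False
        src, dst = self.users[session.username], self.users[to]
        if amount > src.balance:
            return False
        src.balance -= amount
        dst.balance += amount
        session.level = "basic"                 # the step-up covers exactly one critical action
        return True
```

Checking the balance works on the `basic` session, while `transfer` refuses it; only a correct OTP entered within the time limit promotes the session to `mfa`, and that promotion is spent by a single transfer. Wrong guesses are counted per issued code, so the attacker's odds stay at a few in a million rather than growing with every attempt.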

  • Bob is worried about the OTP he received. He contacts the bank and adds an additional security factor to protect his bank account. With the new factor, Bob needs to prove his identity to the system in three ways: he has to provide his credentials, provide the OTP and provide his fingerprint to transfer money.

Now Bob feels much more secure because he knows that no one can steal his fingerprint.

Convenience vs Security

When adopting MFA, therefore, we should be very careful to strike the right balance between convenience and security.

Written by

Associate Technical Lead @ WSO2
