Research by the US company Trustwave has shown that about 80% of information-security incidents were caused by users choosing weak passwords. Do you think your account is not valuable enough to need a strong password or a second confirmation step? We will try to convince you otherwise and explain when it is worth using more than one level of identity confirmation.
What is authentication
Authentication is the verification that a subject really is who (or what) it claims to be. It is often confused with identification (recognising a subject by a unique identifier, such as a username) and authorisation (granting certain rights to a subject once it has been authenticated).
Examples include comparing the password entered against the one stored in a database, or verifying the digital signature on a letter.
The history of authentication goes back to antiquity: spoken passwords were invented and elaborate seals were made. Even a lock and key is a form of authentication.
Today there is a trend towards multi-level authentication in many areas, driven by the unreliability of passwords on their own. A password that is too simple is not secure, and a password that is too complex is hard to remember, so people write it down somewhere, which defeats the purpose. To raise the level of security, additional tools are increasingly used alongside passwords.
About the procedure and its application
Multi-factor authentication is a stronger method of controlling access to resources: a user must present several independent «proofs» (factors) in order to gain access.
Three groups of such factors are distinguished:
- something you know (a password, a PIN code);
- something you have (a smart card, a mobile device, a hardware token or thumb drive);
- something you are (fingerprints, facial features, iris pattern, or the speed and rhythm of typing on a keyboard).
All three groups used at once is something you mostly see in films; the most common procedure involves only two of them. Combining factors of different kinds (not two passwords) greatly raises the security of user data and makes fraud, theft and data loss far harder.
We most often encounter the procedure in online banking or when logging in to a Google or Facebook account from a new device. The system then sends a text message with a one-time code to the mobile number linked to the account, makes a voice call, or asks you to put your finger on the scanner.
Some owners of expensive gadgets set up their phone to require both a fingerprint and a code (perhaps so that a jealous spouse cannot unlock the device with their sleeping partner's finger).
The flip side of the coin
At first glance extra security looks like an obviously good choice, but there are a number of nuances:
- If the second stage relies on a mobile phone, the phone must be within network coverage, which can be awkward when travelling abroad. When data is needed quickly, a multi-step check (especially a text message, which can take time to arrive) is inconvenient.
- The code sent by text message in the second stage of a standard two-step login travels unencrypted over the mobile network. It can be intercepted through SIM-swap fraud (persuading the operator to move the victim's number to the attacker's SIM), SS7 signalling attacks, or malware on the phone itself, and a phishing page can simply ask the victim to type the code in. For this reason SMS is considered the weakest of the common second factors.
Because of such shortcomings, more and more systems are adopting biometric authentication, in particular the fingerprint scanner built into most modern smartphones. A finger is somewhat harder to get hold of than a password. Bear in mind, though, that a fingerprint is an identifier rather than a secret: it can be lifted from a surface and copied, and unlike a password it cannot be changed once compromised, so it is best used alongside another factor rather than instead of one.
How to choose the right security
It is generally recommended to insist on multi-factor authentication for data whose loss or compromise would have serious consequences. Elsewhere, a reusable password is acceptable and, where more security is needed, a one-time password.
Change your passwords periodically (at least once or twice a year), and the more valuable the information, the more often. Note that current NIST guidance (SP 800-63B) no longer recommends rotation on a fixed schedule; what matters more than the calendar is changing a password immediately when there is any sign it has been compromised. Never use names, significant dates or other easily guessed information as a password. Instead of a single reusable word, use a passphrase: a sequence of several words, modified at the owner's discretion.
For example, suppose you are a big fan of Italian cuisine. You could start from the word «spaghetti»:
Spaghetti → spaghetti → sp48hett1.
It is still your favourite pasta, but the word is no longer obvious at a glance. Be careful, though: swapping letters for look-alike digits is one of the first rules a password-cracking tool applies to every dictionary word, so «sp48hett1» on its own is much weaker than it looks. The real gain comes from length: string together three or four unrelated words (with or without such substitutions) and a guessing attack becomes impractical.
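To show why a single substituted word is weak, here is an added example (not code from the original article, and not any particular cracking tool) in Python: a miniature dictionary attack that applies a look-alike substitution rule to a constructed three-word wordlist and recovers «sp48hett1» after a few dozen guesses. The substitution map, the wordlist and the use of plain SHA-256 as the stored hash are all constructed assumptions for the illustration.

```python
import hashlib
import itertools

# Look-alike substitutions that cracking rule sets routinely apply to every
# dictionary word. Constructed illustration, not any tool's actual rule file.
LEET_MAP = {"a": "4", "e": "3", "g": "8", "i": "1", "o": "0", "s": "$", "t": "7"}

# Constructed three-word "dictionary"; a real cracker uses millions of words.
WORDLIST = ["pasta", "risotto", "spaghetti"]


def store(password):
    """Stand-in for a stored password hash. Unsalted SHA-256 is used for brevity;
    real systems use a slow, salted hash, which raises the cost of each guess
    but does not change how many guesses the rule produces."""
    return hashlib.sha256(password.encode()).hexdigest()


def leet_variants(word):
    """Yield every spelling of `word` in which each substitutable letter is,
    independently, either left alone or replaced by its look-alike."""
    choices = [(ch, LEET_MAP[ch]) if ch in LEET_MAP else (ch,) for ch in word.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def variant_count(word):
    """Candidates the rule generates for one word: 2 ** (number of substitutable letters)."""
    return 2 ** sum(1 for ch in word.lower() if ch in LEET_MAP)


def crack(target_hash, wordlist=WORDLIST):
    """Dictionary attack with the substitution rule.
    Returns (recovered_password, candidates_tried); the password is None if nothing matched."""
    tried = 0
    for word in wordlist:
        for candidate in leet_variants(word):
            tried += 1
            if store(candidate) == target_hash:
                return candidate, tried
    return None, tried


def passphrase_guesses(words_in_list, n_words):
    """Search space for an n-word passphrase drawn uniformly from a word list, for comparison."""
    return words_in_list ** n_words


if __name__ == "__main__":
    password, tried = crack(store("sp48hett1"))
    print(f"recovered {password!r} after {tried} guesses "
          f"({variant_count('spaghetti')} variants of 'spaghetti' alone)")
    # A four-word passphrase from a 7776-word (Diceware-sized) list, by contrast:
    print(f"four-word passphrase search space: {passphrase_guesses(7776, 4):.2e} guesses")
```

The point of the comparison is that the substitution rule multiplies the work per dictionary word by a small constant (here at most 2 to the power of the substitutable letters), whereas each extra random word in a passphrase multiplies it by the size of the word list.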
There are also dedicated apps that add a second stage to the login process by generating a code on your phone. One such application is Google Authenticator. Each code is derived from a secret shared with the site when you set it up and from the current time, so the app can generate codes even with no internet connection.
When setting up security in an enterprise, several stages of verification are recommended, with the number depending on how serious the operation is. For day-to-day activities a strong password or a one-time password is sufficient; for anything more serious a second stage should be enabled. And if you are talking about access to a diamond vault, a Swiss bank or a secret military base, a three-step check is the better choice.
Achieving 100% protection is impossible, as new phishing attacks (scams that trick users into giving up their personal data) and malware appear and improve every day. But you do need to keep up with the times and not neglect data protection. Use two-factor authentication for business email, your online banking account and a social network page holding compromising correspondence. On sites and accounts that store nothing important, a passphrase is sufficient; a multi-level check there simply wastes time.