
What is Two-Factor Authentication (2FA)

February 20, 2023

Authentication has been a part of digital life since MIT implemented a password system on their shared-access computer in 1961. Today, authentication covers virtually every interaction you can have on the internet. But up until 2010, the security of most online services only extended as far as requiring an eight-character traditional password. Since then, online spending has grown to over $1 trillion annually in the U.S. alone (you don’t have to spend much to get a top-tier 5G phone).

Along with the growth in spending has come a corresponding growth in identity theft and stolen passwords. To stem the rising tide of online crime and prevent cybercriminals from taking your money, many banks and online retail stores demand more than a password for account access. If you want to participate in today’s online marketplaces, you’ll need multi-factor authentication.


What is multi-factor authentication?

Authentication is proving you are who you say you are: your authenticity. A factor of authentication is a general method of authentication. Multi-factor authentication is using more than one method to prove your identity. Generally, most security systems use a combination of two or more factors of authentication.

Knowledge factors are something you know

login window for a website displaying username and password

Passwords are the perfect example of a knowledge factor. Either you know it or you don’t. If you don’t, you can’t access your Gmail account. Knowledge factors were the foundation of security for the early internet, but making good passwords is hard, and passwords are generally easy to guess, buy, or crack.

Many websites (especially social media) use two knowledge factors to verify your identity if you forget your password: your email address and the answer to one or more security questions like “What street did you grow up on?” This is known as two-step verification rather than two-factor authentication because even though two questions are asked, the second factor of authentication isn’t different from the first.

Possession factors are something you have

hand holding a debit card

Source: Wikimedia Commons / jarmoluk

A possession factor is any object or physical device that can be used to authenticate you. Everything from keys to credit cards to your driver’s license can be considered a possession factor. More and more, your smartphone is considered a possession factor. If you want to get into your GitHub account, a one-time password is sent to your phone, and you need it to access your account. The disadvantage of only using possession factors for authentication is they can be stolen (in the case of credit cards) or hijacked (in the case of SMS messages sent to your phone).

Inherence factors are something you are

hand pressed to a fingerprint scanner

Source: Wikimedia Commons / U.S. Customs and Border Protection

Inherence factors rely on something inherent to you to prove your identity. Inherence factors, or biometrics, are the authentication factor used by smartphones from almost every major manufacturer, including a fingerprint reader or facial recognition in the case of the iPhone. The benefit of biometric authentication is that it’s nearly impossible to replicate. The drawback is that it can be difficult to implement well.

Behavior factors are something you do

hands typing on a laptop keyboard

Source: Wikimedia Commons / janeb13

Behavioral biometrics is on the cutting edge of authentication. Instead of relying on retinal scans and fingerprints (physical biometrics), some companies are looking at behavior patterns as a way to identify you. The way you type, the way you talk, the way you walk, and the way you carry yourself or use your mouse can be used to identify you.

Location factors are somewhere you are

Google Maps location pin superimposed over a map of Tokyo

This is still on the horizon as far as implementation goes, but it is being looked at. Where you are or where you go will be used when verifying your identity. The idea is that if someone steals your password and spoofs your smartphone to intercept your SMS messages, they won’t be able to access your accounts if they’re not in the right place (sorry, call center scammers).

How is multi-factor authentication used?

The most common form of multi-factor authentication is two-factor authentication involving the use of a possession factor and a knowledge factor. This level of security has been the gold standard since 1965 when the first ATM was installed. Today we use a plastic smart card as our possession factor at the ATM, but 50 years ago, they used bespoke personal checks. As for the knowledge factor, like today, the original ATM used a four-digit personal identification number which is likely the origin of using a PIN as a knowledge factor.

RSA SecurID key fob

Source: Wikimedia Commons / Raysonho

Most types of two-factor authentication involve the use of a one-time password. An OTP is an additional password you must enter to authenticate yourself that’s only good for one use. Its earliest implementation involved a key fob (possession factor) that displays a six-digit passcode that changes at fixed intervals. The user has to append the OTP to their login credentials to access their account.

Another common example of two-factor authentication used today involves sending a time-based OTP as an SMS text message, email, or even an automated voice call to a user’s device to be input after entering their username and password. Although this method of OTP distribution is popular, it’s fallen out of favor in the security community because of the prevalence of phishing attacks and SIM-card hijacking.

To mitigate the risk of your phone number being compromised, a number of services use software to generate the OTP on your phone or computer instead of sending it to you. Other services offer authenticator apps on the Android Play Store, with Authy and Google Authenticator among the most popular.

Hardware tokens like YubiKey and Nitrokey have been rising in popularity. Similar to the key fobs that display an OTP, hardware tokens (sometimes called security keys) generate an OTP and automatically enter it for you. Unlike the original security tokens, which were primarily distributed at the enterprise level for employee access to work networks, YubiKey and its competitors are available to consumers and can be integrated with Amazon and other major online service providers.

an assortment of YubiKey key fob security tokens

Source: Yubico.com

A popular alternative to sending OTPs to your mobile device is to use app-based push notifications to authorize account access. Google and Apple are industry leaders in this regard and have used push authentication for the past five years. Push authentications are popular because they remove some of the security vulnerabilities of SMS-based OTPs, and it’s easier to tap a notification than it is to enter a password.

The future of multi-factor authentication

As more of the world’s business moves online and the sophistication of hackers continues to grow, the need for security will grow along with it. Given that over two billion passwords were compromised in 2021 (a number that has been growing since we began keeping count), using a simple password is no longer sufficient to lock down sensitive data like medical records and credit card information. From where we stand now, the future of online authentication looks like it will be shaped by two paradigms: passwordless authentication and passive authentication.

Security professionals don’t like passwords as an authentication method. People are bad at picking them (the top passwords of 2022 were “password” and “123456”), and they’re not user-friendly. Good passwords are also hard to remember. Even if you have a strong password that you can remember, passwords are vulnerable to numerous methods of hacking, from phishing and social engineering to data breaches and brute-force attacks.

Hacker on a computer in a dark room

Source: Wikimedia Commons / B_A

In the future, public-key encryption will likely supplant passwords, verification codes, and OTPs for most services. Instead of relying on an easily compromised knowledge factor to keep your PayPal account safe, your private encryption key will be stored on a possession factor like your mobile phone or a key fob, which will be locked behind an inherence factor like your fingerprint or a face scan.

If security professionals don’t like passwords, users don’t like logging in or onerous login requirements. Soon, you likely won’t realize you’re authenticating yourself as more businesses adopt passive authentication schemes that rely on behavioral and physical biometrics. Instead of logging in to your computer after it goes into sleep mode, your computer will analyze your typing rhythm and perform periodic face scans to authenticate you continuously.

These cybersecurity measures aren’t something you’ll see in the far future. They are being used at the enterprise level right now. As the profile of online crime continues to rise, look to banks and retailers to lead the way in implementing and requiring these new, more stringent means of MFA to lock down your online accounts to prevent unauthorized access. It’s not a matter of if you get on board with MFA account security. It’s a matter of when.
