
Multifactor Authentication: How to benefit from this security strategy

Jan 4, 2022 | BLOG

Multi-factor authentication is a security control that makes it much harder for an attacker to take over an account. In practice, it requires at least two independent kinds of evidence of identity before an individual is granted access to a system.

Those kinds of evidence are knowledge factors, such as passwords; possession factors, such as tokens; and inherence factors, such as fingerprint or facial recognition.

Do you want to learn more about it? Keep reading the article we have prepared.

Multi-factor authentication is a practical control that protects individuals and businesses against account takeover.

This strategy is especially important these days, considering the significant increase in hacking attempts.

A survey by Kaspersky, a security company, published on CNN Brasil's website, points to alarming numbers. According to it, cyberattack attempts grew 330% in 2020, and altogether more than 370 million corporate systems were hacked.

With most companies adopting remote work during the covid-19 pandemic, corporate systems became reachable from home networks and personal devices, which widened the attack surface.

This has increased the need for controls such as multi-factor authentication, as discussed in one of the topics below.

In this article, we explain what this feature is, its importance, and how to implement it, among other information. To make it easier for you to understand, it is divided into the following topics:

  • What is Multi-factor Authentication?
  • How Important is Multi-factor Authentication?
  • Are Companies Required to Use This Feature?
  • Two-factor Authentication and Multi-factor Authentication: What is the Difference?
  • Are Complex Passwords as Effective as MFA?
  • Digital Authentication Types
  • Methods Used in Attempts to Break MFA Security
  • Multi-factor Authentication and Remote Work


Keep reading and enjoy it!


  • What is Multi-factor Authentication?

Multi-factor Authentication (MFA) is a control that makes account takeover harder by requiring several independent proofs of identity before a user is authenticated. Because an attacker who has stolen a password still lacks the second factor, it protects the data reachable from the account or device and avoids the losses that follow a compromise.

In practice, there must be a unique user ID, as required by PCI DSS Requirement 8.1.1, combined with at least two of the three factor types listed in PCI DSS Requirement 8.2 (PCI DSS v3.2.1 numbering; Requirement 8.3 is the one that actually mandates MFA for administrative and remote access to the cardholder data environment). The three types are:

  • Knowledge factor: something the user knows, such as a password;
  • Possession factor: something the user has, such as a hardware token or an authenticator app; and
  • Inherence factor: something the user is, such as a fingerprint or face.

For multi-factor authentication to work as it should, the factors must be independent of each other: compromising one must not hand the attacker the other. A password plus a code e-mailed to a mailbox protected by that same password, or a single phone that both stores the password and receives the code, does not provide two independent factors.

  • How Important is Multi-factor Authentication?

Multi-factor authentication is a mechanism to combat credential theft and cybercrime in general. For organizations, this protection is important for several reasons.

It helps avoid financial losses from fraud and from the downtime that follows an intrusion, since an account takeover can halt business operations.

In addition, it reduces the company's exposure to legal proceedings arising from data leaks.

Such proceedings can follow, for example, from non-compliance with Brazil's General Data Protection Law (LGPD), in force since September 18, 2020. The law requires companies to adopt a series of procedures to protect personal data.

Non-compliance can lead to administrative sanctions of eight different kinds, including fines of up to 2% of the company's revenue in Brazil, capped at R$50 million per infraction.

  • Are Companies Required to Use This Feature?

Multi-factor authentication is not mandatory for every company. Its use is nevertheless strongly advised for companies of any size or segment, since it addresses a whole series of risks at low cost.

Individuals also benefit from it, as they are equally targeted by phishing and credential-stuffing attacks.

For some audits it is already mandatory (PCI DSS, for instance, requires it for administrative and remote access to the cardholder data environment), and it may cease to be optional in other contexts soon.

  • Two-factor Authentication and Multi-factor Authentication: What is the Difference?

Two-factor authentication (2FA) is simply multi-factor authentication with exactly two factors: every 2FA scheme is MFA, and both require more than a traditional password to log in.

What matters is that the two proofs come from different categories. A password plus a second secret, such as a security question or a static PIN, is two-step verification using two knowledge factors, not multi-factor authentication: whoever has phished the first can usually phish the second.

Multi-factor authentication, in the strict sense, combines at least two distinct categories. In practice, this means the user combines elements such as a password and a fingerprint scan, respectively a knowledge factor and an inherence factor. Schemes with three or more factors are also possible, which is why the general term is preferred.

  • Are Complex Passwords as Effective as MFA?

Experts recommend enabling multi-factor authentication whenever a service provider offers it.

Vendor studies consistently show its effectiveness: MFA blocks over 99.9% of automated, credential-based account attacks, because a stolen or guessed password alone is no longer enough.

According to Google's research, merely adding a recovery phone number to a Google account (so that a code or prompt is sent to the phone) blocked 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.

Relying on a password alone, however complex, is insufficient: attackers have increasingly sophisticated tooling, and the number of breached credential sets in circulation means even a strong password can be leaked by the service that stores it.

Multi-factor authentication resists these intrusions because, in addition to the password, the attacker must also defeat the second factor.

Compromising that second factor (stealing a hardware token, cloning a SIM, or running a real-time phishing proxy) raises the attacker's cost considerably, so it tends to be reserved for targeted attacks on high-value accounts rather than opportunistic ones; phishing-resistant factors such as FIDO2 security keys raise that cost further.

  • Digital Authentication Types

There are several ways to authenticate a user digitally, with different levels of strength. This topic covers the best known. Check them out:

  • Passwords: Passwords are the most common authentication method and a knowledge factor. To fulfil their function, many services enforce criteria such as a minimum length and the use of numbers or special characters; checking new passwords against lists of known breached passwords is at least as important as complexity rules.

  • Personal Information: Some systems ask the user for information such as the mother's name, date or city of birth, or full name. This is another knowledge factor, and a weak one, since much of this information is public or easily discovered.

  • One-time code (PIN): A code generated for a single login and delivered to a device registered to the user, typically by SMS or an authenticator app. Although often called a PIN, it is a possession factor: it proves that the user holds the phone that received it. A static PIN that the user memorizes, by contrast, is just a short password, that is, a knowledge factor.

  • Token: As a possession factor, the token is an item widely used by banks to generate one-time passwords and prevent fraud. Its weakness is that it can be handed over or shared, so it should be combined with a factor of another type.

  • Face Recognition: This form of authentication identifies a person's face through algorithms and software. First, the features are captured by a camera. Then, sizes, shapes, proportions and distances between them are measured.

All this information is stored as a template in a database and compared with the live capture at each identification.

You might ask: what happens when we get older, or appear at a different angle or under different lighting? This technology, once quite limited, has evolved considerably, and three-dimensional recognition is now possible.

In addition, the camera captures the shape of the user's head, precisely so that the features can be identified regardless of the angle.

  • Voice Recognition: Speaker-recognition systems identify a user by the voice itself rather than by what is said. The audio is digitized and a voice print is extracted from characteristics such as pitch, intonation and pronunciation, then compared with the print recorded at enrollment. Its weakness lies in handling accents and changes in tone or health, and in resisting high-quality recordings or synthesized voices.

  • Fingerprint: The most common inherence factor. It relies on the unique ridge pattern at each person's fingertips to distinguish one person from another.

No type of digital authentication is 100% secure on its own. For this reason, multi-factor authentication is strongly recommended.

  • Methods Used in Attempts to Break MFA Security

Multi-factor authentication is widely used by companies to prevent attacks. However, not even this mechanism, with all its effectiveness, guarantees 100% protection. Here are some methods attackers use to get around it:

  • Disabling the MFA

An attacker who has obtained an account, or an administrator's rights, can change settings to turn off or re-enrol the user's MFA. After that, they no longer need to pass a second authentication step when connecting. Every MFA reset or disablement should therefore generate an audit event that someone reviews.

  • Bypassing Multi-factor Authentication

Here the attacker uses techniques that yield access without ever presenting the second factor. Two common routes are abusing an application the user has already authorized (for example, a malicious app granted OAuth access to the account, or malware on an already-authenticated device) and exploiting a weakness in the MFA channel itself.

Interception of an SMS message carrying the authentication code, through SIM swapping or telecom network weaknesses, is an example of the latter; a real-time phishing proxy that relays the user's code to the real site is another.

  • Taking Advantage of Authorized MFA Exceptions

This happens when the attacker finds accounts or paths that operate outside the MFA policy. Legacy authentication protocols that cannot carry a second factor are the usual case: POP3, IMAP and SMTP AUTH mailbox access, for instance, accepts just a username and password unless it is disabled or forced through modern authentication.

  • Stealing the SAML Signing Certificate

This technique is well known and very hard to detect. The attacker steals the identity provider's private signing key, or installs a forged one, and can then mint SAML assertions for any user with MFA marked as satisfied. It shows how important it is to protect and continuously monitor the identity provider itself.

  • Reusing a Session

A system can be compromised through an already authenticated session: once the user has passed MFA, a session cookie or token represents that proof for its whole lifetime, and most services default to a re-authentication interval of up to 30 days. An attacker who steals the token (via malware, a phishing proxy, or a compromised device) can use it without ever touching the second factor. Shorter session lifetimes, binding sessions to the device, and re-authentication for sensitive actions limit this window.
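As an added example (not part of the original post), the following Python script turns three of the patterns above into detection rules and runs them over a handful of constructed sign-in and audit events: an MFA-disablement audit event, a sign-in over a legacy protocol that never presented a second factor, and a session token that is either still being used past the policy's maximum lifetime or was never issued by an observed sign-in. The JSON event schema, the field names, the protocol labels and the 24-hour session limit are assumptions made for the example; map them onto the real log fields of your identity provider.

```python
# Added example: detection rules for the MFA-weakening patterns discussed above,
# run over constructed events. Event schema and thresholds are assumptions.
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Authentication protocols that cannot carry a second factor (assumed labels).
LEGACY_PROTOCOLS = {"POP3", "IMAP4", "SMTP_AUTH"}

# Constructed sample events, one JSON object per line, in arrival order.
CONSTRUCTED_EVENTS = [
    '{"ts":"2022-01-04T08:00:00Z","type":"signin","user":"alice","protocol":"HTTPS","mfa":"satisfied","session_id":"s1"}',
    '{"ts":"2022-01-04T08:05:00Z","type":"signin","user":"bob","protocol":"IMAP4","mfa":"not_required","session_id":"s2"}',
    '{"ts":"2022-01-04T08:10:00Z","type":"session_use","user":"alice","session_id":"s1","ip":"192.0.2.10"}',
    '{"ts":"2022-01-04T09:00:00Z","type":"audit","action":"mfa_disabled","target":"carol","actor":"carol","actor_ip":"203.0.113.7"}',
    '{"ts":"2022-01-04T10:00:00Z","type":"session_use","user":"dave","session_id":"s9","ip":"198.51.100.9"}',
    '{"ts":"2022-01-05T09:30:00Z","type":"session_use","user":"alice","session_id":"s1","ip":"198.51.100.9"}',
]


def parse_event(line: str) -> Dict:
    event = json.loads(line)
    # fromisoformat() on older Pythons does not accept a trailing "Z".
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def analyze(lines: List[str], max_session_hours: float = 24.0) -> List[Dict]:
    """Replay the events in time order and emit one finding per rule hit."""
    max_age = timedelta(hours=max_session_hours)
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    started: Dict[str, datetime] = {}   # session_id -> sign-in time
    findings: List[Dict] = []

    for e in events:
        if e["type"] == "signin":
            started[e["session_id"]] = e["ts"]
            # "Authorized exceptions": legacy protocols, or anything that skipped MFA.
            if e.get("protocol") in LEGACY_PROTOCOLS or e.get("mfa") != "satisfied":
                findings.append({"rule": "signin_without_mfa", "user": e["user"],
                                 "protocol": e.get("protocol"), "ts": e["ts"].isoformat()})
        elif e["type"] == "audit" and e.get("action") == "mfa_disabled":
            # "Disabling the MFA": every such change deserves review, self-service or not.
            findings.append({"rule": "mfa_disabled", "user": e["target"],
                             "actor": e.get("actor"), "actor_ip": e.get("actor_ip")})
        elif e["type"] == "session_use":
            sid = e["session_id"]
            if sid not in started:
                # "Reusing a session": a token we never saw issued (stolen or forged).
                findings.append({"rule": "session_without_signin", "user": e["user"], "session_id": sid})
            elif e["ts"] - started[sid] > max_age:
                # Session outlived the policy's maximum lifetime without re-authentication.
                age_hours = round((e["ts"] - started[sid]).total_seconds() / 3600, 1)
                findings.append({"rule": "stale_session", "user": e["user"],
                                 "session_id": sid, "age_hours": age_hours})
    return findings


if __name__ == "__main__":
    for finding in analyze(CONSTRUCTED_EVENTS):
        print(json.dumps(finding))
```

Two of the rules depend on seeing the sign-in and the later session use in the same stream; in production that means correlating the identity provider's sign-in log with application access logs on the session identifier, which is also where a change of source IP between the two events would be added as a further signal.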

  • Multi-factor Authentication and Remote Work

The use of multi-factor authentication became more urgent with the covid-19 pandemic, because most organizations had to adopt a home-office model, with employees accessing systems from any environment and device.

According to one survey, 90% of companies operating in Brazil adopted remote work due to covid-19, and many will keep this working model even after the pandemic ends.

This new condition brought vulnerability to companies: credentials are now used from home networks and personal devices, which makes attacks easier and makes a second factor essential.

In this article, you have seen what multi-factor authentication is and its importance to individuals and corporations. If our content has answered your questions, please share it with others who are also interested in the subject.
