Multi-Factor Authentication

by Connor White

Multi-factor authentication (MFA) was once a luxury but is now a baseline requirement for any system that is meant to be secure. A survey two years ago revealed that only 57% of organizations use MFA, and more recent research suggests that little has changed. MFA could have prevented some well-publicized recent breaches. The Colonial Pipeline breach, for example, occurred as the result of a single compromised password: the attackers accessed the system through a VPN (Virtual Private Network) account. A simple MFA requirement would likely have prevented the attack by making the VPN account far harder to use with the password alone.

MFA is used to ensure that digital users are who they say they are by requiring that they provide at least two pieces of evidence to prove their identity. Each piece of evidence should come from a different one of three categories: what they know (knowledge), what they possess (possession), or what they are (inherence). A knowledge factor is something a user needs to know in order to log in, such as a user name, ID, password, or personal identification number (PIN). A possession factor is anything a user needs to have in order to log in; one-time password tokens (OTP tokens), key fobs, smartphones with OTP apps, employee ID cards, and SIM cards fall into this category. Inherence factors are biological characteristics of the user that can support authentication. A range of biometric technologies fall within this category, including retinal scanning, iris scanning, fingerprint scanning, finger vein scanning, facial recognition, voice recognition, hand geometry, and even earlobe shape.

It is important to understand that the reliability of authentication is affected not only by the number of factors involved but also by how each factor is implemented. In each category, the rules chosen for authentication greatly affect the security of that factor. Poor or absent password rules, for example, can result in passwords like “guest,” which completely defeats the value of using a password at all. Best practices include requiring inherently strong passwords that are updated regularly. Facial recognition systems can in some cases be defeated by holding up a picture; more effective systems may require a blink or even a wink to register. Lax rules and implementations result in weaker security; conversely, better rules yield better security per factor and better security overall for a multi-factor authentication system.

MFA, if done right, can help prevent some of the most common and successful types of cyberattacks, including phishing, spear phishing, keyloggers, credential stuffing, brute force, reverse brute force attacks, and man-in-the-middle (MITM) attacks. MFA doesn’t stop every type of attack, and it doesn’t guarantee security. However, it does add additional layers of authentication that make attacks more difficult, which goes a long way toward protecting the integrity of a system. In fact, Microsoft reported that MFA can prevent over 99.9% of account compromise attacks.
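To make the knowledge-plus-possession combination concrete, here is an added example (not code from the original post or from Vala Secure) of a minimal two-factor login check: a salted password hash for the knowledge factor and a standard RFC 4226/6238 one-time code for the possession factor, the same algorithm the OTP apps mentioned above implement. The `Account` and `login` names are hypothetical; the TOTP secret is the published RFC test key, and the password and timestamps are constructed for the demonstration. It shows why a stolen password alone fails, why a captured code cannot be replayed, and how a failure counter blunts brute-force guessing.

```python
import hashlib
import hmac
import secrets
import struct

# --- Possession factor: RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1) ----------

def hotp(secret, counter, digits=6):
    """Counter-based one-time password with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def totp(secret, unix_time, step=30, digits=6):
    """Time-based code: HOTP over the current time step (30 s by default)."""
    return hotp(secret, unix_time // step, digits)

# --- Knowledge factor: salted, iterated password hash ----------------------

PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def check_password(password, salt, expected):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

class Account:
    """Hypothetical user record: password hash, TOTP secret, lockout state."""
    def __init__(self, password, totp_secret, max_failures=5):
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.max_failures = max_failures
        self.failures = 0
        self.last_counter = -1  # highest time step already accepted; blocks replay

def login(account, password, code, now, step=30, skew=1):
    """Two-factor check. Returns (ok, reason)."""
    if account.failures >= account.max_failures:
        return False, "locked"
    # Evaluate both factors before deciding, so the response does not reveal
    # which of the two was wrong.
    pw_ok = check_password(password, account.salt, account.pw_hash)
    matched = None
    counter = now // step
    for c in range(counter - skew, counter + skew + 1):  # tolerate clock skew
        if c > account.last_counter and hmac.compare_digest(hotp(account.totp_secret, c), code):
            matched = c
            break
    if not (pw_ok and matched is not None):
        account.failures += 1
        return False, "invalid_credentials"
    account.failures = 0
    account.last_counter = matched  # this code, and older ones, can never be reused
    return True, "ok"

# --- Constructed scenarios --------------------------------------------------

RFC_SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector key
PASSWORD = "correct-horse-battery"     # constructed sample password

def run_scenarios():
    """Walk through the attack cases the post lists and return each outcome."""
    acct = Account(PASSWORD, RFC_SECRET)
    good_code = totp(RFC_SECRET, 59)
    results = {}
    results["password_only"] = login(acct, PASSWORD, "000000", 59)     # phished password
    results["both_factors"] = login(acct, PASSWORD, good_code, 59)     # legitimate user
    results["replayed_code"] = login(acct, PASSWORD, good_code, 59)    # captured code reused
    for _ in range(acct.max_failures):                                 # brute-force attempts
        login(acct, PASSWORD, "123456", 120)
    results["after_lockout"] = login(acct, PASSWORD, totp(RFC_SECRET, 120), 120)
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} -> {outcome}")
```

The replay guard stores only the last accepted time step, which is enough to reject a code an attacker captured in transit; the `skew` window of one step on either side keeps the check usable when the phone's clock drifts a little.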

With the world in constant motion, it's important to have a security plan that can work outside the perimeter. But which authentication strategy is right for your organization? At Vala Secure, we can help ensure that your authentication strategy fits your needs. We stress the importance of multi-factor authentication over 2FA and SSO, and we have helped our clients find the right balance of end-user convenience without compromising the security integrity of their systems. Contact us at to learn more about how we can help protect your company.