Multi-Factor Authentication (MFA)
Authentication is an action that proves something to be true or valid. In information security, authentication normally refers to the login process, during which one or more pieces of evidence (known as ‘factors’) are presented in order to show that whoever is attempting to log in to a computer resource – which might be a device, website or VPN connection – is who they say they are. Factors are normally, but not necessarily, used in conjunction with a username (sometimes only one factor might be required – for example a fingerprint). The main types of factor are:
Knowledge based: A piece of information known by the user, such as a password or PIN.
Possession based: A physical object in the hands of the user, such as a bank card or mobile device.
Biometric: A physical characteristic of the user, such as a fingerprint or walking pattern (gait).
Location: Evidence of where the user is, such as GPS location or IP address.
The main weakness of authentication is that it is most commonly done using a (username, password) pair alone, and this method is vulnerable to automated attacks, including the following:
Brute force and dictionary attacks
In a brute force attack, an adversary uses a computer application to attempt unauthorised login by combining a known username with all possible password combinations. Despite the fact that there may be trillions of possible combinations for an eight-character alphanumeric password, attackers are able to access supercomputing processing power that can work through them in minutes.
Dictionary attacks are a refined form of brute force attack that restricts the guessed passwords to valid words in one or more languages, or variants of those words (for example monkey, MonKeY, M0nk5y and so on), together with other non-random sequences such as 123456. This massively reduces the search space and the time taken to guess the password.
Password spraying
Similar to a dictionary attack, in this type of attack a small group of commonly used passwords is tested against a large number of accounts (usernames).
Credential stuffing
In this form of attack, (username, password) pairs that have been stolen elsewhere, or purchased on the darknet, are tested on commercial websites and applications such as shopping sites, social media and gambling sites.
In each of these cases the intention is to access and abuse accounts (‘Account Takeover’) – often with the result that businesses and individuals are inconvenienced and lose money. When applied against resources that can allow access to corporate networks such as RDP and VPN, the attacker may be able to infiltrate and insert malware (for example ransomware) and/or steal data.
Multi-Factor Authentication is an efficient way to mitigate all of these types of login attack: at login the user has to enter their username and password along with one or more of the factors mentioned above (e.g. a PIN sent to their mobile phone, or a fingerprint). Attackers who do not have access to this additional factor are unable to access the resource. MFA is such an effective information security control that it is generally required by all security frameworks, and it is strongly recommended wherever there is a risk of account takeover attacks on unregulated venues (for example a cryptocurrency exchange or gambling website). Apart from phishing, login attacks (particularly against RDP) are the most common attack vector for ransomware.