What is Multi-Factor Authentication?

When you access a protected resource, you authenticate against a data store with your credential information. It consists of a claimed identity and a secret associated with it. Traditionally that's been done with just a simple username and password, and is the most common authentication method today. Unfortunately, username/password authentication has been shown to be quite vulnerable to phishing and credential hacking. Since passwords can be hard to remember, people tend to pick a simple one and reuse it across their various online and cloud services. This means that when a credential is hacked on one service, malevolent outsiders test it across other personal and professional digital services. 
Multi-factor authentication (MFA) is designed to protect against these and other kinds of threats by requiring the user to provide two or more methods of verification before they are able to gain access to a specific resource like an application, data storage, or private network.

The term “factor” describes the different authentication types or methods used to verify someone’s claimed identity. The different methods are:

• Something you know – like a password, or a memorized PIN, or challenge questions.
• Something you have – while historically it was a hard token, today more commonly it’s a smartphone or a secure USB key.
• Something you are – common biometrics are fingerprint, facial recognition; less common are biometrics like voice or other recognition technologies.

How do I decide how many factors I should configure for a protected resource?

Security and usability requirements dictate the process used to confirm the requester’s identity claim. Multi-factor authentication allows security teams to respond to the context or situation of the requestor (person or programmatic process), removing access being the most common scenario. Beyond determining how many types of authentication should be required, IT also needs to balance the cost of usability requirements with the cost of implementing them.

Single-Factor Authentication (SFA)

SFA has been and still is the default for securing access to mobile, online, and other secured information and facilities. Because it’s so ubiquitous and inexpensive, the most common type of SFA is username and password. Still, passwordless technologies are being adopted at an increasing rate to avoid threats posed by various phishing attacks. For example, the majority of mobile-based apps allow the use of fingerprint or facial recognition in place of the traditional username and password. 

Today, online services offered by Microsoft and Yahoo offer a passwordless SFA option, and other vendors such as Apple and Google will deliver the same option this coming year.

Because they are used to verify identities, authentication tokens need to be protected against outsiders. In addition to strong token security, they are often configured to expire fairly frequently, increasing their refresh rate. While implementing short-lived tokens used underneath the passwordless interface raises security, it doesn’t meet the level offered by two-factor authentication.

Two-Factor Authentication (2FA)

2FA strengthens security by requiring the user to provide a second type (know, have, are) for identity verification. One proof of identity might be a physical token, such as an ID card, and the other is something memorized, like a challenge/response, security code, or password. A second factor significantly raises the bar for malfeasant and other outside actors to successfully breach through security. 

Here is a common list of popular authentication methods: 

• One-time passwords – TOTP, HOTP, YubiKey and other FIDO compliant devices
• Other out-of-band – voice call, mobile push
• PKI – certificates
• Biometrics – fingerprint, face, voice recognition
• Proximity – cards, mobile app geo-fencing
• What you know – passwords, challenge questions
• Social credentials

Three-Factor Authentication (3FA) 

Adds another factor to two-factor for further difficulty in falsifying one claimed identity. A typical scenario might be to add biometrics to an existing username/password plus a proximity card login. Because it adds a notable level of friction, it should be reserved for situations that require a high level of security. Banks may find situations where 3FA makes sense, as would various government agencies. Specific high control areas within a part of an airport or hospital are also areas where security teams have deemed 3FA as necessary.

---

Where is MFA typically used?

Although many organizations view user verification as an afterthought, it’s important to note that Verizon’s annual DBIR consistently shows credential hacking as a top breach strategy. It’s simply a matter of time before virtually every organization suffers an event where they lose sensitive information that results in a tangible financial loss and potential loss of customer trust.

What makes these trends notable is that there has never been a time when multi-factor authentication is as convenient and affordable to implement as it is today. Traditionally, organizations have been limiting their MFA implementations to a small subset of specialized users who work with information that poses a higher level of risk to the business. Cost and usability have often been the limiting factors preventing wider deployments of strong authentication technology. Historically, strong authentication methods were expensive to purchase, deploy (including enrolling the users), and administer. But recently, there has been a sweeping set of changes across industries, within the organizations themselves, their customers (or patients, citizens, partners, etc.), and the technology that they have access to.

What are the main business drivers for implementing multi-factor authentication?

While each organization has their own concrete requirements, there are high level business drivers that are frequently common across them: 

• Most industries must comply with some type of privacy law concerning customer, patient, or financial information. In addition, government agencies continue to firm up their policies requiring MFA for user identity verification.
• Remote work – more than ever, professionals are doing work outside the office, either as road warriors or as remote employees. Whether it’s part of their risk management practices or as part a compliance initiative covering information (customer, patient, citizen, HR, etc.) that are subject to government authentication mandates.
• Power users and the organizations they work within do so in a pervasively connected world, meaning when their credentials are breached the exposed vulnerability to their employer is a compelling force to securing their accounts with MFA.
• Virtually everyone has a connected computer (smartphone) in their pocket from which they conduct their lives: social media, consumer personalized content, and e-commerce. Because customers expect to interact with businesses digitally on their devices, organizations often pursue an aggressive mobile app strategy that need MFA to manage their risk. 

Which mandates require that organizations use MFA to be in compliance?

• Federal Financial Institutions Examination Council (FFIEC) issued guidance in October 2005 requiring banks to reassess their login protocols consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access or the movement of funds, and to enhance authentication based on the risk of their service. Beyond the mandate, financial institutions are also subjected to a high bar to gain their client’s trust.
• Gramm-Leach-Bliley Act (GLBA) – U.S. financial institutions must ensure the security and confidentiality of their customer records.
• Section 404 of the Sarbanes-Oxley Act (SOX) requires the CEO and CFO of publicly traded companies to certify the effectiveness of the organization's internal controls.
• PCI DSS Requirement 8.2 defines authentication requirements which include MFA for remote access of the Cardholder Data Environment (CDE).  It also recommends which methods should be used.

---

What are some ways to make MFA less intrusive on the user experience?

IT has access to a few technologies to reduce the friction that MFA can potentially impose on users:

• Single sign-on.
• Risk assessment of an access request.
• Match the best authentication type to the user.

Single Sign-On (SSO)

Single sign-on (SSO) allows a user to authenticate to multiple resources from just a single interaction from the user, meaning that the user enters a single credential from which the infrastructure beneath it authenticates to each of the protected resources on his behalf during that session. The most secure approach to SSO is for the authentication engine to use a unique set of credentials for each resource that is set up for SSO. This builds up security to a high level because:

• The user doesn’t know the actual credential of the resource, but rather just the credential used provided to the authentication gateway. This forces the user to use the authentication gateway rather than going to the resource directly. It also means that each resource has a unique credential so if the identity store of one of them is breached it doesn’t compromise the others. This approach allows IT to comply to MFA requirements while performing serial authentications to protected resources.  
• By leveraging the user context, risk-based (RBA) technology can be used to invoke MFA only when needed. Whether it’s to comply to a government mandate or enforce the organization’s risk management policy, RBA can be used to decrease the instances that an authentication request is imposed onto a user. Policies are commonly a mix of location, device, and time of access. 

Low friction authentication options

While the traditional OTPs/TOTPs will continue to be the most common type of 2nd-factor authentication, there may be other options that make more sense for a situation. Out-of-band push mobile apps offer a low friction option to OTP because all the user needs to do is hit the accept button. For higher-risk situations, some push apps have the option Push mobile apps may be configured to require a fingerprint to verify the person’s identity as well as a confirmation of information, such as a number, presented on the desktop to further verify that the user possesses both the desktop and smartphone.

Facial recognition is quickly becoming the biometric authentication of choice. The low friction nature of Windows Hello, noting that it gets better over time, offers a convenient user experience. The biggest challenge is that Windows Hello doesn’t work well with various lighting situations. This failure to recognize faces across lighting can be managed with additional facial registrations. More recently, some mobile apps offer the ability to register a person’s iris patterns in their eyes. Used together (facial, fingerprint, iris), biometric authentication options raise the security bar quite high for an outsider to defeat. Biometric methods are also an excellent option for organizations looking for a low-friction way to protect against phishing attacks.

Voice recognition has gained popularity in the financial services sector. Institutions like it because it’s entirely passive for customers as they speak with a service representative. The representative is notified when the customer’s identity has been verified. They use voice recognition in place of challenge questions with customers who frequently have difficulty remembering the correct responses to them. In this case, security and usability are optimized.

FIDO/FIDO2 are attractive options for where users roam across multiple devices. Part of what makes FIDO an attractive authentication option is its broad vendor support and their focus on usability. FIDO has gained notable traction in universities that deal with a large number of students who use a variety of digital services. FIDO allows the portability of passwordless authentication across different devices and platforms.

The profiling of smartphone gestures is a type of behavioral analytics that performs heuristics on how the owner handles and physically interacts with their device. The output are confidence ratings based on the tracking gesturing patterns. Over time, profiling increases in confidence the builds out gesture fidelity. While initially not strong enough to be the primary form of identity verification, gesture profiling could serve as a suitable method used in conjunction with other authentication types.

---

How is NetIQ different than other MFA solutions?

Security teams often implement the supporting software that came with the authentication the are adopting. This seems to work well until different devices are purchased that requires a different software implementation, creating yet another silo. In large organizations, it’s quite possible to have multiple silos of passwordless technologies used for either multi-factor authentication or to satisfy some other authentication requirement. The weakness of this situation is that each authentication silo has its own set of policies. Keeping these multiple policy stores up-to-date requires higher administrative overhead and introduces risk of having uneven policies.

The NetIQ Advanced Authentication (AA) framework is designed to serve even the largest organization’s multi-factor authentication needs. It’s standards-based approach provides an open architecture free from the risks of vender lock-in. The framework supports a variety of devices and additional methods out-of-the box but can also be expanded as new technologies are delivered to the market.

Regardless of the platform (web, mobile, client) AA also provides out of the box support for the most common platforms and applications. Beyond serving as the central policy engine corporate wide authentications, AA also offers a risk-based engine to control when MFA is invoked as well as control which authentication types are offered under different risk levels. Beyond its own built-in engine, AA integrates with NetIQ Access Manager that provide a robust set of single sign-on options and risk metrics that can be used as part of an adaptive access management use cases.