Major breaches to corporate information systems, such as Equifax’s 2017 data breach,1 have shown the vulnerabilities of many data security practices. These highly public failures have created some of the most significant headlines of the early twenty-first century,2 forcing data security experts to rethink their methods for securing personal information. One method receiving a renewed focus is multifactor authentication—a process by which institutions use multiple steps to verify a user’s identity. Some forms of multifactor authentication (such as requiring a personal identification number (PIN) when using a bank card) have been reliable for some time, and consumers now consider the practices to be second nature. However, the security of these methods has been substantially eroded in recent years, demonstrating the need for businesses and governments to respond to increasingly sophisticated threats that face a highly digitized society.
Data security threats are primarily the responsibility of governmental agencies and financial institutions, which collect and store significant amounts of confidential information. The government has recognized this responsibility and enacted guidance through the Federal Financial Institutions Examination Council (FFIEC), the National Institute of Standards and Technology (NIST), and the Department of Homeland Security (DHS). This guidance has raised the standards to ensure best practices are adopted to protect confidential data.3
WHAT IS MULTIFACTOR AUTHENTICATION?
Multifactor authentication is a process by which online accounts and services confirm the identity of a user through a series of verification steps (known as “factors”), each of which provides additional evidence that the user is who she claims to be. Each additional factor required for authentication significantly increases protection. There are three primary types of authentication factors: (1) knowledge factors (something the user knows), (2) possession factors (something the user has), and (3) inherence factors (something the user is).4 While some information systems use multiple steps of the same type of factor, the FFIEC, among others, has criticized such use as inadequate, recommending the use of different authentication factor types for more effective protection.5 Although multifactor authentication can also refer to non-digital factors (such as fingerprints or retinal properties), this paper uses the term in the digital sense unless otherwise specified.
Knowledge factors are perhaps the most familiar form of authentication;6 a user must prove that they know a certain piece of information, such as a password, passphrase, or PIN to access an account. Although useful and easy to implement, knowledge factors can vary greatly in the level of protection they provide, depending on the strength of the password, or phrase. Greater length or variability in the types of characters used (i.e., uppercase/lowercase, special characters, numbers) and the exclusion of common words or names strengthen passwords and makes them more difficult for malicious third parties to crack. Knowledge factors that are easily discoverable through public record (a user’s legal name, for example) are best avoided, given the ease with which a third party may access that information and seek to breach the secured system.
Possession factors are items within the user’s possession.7 A key, for example, would be a possession factor in the physical world for a user authenticating her identity at a locked door. With the advent of computer technology, possession factors known as tokens have become an important facet of multifactor authentication. A digital token is simply a form of code that represents the identity of the user and serves as a physical identifier for whichever system the user seeks to access.8 A token will often use constantly changing authorization credentials to match the constantly changing access code for the system. The token and program are synced to change their credentials just as two watches can be synced for time, and each follows the same sequence as its counterpart.
There are two primary types of tokens: Hardware (hard) tokens and software (soft) tokens, each with their own advantages and disadvantages. Hard tokens are physical items that can provide a user with access to a system, for example, a security access card.9 The credentials are stored in that device alone which must be physically carried with the user. In contrast, soft tokens are stored on electronic devices and can be duplicated and shared across devices.10 More frequently, smartphones are used to store soft tokens and provide users with a convenient way to authenticate their identity but can subject them to potential cyber threats if the device the token is accessed on is compromised.
Inherence factors are those inherent in the user as an individual.11 Biometric technology is used to analyze the user’s physical characteristics and authenticate their identity. This can include any number of identifiers; however, commonly used identifiers include fingerprints, retinas and irises, voice patterns, and facial recognition. These identifiers, usually subjected to a scan, are then compared to a database containing a stored sample for confirmation of the user’s identity. Inherence factors are incredibly difficult to duplicate because they require the unique physical features of the user for access. The systems used to implement biometric data scans can be costly, however, sometimes limiting the attractiveness of their use. TouchID, the fingerprint recognition technology used by Apple, Inc. on its devices, stores fingerprints locally on the device to prevent external access to fingerprint information while still providing the ease of access and protection of an inherence factor.12
Location and time, although not strictly considered authentication factors, may also be used to confirm the identity of a user. The user’s normal geographic location (for example, access from a user’s office) and the time of access can help identify a user and protect them from malicious third parties. For instance, if a user makes a withdrawal from their bank in New York at 6:00 PM, a subsequent, same-day withdrawal in Florida at 6:05 PM could alert the user’s bank to potentially fraudulent activity. As it is not possible that the user could be in both places at once, many systems automatically acknowledge this impossibility and react by shutting out the second user or by providing the user with an alert of the potentially unauthorized access.
For firms wishing to implement multifactor authentication, the primary concerns relate to the greater expenses associated with more sophisticated authentication systems. Often, deploying more sophisticated systems may require using several different software programs, as well as potential hardware in the issuance of tokens. Both are frequently issued on a subscription basis, requiring monthly or annual fees. In addition to deployment costs, multifactor authentication often carries significant additional support costs. The price of such a process being put in place increases based on the number and complexity of the factors implemented.13
There are also some practical concerns with the implementation of multifactor authentication: no system is free from human error. It is possible to forget a password, and tokens (or the hardware with access to tokens) can be lost, stolen, or otherwise compromised. Additionally, information may be properly secured by one institution, but the data may still be compromised if other firms sharing the information are breached. It is therefore important for entire industries to maintain a certain level of protection on their confidential data for their sake and the sake of their affiliates.
A firm wishing to implement multifactor authentication will need to balance its interests in ease of access, expense, and data security to suit its needs. Although multifactor authentication provides great value to those seeking to protect digital information, criminals are still able to compromise systems implementing multifactor authentication. Phishing schemes, man-in-the-middle, man-in-the-browser, and other malware attacks can bypass certain processes by taking advantage of human error, gleaning authentication factors from unsuspecting users to infiltrate otherwise secure systems.14 While multifactor authentication can be effective, other measures, such as employee training on data security or the creation of a guide for technology best practices within the firm, should be taken to ensure proper treatment of authentication credentials and to provide greater protection for confidential information.
MULTIFACTOR AUTHENTICATION’S OUTLOOK
Multifactor authentication has been implemented across many platforms and is nearly ubiquitous in our modern society. Used as a security measure, it can help to protect users against identity theft, fraud, and brute force hacking. The practical approach to multifactor authentication requires finding the proper balance between expense and the need to keep information secure. Not every circumstance will necessitate an intensive multifactor system, nor will every institution be able to justify the costs of keeping one in place. Still, understanding the options available to protect confidential information can help create awareness about the potential risks and ways to manage them appropriately.