Authentication is the process by which a user proves to a system that they are who they claim to be, by providing information that, in theory, only that user should know. The most popular method of authentication for many years now has been the traditional password. The username identifies you as a user of the system, and the password proves that you are that user.
As technology advanced, cyber threats evolved alongside it. It became easier and more common for cyber attackers to steal or guess users' passwords, and so an additional layer of authentication became necessary.
Three Factors of Authentication
It is widely accepted that there are three different factors of authentication, and the more factors that are used to authenticate a user, the harder it becomes to impersonate that user:
Something You Know
This is the most common factor in use. It is a piece of information that only you should know, which you use to identify yourself to a system. Passwords are the most common example of “Something You Know”, but other methods such as PIN codes or swipe patterns on a mobile phone also fall into this category.
Something You Have
“Something You Have” is the most commonly seen form of authentication added to passwords when implementing Two-Factor Authentication (2FA), and is regularly implemented as a short code sent to a user’s mobile phone or generated via a mobile application. This works because, while a password could be stolen or guessed, the person’s mobile phone is harder to steal or impersonate, which reduces the risk that a cyber criminal could impersonate a user.
Something You Are
As the capabilities of cyber criminals advanced, more advanced attacks against mobile phones became possible, including hijacking a number to redirect SMS messages. This meant that, whilst not a trivial attack to perform, stealing a 2FA code from a user was possible. This brought a third factor of authentication: Something You Are.
This is also commonly known as biometrics, and uses security features such as face recognition, fingerprints, and retinal scans. Attacks against biometrics are possible, but the difficulty is so high that they would only ever be employed against very high-profile individuals.
How Does MFA help protect my organisation?
As more organisations move towards a cloud-based approach, where key systems such as email or case management solutions are openly accessible over the internet, the threat of credential theft or user impersonation increases significantly.
As these platforms will often now contain highly sensitive company data, protecting access to them becomes more critical. Using Multi-Factor Authentication helps to minimise the risk that someone gains unwanted access to your data via these online platforms, ensuring that when someone tries to access your data, only approved individuals will succeed.