The 5 factors of authentication, and what you should know about them
With social engineering scams specifically targeting login credentials, it’s no longer enough to protect your confidential data with passwords alone. All it takes is a successful phishing scam, and your whole network could end up being exposed to an attacker. That’s why you need an extra layer of security to verify users’ identities before they can access the system. This is especially important in the new era of workforce mobility, where employees routinely access business apps and data from different devices and locations.
Multifactor authentication (MFA) is the new standard in information security, though you’ll also hear it called two- or dual-factor authentication when two factors are used. Despite the technical-sounding nature of the term, chances are you’ve already used it hundreds of times. Perhaps the most common example is when you withdraw money from an ATM. The first authentication factor is the card in your hand, but since that can be stolen and misused, you also have to enter a PIN code, which is the second authentication factor.
#1. Something you know
By far the most common authentication factor is something you have memorized, such as a password or PIN code. Passwords have always been central to information security, but while they provide a basic line of defense, they’re not enough by themselves. The simpler our passwords are, the easier they are for others to guess, but the more secure our passwords get, the harder they are for us to remember. For example, it’s practically impossible to hack a long alphanumeric password by guessing all of the possible character combinations, but such a password can be just as difficult to commit to memory.
#2. Something you have
This authentication factor refers to something that you physically carry around with you, such as the payment card in our previous example. Another common verification method is the one-time security token, such as those single-use passwords or codes you receive via SMS or on an authentication app when you log in to your online bank account or send money electronically. These often expire after thirty seconds or a minute, which means they’re far less susceptible to compromise by social engineering attacks.
#3. Something you are
You’ve probably already heard of biometric security, which is what this authentication factor refers to. This uses an individual’s inherent physical traits to verify their identity. A common method is a fingerprint scan, which you can use for unlocking most high-end phones and other mobile devices. Other methods include iris scans as well as face and voice recognition. But there is one severe drawback of biometrics: if someone steals the biometric data, there’s no way to replace it.
#4. Somewhere you are
This verification factor is used by default and is something that users aren’t usually aware of. For example, you might have noticed that when you try to access online services when you’re abroad, you’re asked if it’s really you who’s doing so.
The most common way of detecting your approximate location is by looking at your IP address, a unique identifier your device uses when it goes online that can be mapped to an approximate location. Other geolocation-based security checks include those that use the mobile networks themselves or GPS technology. Banks often use geolocation to detect potentially fraudulent purchases made in places you’ve never even been to.
#5. Something you do
By far the least common method for verifying a user’s identity involves AI software logging and recognizing oft-repeated actions and recognizable patterns of behavior. In practice, this serves more to flag actions that are uncharacteristic of the person doing them. For instance, if a day-shift employee’s ID card is used to access the office at 3:00 a.m., the AI treats this as suspicious, and it may warrant immediate suspension of the cardholder’s access rights.
Multifactor authentication is now a must for businesses seeking to reduce risk and achieve compliance in an increasingly connected world. Red Key Solutions can help you boost security and drive growth without leaving your organization open to attacks. Call us today to schedule a consultation.