System Administrators are tasked with guarding digital secrets and various types of sensitive information. In cases where the data being protected is especially sensitive, an administrator may choose to implement multi-factor authentication (MFA). But are all MFA implementations created equal?
Multi-factor Authentication requires a combination of at least two of the following three factors:
- Something You Know (a pin or a password)
- Something You Have (a physical token or a one-time password)
- Something You Are (a fingerprint or other biometric)
Of the three options, only the “Something You Are” option provides ‘Proof-of-Presence.’ So why is this important? Simply put, it provides for higher security.
The inherent challenges with a pin or password are that they can be guessed, stolen or socially engineered.
For example, in the cyberattack on the FBI in February of 2016, the hacker gained access to the Department of Justice web portal via a social engineering attack. The criminal called the help desk with a legitimate DOJ email address and asked for help to get logged on. They asked if he had a token, he said no and they simply gave him one! If the DOJ web portal had required a “Something You Are” factor, this attack could have been thwarted.
The problem with a physical or soft token is that they can lost, stolen or compromised via a Man-in-The-Middle (MiTM) attack.
For example, in June 2015, Europol’s European Cybercrime Centre (EC3) and Eurojust coordinated a raid that led to the arrest of 49 suspects spread throughout Europe. The investigation uncovered fraud totaling $6.8M.
The suspects used social engineering to plant malware onto the websites of legitimate businesses, then set up MiTM attacks by sending emails to customers asking for payments. The customers clicked a link which led to fake (‘in the middle’) sites and the criminals captured their one-time-passwords which they used to log onto the legitimate sites. These attacks would also have been prevented if the businesses required a “Something You Are” factor.
In addition to offering higher security when used as a second factor, “Something You Are” also provides for less friction to the end user. A fingerprint, for example, allows for the quickest and easiest way to prove one’s identity when compared to the other factors.
Finally, there are situations where you want to be sure that a particular user was actually ‘present’ during an authentication event. For example, when tellers authenticate transactions at a bank, a system administrator can be sure a specific teller authorized a transaction and that someone didn’t borrow or steal their PIN number.
In summary, the “Something You Are” factor allows for proof-of-presence, higher security and less friction when used as a second factor.