By David Ashamalla, Director of Security Operations
Most everyone is familiar with using a username and password to sign in to services online. This typical sign in method is known as “single sign on”. The security with this is moderate since there is only one requirement you must satisfy to be given access.
Two factor authentication (also known as multi factor authentication, or MFA) provides additional security. This is when a service requires that you correctly submit a combination of two of the following: something you know, something you are, and something you have.
- Something you know: a username and password
- Something you are: generally known as “bio-metrics”- your fingerprint, retina, DNA, or whatever future items have yet to be thought of
- Something you have: a FOB, phone, USB key, smart card. Some physical device in your possession to help prove who you are
For example, you might first need to enter your username and password. When that is verified, you would be prompted to get a code off of your phone, then enter that code correctly to be signed in to the service. This second factor adds increased protection.
Standards reduce complexity, and the number of devices you may need
In the past, using MFA often meant carrying costly devices that generated 8 digits every minute. Devices were specific to the services they were used for, which meant you could be carrying 3 or more devices for the services your company used. We have come a long way since those days.
Luckily, the next development was the acceptance of the TOTP standard (time-based one-time password). This is a temporary pass-code, generated by an algorithm that app writers could use to code a single mobile application that would support multiple services. You have seen this when using the Google Authenticator, the Microsoft Authenticator, or the DUO App. The apps use the same standards for generating 8 digit pass codes for multi factor authentication. This simplified the process and meant that you could use one app instead of multiple costly code-generating devices.
A New Standard for the Web
The newest standard in two factor authentication is called U2F. This is sponsored by the FIDO alliance (Google, Microsoft, Intel, Facebook, Amazon, are some of the members) and promises to simplify MFA even further. In the U2F protocol, physical USB tokens are used. These are very cost effective and much more automatic. The U2F allows a web browser to access the keys and pass them to a web server automatically. Depending on the implementation there may be no need to press any button to confirm, and no need to type in a one-time password.
If you lose your device – delete it and provision a new one. If your credentials are compromised, your key protects your accounts.
So how can these new developments in MFA protocols be beneficial to your business? The U2F standard helps block phishing attacks. During Two Factor Authentication setup, a “site signature” is generated using the URL, Port, and TLS Certificate, and the key will only submit the onetime password to the site with that signature. This is behind Google’s announcement that since implementing physical keys with the U2F standard they have not had a single phishing incident lead to an account takeover. While this, and MFA in general, won’t protect against all types of attacks, it does provide an extra layer of security to help increase your business’ safety.