What exactly is multifactor authentication (MFA)? What technologies are available for implementing it, and what are their pros and cons? This blog answers all these questions.
What exactly is authentication?
Let’s start with the basics. What is authentication? Basically, it’s verifying that an individual is who they claim to be. It’s one of the two key functions of Active Directory and Azure Active Directory. (The other is authorization, which involves deciding what a user is allowed to do once they’re authenticated. I won’t talk about authorization at all in this post.)
In the early days of computing, authentication was simple: If you wanted to log in to an IT system, you had to enter your username and password. If what you entered matched what the system had stored in its directory, it decided that you were who you claimed to be and granted you access; otherwise, you were denied access.
This approach grew in sophistication over time. For example, modern password-based authentication systems like Kerberos don’t actually transmit passwords anymore; they generate an authentication token that is submitted instead.
But even with these enhancements, a username-and-password based approach to authentication still has a key weakness: If someone learns another user’s password, they are indistinguishable from the true user. This is a real and pressing security problem, since there are many ways of getting a password, from educated guesses to technical attacks to targeted social attacks such as phishing. In fact, it’s difficult for a system to prevent a user from re-using a password across multiple systems or using a password that is easy to guess.
Moreover, even if an attacker doesn’t know a user’s password, most username-and-password authentication systems are vulnerable to tactics like replay attacks (in which an attacker simply listens for the authentication traffic and replays it) and Golden Ticket attacks (in which the attacker dumps a valid authentication token from the memory of a vulnerable system).
What is multifactor authentication?
So, what is multifactor authentication? Well, username-and-password authentication is single-factor: You verify you are who you’re claiming to be using just one method, or factor — providing your username/password combination.
Two-factor authentication, as its name implies, involves requiring two different factors. It is the most basic type of multifactor authentication, which requires two or more different factors. This often (though inaccurately) described as combining “something you know” (your password) with “something you have” (such as a code from an app on your phone). I’ll be using the term “multifactor authentication” since it includes two-factor.
Multifactor authentication benefits
Multifactor authentication benefits both organizations and their users by addressing the key weaknesses of username-and-password authentication. For example, suppose I have used my super-secret password of “CovidSux2021!” across multiple websites, including my corporate network and a forum for cute cat photos that I frequent. Unfortunately, the cat photo forum stored my password in an easily hackable format and they suffered a breach — now my username and password for that forum can be had on the open web for a few pennies.
Without multifactor authentication, an attacker could purchase that username and password, do a little bit of research about where I work, and surmise that I might have used the same password there. If that guess is right, then it is game over — they have access to everything I can do at work. Similarly, they might try using the same username/password combination on various banking sites; if they manage to log in, I could end up with my account cleaned out.
But with multifactor authentication, simply knowing my password does them no good. They are missing the other factor (or factors) the system requires to prove they are me. Thwarted!
So, how can you reap these multifactor authentication benefits? The following are the most common multifactor authentication technologies and how they work in the real world.
One-time passcode (OTP)
You have probably experienced this: You go to a website (such as your bank) and enter your username and password; then the system sends you a code that you must provide within a short time period in order to be granted access. Each time you authenticate, you have to provide a new one.
There are several ways of providing OTPs, including:
- SMS text — Texting is one of the simplest and most ubiquitous forms of multifactor authentication.
- Hardware token — Some businesses will issue users a device that generates an OTP upon request. For those of us of a certain age, the RSA key fob with a little LCD screen was a common sight.
- Smartphone app — Smartphone apps such as Google Authenticator, Authy and Microsoft Authenticator have largely replaced the physical key fob in recent years.
A smart card is a physical device that typically stores a cryptographically signed digital certificate, which is read by the system you’re authenticating to when you insert it or, in some cases, simply hold it close to the reader. Modern versions of smart cards include devices like Yubikeys.
With biometric authentication, your unique physical aspects are the “something you have” part of the MFA equation (sometimes, it is referred to as “something you are”). In years past, this usually took the form of fingerprints, using technology like Apple’s TouchID. More recently, facial feature identification has come of age with options like Apple’s FaceID and Microsoft’s Windows Hello.
It is important not to confuse biometrics as convenience with biometrics as a second authentication factor. For instance, Microsoft specifically calls out the difference between Windows Hello as a convenient way to access your device and Windows Hello as a component of an MFA strategy.
Passwordless authentication is the frontier of authentication, and Microsoft has committed to a roadmap to moving its enterprise customers in that direction.
You might be thinking, “But wait — how can passwordless authentication be MFA, since it removes the password, which is one of the axes of MFA?” While it’s true that MFA often uses a password as one factor, that’s not required. Passwordless MFA uses a different combination of factors: device registration plus a second factor, such as a PIN or biometrics. Specifically, the device being used, whether it is a mobile device or a workstation, becomes securely known to the system being authenticated to. A PIN or biometrics is then used locally on the device, and the device then vouches for the end user to the system being authenticated to. The actual authentication happens locally on the device, not on the remote system being accessed!
Let’s look at this in action with Azure AD. I download the Microsoft Authenticator app and then register my phone using the app into Azure AD using my current authentication flow (which might be username/password + SMS OTP). As part of this registration, the app ensures that I have a passcode or biometric unlock enabled locally on my phone. This makes the phone known to Azure AD.
Then, I can convert my Azure AD account to passwordless. When Azure AD needs to authenticate, it sends a notification to the phone, and I unlock the phone using my PIN or my face to confirm the authentication. Two factors are used: the device I have and either the PIN I know or the face I have.
Notice that at no time have I ever transmitted authentication information to Azure AD after my initial registration; it is all local on the device.
For a desktop computer, Windows Hello for Business works in a very similar way. The PC gets registered into Azure AD, and then my PIN or face is used to unlock the PC. Again, two factors are used.
Choosing an MFA technology
As you might guess, any MFA is usually superior to just a username and password. However, the various multifactor authentication approaches have different tradeoffs associated with them.
OTP via SMS is the least secure, even though it is the most widely implemented. To defeat SMS-based multifactor authentication, an attacker can steal a user’s phone or convince the carrier of the phone to move the user’s phone number to one controlled by the attacker. Additionally, SMS MFA is vulnerable to social attacks, where an attacker convinces a user to provide the SMS code over the phone by impersonating a support person.
Hardware tokens are also vulnerable to physical theft and social attacks, and are inconvenient for users who might not have the token with them when they need to authenticate.
OTP via a phone app is probably the current “sweet spot” in multifactor authentication — it is ubiquitous, easier to set up than smart cards and fairly secure. Yet it too has its negatives. Users can usually self-enroll multiple devices to provide the passcodes, which is convenient but increases the attack surface. Worse yet, many modern password managers (like 1Password or Apple’s Keychain) integrate OTP generation into the password manager itself for convenience’s sake, so if an attacker gets access to the password manager, it’s all over.
Smart cards are considered a very strong form of authentication because the cryptographic keys stored on them are well protected. Indeed, smart cards are often used by government agencies because they help ensure compliance with regulations like the Defense Federal Acquisition Regulation System (DFARS). But smart cards are inconvenient for the users who have to carry them around, and they are vulnerable to physical theft. Plus, implementation tends to impose significant administrative overhead. To help mitigate these drawbacks, modern versions of key cards like Yubikeys, integrate biometrics and are compatible with a wider range of devices.
Biometrics are increasingly popular. They are extremely convenient for users; I’ve never left home without my fingerprints or my face — though a cut or other injury could make it impossible for the system to authenticate me. Biometrics are also difficult to hack because they are so complex — but if they are compromised, you’re in a tough spot, since you can’t swap out your fingerprints the way you can reset a password or replace your phone. Also, someone could physically force you to provide your fingerprint or scan your face; whether local and federal law enforcement can use your biometrics without your consent to access your devices has been decided differently in various court cases but has not yet reached the Supreme Court.
Finally, passwordless authentication is an exciting option that is currently secure and delivers a great user experience. However, it is not supported by many identity systems. Furthermore, a key technical component to making passwordless authentication work are “secure enclaves” on the registered device. As we know, endpoints are vulnerable to attack from malware, so for the device registration to mean much, we need to rely on a “computer within the computer.” On iOS devices, this is the Secure Enclave; on Macs, it is the T2 chip; and on Windows computers, it is the Trusted Platform Module (TPM) chip (though it is currently possible for administrators to set up Windows Hello for Business without a TPM!). If a widespread flaw were to be found in one of these systems, it could render device registration meaningless for whole categories of endpoints.
There’s no question that multifactor authentication benefits organizations and users by dramatically strengthening security. Indeed, Microsoft reports that its telemetry shows that 99.9% of organization account compromise could be stopped by simply using MFA. But requiring multifactor authentication for everyone all the time is pretty much guaranteed to frustrate users and hurt productivity. It’s important to take a balanced approach.
Indeed, multifactor authentication is best understood as one aspect of your organization’s broader security strategy. Many experts now recommend developing a security strategy based on Zero Trust principles and using tools like Azure AD Conditional Access, which gives you a lot of flexibility to apply MFA judiciously.