Multifactor Authentication For Online Services

As the world’s digital connectivity grows exponentially through the proliferation of people on devices accessing online services, any device at any location with access to wireless internet can be used to access any data, software or services anywhere in the world. This makes it possible to start work at home on a laptop, pick it up at the office on a desktop, and then sign off on it at a restaurant with a smartphone.

However, the convenience of online services also means an increase in vulnerability- especially when outside the “perimeter”. The access “anytime, anywhere ,on any device across any network“ is why regions like Europe are moving toward mandatory implementation of multifactor authentication in online services.

The Password Problem

Today’s legacy knowledge-based security and access (KBA) systems that require passwords are a mature deployment path with no-added cost for offering passwords as the primary access method, beyond the cost of the security and authentication infrastructure. Unfortunately legacy KBA security methodologies are primarily reliant on a single password for accessing an online service which exposes significant vulnerabilities while expanding the attack surface for cybercriminals.

Effective or “strong” passwords are a random string of alphanumerics, which are hard to remember and impossible to guess. This often causes many people to resort to “easier” passwords that are easy to remember, making them easier to guess and steal.

When the vulnerability of a password is extended to an online service, anyone anywhere can access information online on any device once they have stolen a legitimate password. When an account is takeover via stolen or phished user credentials the convenience of KBA-based online services becomes a massive liability.

How Multifactor Authentication Helps

Key-based Multifactor authentication, or MFA, adds additional checks beyond needing a password. Key-based Multifactor authentication can completely replace legacy security, identity and authentication systems, with modern passwordless identity verification. Key-based biometrics such as a face, voice, or thumbprint cannot be stolen by others when protected and enabled by asymmetrically encrypted private keys in user’s devices. Other mechanisms, such as encrypted USB keys, can be used to reinforce passwords by requiring an additional check beside the password, such as the presence of a USB key, or sending an additional text/SMS message to another device, like a phone, and entering in a second code.

By introducing more than one requirement for identity verification and authentication, online services are less vulnerable when someone has a legitimate password and user credential.

For this reason, federations like the European Union and even large tech companies like Google are implementing key-based multifactor authentication on a wider scale. With proper integration, MFA can be faster and easier to use than an hard-to-know, hard-to-user password while providing even more security since a key-based thumbprint, face, or voice can’t be guessed or stolen the way a password can. By providing more options and, perhaps more importantly, ensuring these options are convenient and easy to use, key-based multifactor authentication can make online services safer than ever, while dramatically lowering user friction during registration, login and even payment transaction.

If you’re interested in using the FIDO protocol and moving to a modern, key-based passwordless authentication system and zero-trust operating environment, read here to learn more.