MFA (Multi-Factor Authentication) is an authentication process in which a user has to present more than one factor in order to gain access to a resource. A resource here may be a website, an application, a network, or a VPN. Rather than asking only for a username and password, MFA adds further verification factors (an OTP, a push notification, a fingerprint and so on), which blunts credential-based attacks such as phishing and password-stealing malware and gives a much higher level of assurance. In simpler terms, you have to convince the system or online service of your identity more than once, so that it can decide whether you really have the right to the data or services you are trying to reach.
The goal of using MFA is to build a layered defense: even if one factor (the username and password) is stolen or targeted, the attacker still has at least one more barrier to get past before breaking into the targeted account or device.
Why use MFA?
Passwords may be the most widely used control we rely on every day, but the latest threat reports keep raising concerns about them. Regardless of how complex your password or your password manager is, a password alone is not enough to prevent account takeover: all it takes is one phishing email or one database breach and your password is out in the world.
Users also make it easier for attackers by choosing weak passwords, reusing the same password across multiple applications, storing passwords in insecure places and keeping the same password for long periods. These habits may help users remember their login credentials, but they invite attackers in through the front door. The 2019 Data Breach Investigations Report found that 81 percent of hacking-related breaches could be attributed to passwords that were either stolen or easily guessable and weak (e.g., "passw0rd", "admin").
- 92% of organizations have credentials for sale on the Dark Web.
- 81% of data breaches are the result of weak or stolen passwords.
- 90% of passwords can be cracked in less than six hours.
All of these factors add up to why you ought to make MFA part of your daily practice, whether you are a corporation, an institution, or any other company. By combining your username and password with multi-factor authentication, your access becomes far safer and much harder for an attacker to get through even when they already have your password.
What are the different authentication factors used by MFA?
MFA is built on several categories of authentication factor; an MFA system draws on these to authenticate a particular individual.
Knowledge factor: something the user knows, such as a password, a PIN, or the answer to a question like the name of their first school.
Possession factor: something the user has, such as a mobile device, a smartphone app, or a security token used to approve authentication requests.
Inherence factor: usually called the biometric factor, something that is part of the user's physical self, such as a fingerprint, retina pattern, or voice.
Location factor: the location from which the authentication attempt is being made. Location-based MFA can deny access when a user authenticates from outside the permitted locations, and can also restrict authentication attempts to specific devices or networks by checking the source IP address.
Time factor: restricts authentication to a specific time window in which logging on is permitted and denies access outside that window. This is not the same thing as a time-based one-time password (TOTP): apps such as Microsoft Authenticator, Google Authenticator and the miniOrange authenticator display a code that changes every 30 seconds, but there the time only selects which code is currently valid, and what the user actually proves is possession of the device holding the shared secret.
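To make that distinction concrete, here is an added example (written for this page, not miniOrange's or any authenticator app's code) of the TOTP algorithm from RFC 6238 together with the server-side check a verifier should perform. It goes slightly beyond the text: the check tolerates one 30-second step of clock drift either way, refuses a counter it has already accepted so a code cannot be replayed inside its window, and compares in constant time. The secret used in the demo is the RFC's published test key, labelled as such in the code; the base32 helper mirrors how authenticator apps are provisioned.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): dynamically truncated HMAC of the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits, algo)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (the otpauth:// URI); decode it."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                skew: int = 1, last_counter=None):
    """Server-side check. Returns the matched counter, or None.

    - accepts codes from `skew` steps either side of now, to tolerate clock drift;
    - refuses any counter <= last_counter, so a code cannot be replayed inside its
      validity window (the caller must persist the returned counter per user);
    - compares in constant time.
    """
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return None
    now_counter = at // step
    for candidate in range(now_counter - skew, now_counter + skew + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key, ASCII "12345678901234567890".
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(demo_secret, now)
    print("current code:", code)
    print("accepted at counter:", verify_totp(demo_secret, code, now))
```

The verifier's `skew` of one step means a code is accepted for up to 90 seconds in total; widening it to cover badly drifted devices also widens the window in which a phished code stays usable, which is why the replay check on `last_counter` matters.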
Adaptive authentication (risk-based authentication): builds on the factors above. Alongside the factors themselves, adaptive authentication analyses contextual signals at login time and checks them before granting access:
- Which device is the user using? Is it a device registered on the administrator's allowlist?
- Where is the user connecting from (geolocation)?
- Is the user attempting access within their permitted hours (on-hours versus off-hours)?
- Is the connection coming from a secured, private network?
Adaptive authentication evaluates these signals against the user's usual behaviour and, according to the resulting risk, prompts for a different or additional factor; only users who have established their identity to the required level are allowed to log in. This is a further advantage on top of plain MFA.
How does Multi-Factor Authentication (MFA) work?
The MFA workflow revolves around:
- Something you know
- Something you have
- Something you are
When a user attempts to access a resource, they are prompted for multiple authentication factors instead of only one. The credentials are then verified by an identity provider (IdP) or directory service. Once authenticated, the user gains access to the requested resource.
The most common MFA systems use a unique one-time passcode (OTP) for every login attempt. miniOrange also provides a more modern form of MFA, push notification: a notification is sent to your registered smartphone and you have to approve it to gain access to your account (the prompt should show where the login is coming from, so that a user is not tricked into approving an attempt they did not start).
The authentication process with MFA takes place in the following steps:
- The user navigates to the application login page, for instance www.example.com/login.
- The user enters a username and password. This is the first factor. When the credentials are submitted, the server checks that the user exists in its database and that the password matches.
- If the credentials match, the user is prompted for the second factor, e.g. a pop-up asking for an OTP sent over SMS or email.
- When the user supplies the second factor (the OTP, or approval of a push notification), the server checks it against the challenge it issued.
- After the second factor succeeds, the user is granted access to the system.
- In the same manner, if more authentication methods are configured, each is requested in turn and access is granted only after all of them succeed.
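The steps above as a worked example, added here and not part of the original page or of the miniOrange product. The service issues an opaque MFA token once the password checks out (that token proves the first factor but grants no access on its own), sends a random six-digit OTP through an injected callback that stands in for the SMS/email gateway, and only creates a session after the OTP is verified. The OTP is stored hashed, expires, is single-use, and the challenge is discarded after three wrong guesses. The user store, the callback, the clock and the constants are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingMFA:
    """A login that has passed the password check and is waiting for its OTP."""
    username: str
    otp_hash: bytes        # only a hash of the OTP is kept server-side
    expires_at: float
    attempts_left: int = 3


class MFALoginService:
    """Two-step login: password (first factor), then a single-use OTP (second factor)."""

    OTP_TTL_SECONDS = 300  # assumed validity of the delivered OTP

    def __init__(self, users, send_otp, now=time.time):
        self._users = users        # username -> (salt, pbkdf2 hash); stands in for the user database
        self._send_otp = send_otp  # callback delivering the OTP out of band (SMS/email stand-in)
        self._now = now            # injectable clock so expiry can be exercised deterministically
        self._pending = {}         # mfa_token -> PendingMFA
        self._sessions = set()

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def first_factor(self, username: str, password: str):
        """Check the password. On success return an opaque MFA token, never a session."""
        record = self._users.get(username)
        # Always run the hash so an unknown user takes as long as a wrong password.
        salt, stored = record if record else (bytes(16), bytes(32))
        if not hmac.compare_digest(self.hash_password(password, salt), stored) or record is None:
            return None
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingMFA(
            username, hashlib.sha256(otp.encode()).digest(), self._now() + self.OTP_TTL_SECONDS)
        self._send_otp(username, otp)
        return token

    def second_factor(self, mfa_token: str, otp: str):
        """Verify the OTP against the pending challenge; return a session id on success."""
        pending = self._pending.get(mfa_token)
        if pending is None:
            return None
        if self._now() > pending.expires_at:
            del self._pending[mfa_token]
            return None
        pending.attempts_left -= 1
        if not hmac.compare_digest(hashlib.sha256(otp.encode()).digest(), pending.otp_hash):
            if pending.attempts_left <= 0:
                del self._pending[mfa_token]   # too many guesses: the user must start over
            return None
        del self._pending[mfa_token]           # single use: the same OTP cannot be replayed
        session_id = secrets.token_urlsafe(32)
        self._sessions.add(session_id)
        return session_id

    def is_logged_in(self, session_id: str) -> bool:
        return session_id in self._sessions
```

A real deployment would persist the pending challenges and sessions in a store shared by all application servers and would rate-limit `first_factor` as well, since an attacker who can trigger it at will can also drive the SMS bill.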
Different Multi-Factor Authentication (MFA) methods:
miniOrange supports a variety of MFA methods. The following methods are supported to give you secure access to your site, application or network:
- OTP Over SMS
- Out of Band SMS
- Google Authenticator
- Mobile Authentication
- Push Notification
- Soft Token
- OTP Over Email
- Out of band email
- Display Hardware token
- Yubikey hardware token
- Security Questions
- Phone verification
- Voice verification
Multi-Factor Authentication (MFA) use cases:
There are many situations in which MFA is employed: you can use it for an organization's or institution's websites, applications, network, or VPN. miniOrange provides solutions for a range of use cases, among them MFA for VPN login, MFA for Stripe, and MFA for Office 365 using a Yubikey.
1. Multi-Factor Authentication (MFA) for VPN login:
miniOrange provides MFA on top of VPN authentication. This secures access to protected resources rather than relying on the VPN username and password alone. To accomplish this, miniOrange uses the RADIUS protocol.
RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol that provides authentication and authorization for network access.
The RADIUS server is responsible for authenticating users, while the RADIUS clients are the Network Access Servers (NAS), here the VPN gateway, which forward the user's credentials to the RADIUS server and grant or deny access based on its response.
MFA for VPN login takes place as shown in the figure above; the steps below walk through what happens.
- The user enters their login credentials into the VPN client.
- The RADIUS client (the VPN gateway) sends the login details to the miniOrange RADIUS server in an Access-Request.
- The user details are checked against Active Directory.
- When AD finds the user and the password matches, it responds to the miniOrange RADIUS server. The first factor is complete at this point.
- The RADIUS server returns an Access-Challenge to the RADIUS client for the second factor.
- The RADIUS client prompts the user with the MFA challenge (e.g. OTP over SMS/email).
- When the user completes the MFA challenge, the RADIUS client sends the response to the miniOrange RADIUS server.
- After checking the response, the RADIUS server returns Access-Accept and the user is granted access (or Access-Reject if the check fails).
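The exchange above as an added example, written for this page rather than taken from miniOrange. It contains a minimal RFC 2865 packet encoder/decoder (TLV attributes, User-Password hiding, the Response Authenticator), a server that answers the first Access-Request with an Access-Challenge carrying a State attribute and the second Access-Request, which echoes that State and carries the OTP in User-Password, with Access-Accept or Access-Reject, and the client side as the VPN gateway would drive it. The in-memory user dictionary stands in for the Active Directory lookup and the OTP delivery callback for SMS/email; the shared secret, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length including this header (1 byte), value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if data[i + 1] < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def _xor_blocks(data, secret, req_auth, hiding):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block), where the
    'previous block' starts as the Request Authenticator and is the previous *hidden* block after
    that; hiding and revealing differ only in which block gets chained."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def encode_password(password, secret, req_auth):
    return _xor_blocks(password + bytes(-len(password) % 16), secret, req_auth, True)

def decode_password(hidden, secret, req_auth):
    return _xor_blocks(hidden, secret, req_auth, False).rstrip(b"\x00")

def build_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_is_authentic(pkt, req_auth, secret):
    """The NAS must verify this before acting on an Accept, Reject or Challenge."""
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

class MfaRadiusServer:
    """Stand-in for the miniOrange RADIUS server; the `users` dict replaces the AD lookup."""
    def __init__(self, secret, users, send_otp):
        self.secret, self.users, self.send_otp = secret, users, send_otp
        self.pending = {}   # State value -> (username, otp) awaiting the second round

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode()
        reply = lambda c, extra=(): build_response(c, ident, req_auth, list(extra), self.secret)
        if STATE in a:      # second round: State echoed back, User-Password now carries the OTP
            expected = self.pending.pop(a[STATE], None)   # one shot: a State cannot be retried
            otp = decode_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
            ok = expected is not None and expected[0] == user and hmac.compare_digest(expected[1], otp)
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT)
        password = decode_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        if user not in self.users or not hmac.compare_digest(self.users[user], password):
            return reply(ACCESS_REJECT)                   # first factor failed
        otp = f"{secrets.randbelow(10 ** 6):06d}".encode()
        state = secrets.token_bytes(16)
        self.pending[state] = (user, otp)
        self.send_otp(user, otp)                          # out-of-band delivery (SMS/email stand-in)
        return reply(ACCESS_CHALLENGE, [(STATE, state), (REPLY_MESSAGE, b"Enter the OTP sent to your phone")])

def vpn_login(server, secret, username, password, read_otp):
    """RADIUS client (the VPN gateway / NAS) driving both rounds of the exchange."""
    req_auth = secrets.token_bytes(16)
    resp = server.handle(build_request(1, req_auth, [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encode_password(password.encode(), secret, req_auth))]))
    if not response_is_authentic(resp, req_auth, secret) or parse(resp)[0] != ACCESS_CHALLENGE:
        return False
    state = dict(parse(resp)[3])[STATE]
    req_auth = secrets.token_bytes(16)                    # fresh authenticator for every request
    resp = server.handle(build_request(2, req_auth, [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encode_password(read_otp().encode(), secret, req_auth)),
        (STATE, state)]))
    return response_is_authentic(resp, req_auth, secret) and parse(resp)[0] == ACCESS_ACCEPT
```

Two things the example makes visible: the OTP travels in the same MD5-hidden User-Password attribute as the password, so the strength of that hiding is the strength of the shared secret, and nothing else in the packet is confidential; in production the NAS-to-server leg therefore belongs on a trusted network segment or inside RadSec (RADIUS over TLS). The State attribute is also what ties the two rounds together, so the server must treat it as single-use, as `pending.pop` does here.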
2. Yubikey as a Multi-Factor Authentication (MFA) method for Microsoft Office 365:
Microsoft provides MFA only through its own default application with a limited set of MFA methods, and you cannot configure additional methods. In some cases you need to spend a large amount on licensing and per-user differentiation, for instance when you need to activate or deactivate MFA for a particular user.
If you want to use a Yubikey or any other hardware token as an authentication method when accessing Office 365, miniOrange supports this and it can be integrated quickly.
miniOrange allows you to use a Yubikey (or any other of the 15+ available MFA methods) as the additional factor to log in to Office 365 or any other Microsoft application.
3. Integrating MFA/OTP verification for payment gateways:
Under recent guidelines, new requirements for authenticating online payments have been introduced in Europe as part of the second Payment Services Directive (PSD2).
All online businesses need to ensure they are compliant with the PSD2 legislation. The EU directive mandates Strong Customer Authentication (SCA) for online transactions, with an exemption for low-value payments of €30 or less.
To meet the new EU regulations, payment gateways and businesses have to build an extra layer of authentication (MFA) into online card payments.
miniOrange has helped many businesses and payment gateways to integrate MFA into their applications. We provide access to our MFA APIs, with which MFA can be integrated into any application quickly and without much effort.
Payment gateways that operate in Europe, such as SecurionPay, Skrill, Stripe, PayU, Authorize.Net, Amazon Pay and PayPal, will need to support Strong Customer Authentication (SCA) very soon.
Benefits Of Multi-Factor Authentication (MFA):
Enhanced security: MFA reduces the chance that an attacker can impersonate a user and gain access to the system. The miniOrange MFA solution also allows users to log in with a username and OTP, removing the need to enter a password.
More productivity and flexibility: organizations are embracing mobility because it increases productivity. With mobile MFA, employees can securely log in and access corporate applications and resources from virtually any device and any location without putting the corporate network at risk.
Fraud prevention: MFA verifies that you are who you say you are before letting you proceed. It prevents unauthorized access to your website by adding a further layer of authentication.
Improved customer trust: MFA lets users feel assured about the safety of their personal information without extra effort on their part.
Reduced operating costs: implementing MFA reduces the probability of data breaches and therefore the cost of dealing with them.
Difference between MFA and 2FA:
The major difference between 2FA and MFA is that 2FA uses exactly two factors: the traditional username and password plus one other (an OTP, a push notification). MFA has no such limit: you can require as many methods as your policy calls for, so 2FA is simply the two-factor case of MFA.