Most of us are now familiar with what Multi-Factor Authentication (MFA) has brought to our daily lives.
Try accessing your bank account from a new computer or mobile device. Or from a location that is far from home. Or even when you try to log in in the middle of the night. All of these are behaviors that could be deemed “suspicious” and potentially hacker-generated.
MFA is the method commonly used to mitigate the risks associated with these “out-of-the-norm” behaviors. Essentially it boils down to your bank, for example, saying “we’re just not sure this is really you and we recognize that your account information could have been hacked, so we want more proof that you are who you say you are.”
So, let’s take a step back
In the digital world we live in, how do we “prove” we are who we say we are? Usually it’s via a username and password that is assumed to be known only by the user. But in these days of phishing attacks and other social hacks, usernames and passwords are not as secure as once thought. Hence the introduction of MFA.
MFA demands an additional form of identity validation. Username and password are something you know. MFA accepts that validated information, but also requires either something you have or something you are to provide that additional level of validation when needed.
What you “are” focuses on biometrics. Let’s discuss that in a future post.
What you “have” typically revolves around a phone that can receive text messages or that runs an application to receive approval requests. You input a code you have been sent or you click on “Approve” in a phone application, and only then are you allowed access.
Works well. But, as the good guys get smarter, so do the bad guys.
MFA is subject to compromise when a user reaches an application through a link in an email or on a malicious website. Essentially, hack kits have been released that allow the creation of a link that appears to lead to a legitimate site (a bank, an organization’s ERP, etc.) and that, when clicked, circumvents any additional identity validation that MFA provides.
It’s phishing on steroids and emphasizes the need for MFA protection within an application. Front door security is important and is an effective layer of protection. But in-application MFA represents an additional layer of identity validation that protects an enterprise from these front door phishing attacks.