Multi-Factor Authentication Methods Are Important Tools
Let’s talk about different multi-factor authentication methods
When it comes to computers, user authentication is nothing new. It has existed in one form or another since the beginnings of computer science. Back then things like storage space, memory, and CPU power had to be closely managed, so the many different multi-factor authentication methods we take for granted today weren’t available, and authenticating was a much simpler process. It took two pieces of information: one bit of public information (the username) and one bit of private information (a password).
Usernames were, and still generally are, public knowledge, so all of the security rested on the password. Since there were hard limits on hardware capabilities, passwords were limited to only eight characters for a long time. It wasn’t until the late ’80s or early ’90s that computers became powerful enough to allow for anything longer. In any case, the best way to get security out of a single password was to make it complicated and random.
Eventually computers became powerful enough that passwords on their own simply weren’t good enough (even though they were allowed to be much longer). This led us to multi-factor authentication (MFA), which simply means adding another form of authentication beyond just a password.
There are plenty of forms of MFA; most phones, for example, include some form of biometrics like fingerprint and/or facial recognition. This doesn’t mean the password is no longer important but that it’s now responsible for only part of a device’s security.
So let’s talk a bit about the multi-factor authentication methods available these days and do a comparison.
Modern Multi-Factor Authentication Methods
- Text message/SMS: Users are sent a code via text message that they then enter into the login portal’s security prompt. SMS texts are easy to intercept, so this MFA method should only be used as a temporary last resort.
- Email: Again, users receive a code to enter into the login prompt, but via email instead of text. A clickable link may also be sent with the code. While email is generally secure, there are still multiple ways for it to be compromised. Moreover, because mailboxes often contain important information, they are high-value targets for hackers, and email as a communications method is under near-constant attack, making it a similarly bad idea to rely on for MFA.
- Hardware/Software tokens: These are periodically generated codes that are only valid during a certain window of time, usually the following 60 seconds. After that minute, a new code is generated that can only be used for the following minute, and so on. This method relies on specialized hardware like a key fob and related software, with some pure-software options available, but either way it’s important that the application is configured correctly so that the codes the token generates are the ones the server expects.
- Push Applications: Similar to software tokens but rather than a code, the user receives a push notification to their mobile device from an installed app that they must then approve, again usually within a certain fairly short time frame. Microsoft’s Authenticator app is likely the best known example.
Text- and email-based multi-factor authentication methods are perfectly functional but really shouldn’t be relied on over the long term, especially for protecting data that is at all important. For those use cases, push applications are generally considered the most secure, though token generators of either kind (they both have their pros and cons) are an acceptable alternative.
If you’d like help evaluating, implementing, and configuring any of these multi-factor authentication methods for your organization, contact a TRINUS cybersecurity expert and we’ll be happy to help out with some stress-free IT.
This Shakespeare quote comes from Troilus and Cressida: “Who shall be true to us, when we are so unsecret to ourselves?”