What is Multi-Factor Authentication?
Multi-factor Authentication (MFA), which includes Two-factor Authentication (2FA), is an authentication method that requires you, as a user, to provide two or more pieces of evidence to verify that you are the “real you”. Verifying who you are is the purpose of authentication: the computer systems we are trying to access must assume we are who we say we are based on the input we provide. If we look at a webmail login, the details typically provided are a username and a password.
Multi-factor authentication, including 2FA, requires at least one more piece of the puzzle. Let’s take a look at just what we can provide to authenticate.
Something I know – This is a secret that only you should know. Your password is an excellent example of this.
Something I am – In a person-to-person interaction, the person you are communicating with can see that it’s you. They can recognize who you are, and the verification process happens mainly behind the scenes. A computer can’t recognize this on the same level, but we can use biometrics for this: fingerprints, retinal scans, etc.
Something I have – This could be any number of things: a mobile phone where we can receive an SMS message asking us to verify that it’s us, an authenticator app that generates a one-time code to input into an MFA system, or some sort of physical token that generates a similar code.
Multi-factor Authentication relies on at least two of these factors to allow access to our systems and applications.
Why is this important?
The most significant advantage of this is that it enhances your organization’s overall security by requiring more than the bare minimum of a username, or a username and password, for your users to verify they are who they say they are. While a username and password are essential pieces of the puzzle, they are vulnerable to attack. Usernames and passwords are exposed in data breaches and are subject to all forms of compromise by third parties. Requiring more provides increased confidence that your organization is protected from the threat actors constantly looking and waiting for any avenue to your data.
How does MFA work?
Multi-factor authentication works by requiring more than the bare minimum, often just a username and password, and adding another level of security on top of it. This additional factor could be biometric (“something I am”) or a One Time Password (“something I have”), delivered by SMS message or generated by an authentication application such as Google Authenticator, Authy, LastPass, or Microsoft Authenticator.
Examples of Multi-factor Authentication
What are some examples of this?
Something I know:
- Answers to personal security questions
- One Time Passwords (I include this here because an OTP could be viewed as either “something I know” or “something I have”)
Something I have:
- One Time Password sent via SMS
- One Time Password sent via email
- One Time Password sent via App (authenticator app)
- Access badge or security token generator
- Software-based certificates or tokens
Something I am:
- Biometric: fingerprint, iris or retinal scan, or voice recognition
How do we use this?
Typically, in addition to entering your username and password, you would be prompted to enter a One Time Password (OTP), which would then allow you access to your webmail account. The atmail cloud uses an authenticator-based application for this OTP. To enable 2FA in your atmail cloud account, you need to visit the settings menu from the drop-down in the upper left.
From the settings menu, select Accounts. Here you will be able to select “Enable two-factor authentication.”
Once selected, you will be prompted to scan the QR code with your authenticator app and input the key provided. I use Google Authenticator for this.
Once this step is complete, you will then be asked to provide this code, in addition to your username and password, each time you log into your webmail account.
Once you input this OTP, you will be allowed access to your email account.
Potential problems with Multi-factor Authentication
Why did we choose to use an authenticator-based solution for the atmail cloud? There are problems due to vulnerabilities in SMS messaging in general. This is not a SIM Swap based problem, although that is a potential issue and something to consider. This is an issue with third-party applications that monitor SMS messages based on a simple Letter of Authorization (LOA), which can easily be forged. While this is a genuine concern and something that you need to be aware of, I believe it is important to be mindful that, so long as you know the risk involved, an SMS-based One Time Password is still more secure than simply using a username and password.
MFA is one of many steps that are available to help you keep your information secure. It is not the be-all, end-all security solution, but it is moving in the right direction. By enabling Multi-factor Authentication whenever it is available, you are not only choosing to take your security more seriously, but by helping the adoption rate of this process trend up, you are showing other users and companies out there that this is something they should take seriously and consider enabling for their sites. Last year, Alexander Weinert, the Director of Identity Security at Microsoft, spoke at the RSA conference, saying that among enterprise cloud users, there is only an 11% adoption rate of Multi-factor Authentication… 11%! That means that 89% of users have not enabled this when it is available. Choosing to enable this will make a difference in the global security landscape.
Need more help with email security?
Do you have a specific need for your organization’s email security policy? Do you need advice or guidance on setting up Two-factor Authentication? Our team of email security experts here at atmail is available to assist you with your security policy needs and answer any questions you might have.
With 22 years of global email expertise, you can trust us to deliver an email hosting platform that is secure, stable, and scalable. We power more than 170 million mailboxes worldwide and offer modern, white-labeled, cloud-hosted email with your choice of US or (GDPR compliant) EU data centers. Talk to us today.