In the first part of this series, we held an intervention over the widespread use of passwords, complete with the ever-widening list of arduous hoops to jump through that are imposed on users in the name of security. In the second, we revealed just how expansive the field of authentication methods really is, but with the caveat that no single method is without its flaws. In this third part, the gold standard of authentication—multi-factor authentication (MFA)—is presented.
Consider where you live for a moment. You would no doubt prefer to control who can access your home—you don’t just want everyone who fancies it to walk in off the street and start eating your Cheerios, let alone having to deal with all the cats and dogs and badgers who chance to wander in. Just think of the mess. Your house presumably has walls, and you come and go through holes in these walls. You place doors and windows in the holes, and you keep them closed when not in use.
Congratulations, you’ve stopped the cats and dogs. The people, however, are cleverer—they realise how to open the doors. Before you know it, you’re running dangerously low on Cheerios. Then, a brainwave: you add locks to the doors, and only you have the keys. Perfect, people stop wandering in. Luckily, the locks deal with 99% of your uninvited guests.
However, there are still a one or two who are more dedicated to getting into your house. They will stop at nothing to get your Cheerios. The windows are now the weakest point, so they simply break them and clamber in. Clearly, this extraordinary threat is going to require extraordinary measures. You install security cameras to view who comes onto your property. You get an alarm on the house that goes off if a window is broken. The alarm summons the police to deal with the Cheerios fiend. You befriend your neighbours, and you promise to keep an eye on each other’s properties when you are away.
Finally, your house is secure. All but the most determined attackers will be deterred, and for those brave enough to try you have a range of means to detect their intrusion and to bring them to justice after the fact.
The same goes for authentication, whether digital or physical. Asking someone to state their identity might keep out the badgers who wander around trying their luck with unsecured logins and doors, but will do nothing against a smarter miscreant. Adding a PIN will deter most, but better-resourced attackers will brute force it eventually. You add onto that the requirement to present a key card along with the PIN and only the most dedicated, technically adept attackers will stand a chance, and at this point you’re dealing with incredible unlikelihoods. At this point, you should be looking at intrusion detection tools, comprehensive logging, intelligence sharing with other businesses and notification procedures, in the same way you would be looking at something like flood recovery.
This is the ideal situation, but oftentimes the tools we use offer only traditional password authentication as an option. What can you do in such a scenario? The next and final part of this series will answer this question.