No matter the industry you’re in, if you’re collecting information, you should be protecting that data. And to protect that data, you’ve undoubtedly run into phrases like single-factor, two-factor, and multifactor authentication, along with the responsibilities that come with collecting all that information. In nearly every instance where a breach occurs, the missteps can be boiled down to simple problems like weak credentials and poor security standards. (Go ahead and take the sticky notes with your passwords off of your computer monitor before you read the rest of this.)
So if two-factor authentication is technically a form of multifactor authentication, what are the actual differences between the two, and how can one better protect your business than the other?
Well, in this blog, we’ll clear up what factors and authenticators even are before diving into the reason multifactor authentication is the superior selection over two-factor authentication for your business.
What are factors and authenticators anyway?
Okay, time for a couple of definitions.
First of all, understanding what a factor is can seem simple, but even seasoned IT pros can misunderstand it.
There are four different groupings of factors:
Knowledge | Something that you know, like a PIN or passphrase.
Possession | Something you have, like a one-time password generator or smartphone.
Inherence | Something that you are, especially a biometric like a fingerprint or facial scan.
Context | Something about how you behave, like a habitual pattern in how you act.
Single-factor authentication is exactly what it sounds like: one of these factors, typically a password, is required to go along with a username or account number. Nothing more, nothing less. Using single-factor authentication on any type of account is highly discouraged in today’s tech world, and it has since made its way into the hall of infamy on CISA’s List of Bad Practices. More secure accounts, like the ones you’re trying to protect by reading this very blog, require more proof that you are who you say you are.
Authenticators are the device tokens or software used to present a specific factor of authentication: security keys, wearable one-time-password providers, and plenty more. Authentication, then, is the act of confirming that the person or end user attempting to gain access is who they say they are, and that proof is provided using authenticators of some kind.
So, two-factor authentication (2FA) is when two factors of authentication are required to gain access, and multifactor authentication (MFA) is – you guessed it – when there are more than two factors required.
Why multifactor is superior to two-factor authentication
Whether you realize it or not, you’ve probably been using 2FA for a long time. When you use your credit card (something you have) with a PIN and zip code (things you know), you’re using 2FA right there. And an authenticator app on your cell phone works the same way, leveraging biometrics and other unique identifiers on the device to provide codes for specific accounts.
But if businesses are using 2FA, there must be some redeeming qualities, right?
Well, sure! For the most part, 2FA is a way to put a wrench in the gears of most entry-level hackers looking to get into your information, especially if you utilize a program like Google Authenticator… right?
But 2FA protocols can be slipped through, as hackers proved by gaining access to Twitter CEO Jack Dorsey’s account through a fairly low-tech SIM swap that fooled Dorsey’s mobile provider into thinking he needed his mobile service switched to a new SIM.
“Wait, what was that? A SIM swap?”
Basically, SIM swapping is when a scammer calls your cell phone provider and says, ‘Hey, this is (the person they are attacking) and I need a new SIM card for the phone I misplaced/had stolen.’ Suddenly the hacker receives the messages intended for you, including your secondary authentication codes, on top of any stolen passwords, PINs, or other credentials.
How to avoid SIM swapping, according to the FTC:
1. Don't reply to calls, emails, or text messages that request personal information.
2. Limit the personal information you share online.
3. Set up a PIN or password on your cellular account.
4. Consider using stronger authentication on accounts with sensitive personal or financial information.
So, while 2FA is absolutely better than nothing, it should be treated as a starting point rather than the finish line if you’re serious about protecting your data. And because two factors can be compromised together, as a stolen password and a texted code intercepted through a SIM swap were in the case above, MFA is the superior choice.
Adding at least one additional layer to 2FA, such as combining a PIN and texted passcode with a biometric layer like a facial scan, creates a tremendous barrier between the would-be hacker and protected information. Rather than an attacker gaining full access by stumbling upon one piece of information and then mining the other, MFA puts you in full control of your security, especially when a hardware cryptographic authenticator is used, as NIST recommends for AAL3.
A truly unshakeable approach to data protection requires your team to approach your unique security situation with multifactor authentication in mind. Not only do multifactor authentication solutions help prevent theft and unauthorized access, but they also afford your team a higher degree of confidence that only your team is seeing your sensitive and confidential data.
If you made it this far, we’re guessing cyber security might be important to you. We take topics like MFA and cyber insurance and break them down into bite-sized, actionable snippets in our PTG Tech Talks. Click here to sign up and learn how to better protect your company!