A Guide to Multi-Factor Authentication Methods
As we have already covered what MFA is and why businesses should use it, let's dive into the details now. In this post I will describe various methods of MFA and detail their strengths and weaknesses, sharing knowledge that may help you choose the one best matching your application.
Different types of MFA
Authentication methods can be categorized into three main categories:
Knowledge (“something a user knows”) - refers to a password or PIN known by the user.
Possession (“something a user has”) - refers to a software or hardware token, mobile phone, or any other device that the user is equipped with.
Inheritance (“something a user is”) - refers to unique biometric details of the user, such as fingerprint, retina verification, or voice recognition.
A well-designed MFA process should use factors from different categories to ensure maximum security.
Smartphone based MFA Solutions
Mobile phones are one of the most commonly used smart devices, making them an excellent MFA device for publicly available solutions. Using smartphone based MFA means that users of your application won’t need to have any additional device. Most of the security methods used with mobile phones fall into the ‘something a user has’ category.
SMS Code
SMS is one of the most basic ways of performing MFA with a phone. The driving application sends a message containing a verification code to the user's mobile phone.
Cons:
Requires obtaining the user's phone number.
Susceptible to SMS hijacking and eavesdropping.
Requires the user to leave mobile applications they use for SMS codes, leading to a poor user experience.
No cryptographic security.
SMS delivery is unreliable.
Pros:
Simple to implement.
Widely used and understandable to users.
The negative user experience of having to switch to an SMS app while using a mobile app or website can be mitigated with the use of message auto-filling. For browser based applications there is WebOTP standard for that supported by major browsers. For mobile native applications, the same effect can be achieved with requesting permission to read user messages (not recommended) or autofill service permission.
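The server side of an SMS code flow is where most of the listed cons are either contained or made worse. The following is an added example, not code from the original post: SmsOtpService is a hypothetical server component that issues a short-lived numeric code through a caller-supplied send_sms hook (the SMS gateway itself is assumed), stores only a keyed hash of the code, and makes each code single-use, expiring and limited to a few guesses. The phone numbers and the server key in it are constructed values.

```python
import hashlib
import hmac
import secrets
import time


class SmsOtpService:
    """Hypothetical server-side issuer/verifier for SMS verification codes (added example)."""

    CODE_LEN = 6
    TTL_SECONDS = 300      # a code expires after 5 minutes
    MAX_ATTEMPTS = 5       # after that the code is discarded and a new one must be issued

    def __init__(self, send_sms, server_key: bytes, now=time.time):
        self.send_sms = send_sms      # callable(phone_number, message_text); the gateway is assumed
        self.server_key = server_key  # kept in app configuration, never in the code store
        self.now = now                # injectable clock, convenient for tests
        self._pending = {}            # phone -> {"digest", "salt", "expires_at", "attempts"}

    def _digest(self, code: str, salt: bytes) -> bytes:
        # Keyed hash: a leaked code store alone cannot be brute-forced over the 10^6 codes
        # without the server key, and the salt keeps equal codes from looking equal.
        return hmac.new(self.server_key, salt + code.encode(), hashlib.sha256).digest()

    def issue(self, phone: str) -> None:
        """Generate a code with a CSPRNG, store its keyed hash, and send the text."""
        code = f"{secrets.randbelow(10 ** self.CODE_LEN):0{self.CODE_LEN}d}"
        salt = secrets.token_bytes(16)
        self._pending[phone] = {
            "digest": self._digest(code, salt),
            "salt": salt,
            "expires_at": self.now() + self.TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(phone, f"Your verification code is {code}")

    def verify(self, phone: str, submitted: str) -> str:
        """Return 'ok', 'expired', 'too_many_attempts', 'invalid' or 'no_code'."""
        entry = self._pending.get(phone)
        if entry is None:
            return "no_code"
        if self.now() > entry["expires_at"]:
            del self._pending[phone]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > self.MAX_ATTEMPTS:
            del self._pending[phone]          # online guessing is capped per issued code
            return "too_many_attempts"
        if hmac.compare_digest(self._digest(submitted, entry["salt"]), entry["digest"]):
            del self._pending[phone]          # single use: a replayed code is rejected
            return "ok"
        return "invalid"


if __name__ == "__main__":
    # Constructed demo: the "gateway" just prints the text it would send.
    service = SmsOtpService(lambda phone, text: print(f"SMS to {phone}: {text}"),
                            server_key=secrets.token_bytes(32))
    service.issue("+15550100")
```

Note that none of this changes the transport weakness the post lists: whoever can read the SMS still gets the code. What the service controls is how long and how often that code is worth anything.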
TOTP
Time-based One-Time Password (TOTP) is a cryptographic method that uses a secret key shared between an MFA provider and a token device. A new code is generated for each short time step (usually 30 or 60 seconds). The code can be obtained from a software application such as Google Authenticator or from a dedicated hardware token, and is compared with the code generated by the server. Code generation and comparison are fully offline, requiring no connection to the internet.
Cons:
Requires a dedicated application or token from the user.
Usually involves a complex setup process (sharing the TOTP secret with each user).
Prone to desynchronization errors - client and server have to use the exact same time.
The same code can be reused within its time window.
Pros:
Cannot be eavesdropped.
Works well with offline applications.
Cryptographically secure.
Can be used with a hardware token.
Clock skew errors may be somewhat limited by extending the code validity window. However, remember that this reduces the security of the solution, as it increases the chance of an eavesdropped code being used once again.
HOTP
HMAC-based One-Time Password (HOTP) is a cryptographic method that is very similar to TOTP. However, instead of using time, the code is calculated with the HMAC algorithm over the shared secret and a counter. After each successful verification, the counter must be incremented on both the security device and the OTP-verifying application.
Cons:
Requires a dedicated application or token from the user.
Usually involves a complex setup process, such as sharing the HOTP secret with each user.
Prone to token desynchronization.
Pros:
Cannot be eavesdropped.
Works well with offline applications.
Cryptographically secure.
Can be used with a hardware token.
Prevents reuse of the same code.
Resilient to clock skew errors.
This authentication method brings great value by being independent from time: an eavesdropped code cannot be reused. On the other hand, HOTP desynchronization makes the token completely unusable. Therefore, the HOTP algorithm defines a synchronization window that can be used to resynchronize devices. If you are implementing this solution, remember to provide a means of token resynchronization.
RSA SecurID
RSA SecurID is a proprietary solution that works similarly to TOTP. There is a dedicated software application or hardware token responsible for generating codes, but most of the setup and management is improved compared to TOTP.
Pros:
Provides strong security against eavesdropping.
Works well with offline applications.
Cryptographically secure.
Can be used with a hardware token.
Convenient token setup and management with dedicated tools.
SecurID app supports MFA by push notifications.
Cons:
Expensive solution, targeted at large organizations.
Requires a dedicated application or token from the user.
Prone to desynchronization errors - the client and server must use exactly the same time.
RSA SecurID has been available on the market for years. Because it is a proprietary solution, a large set of supporting tools already exists. One of them is a built-in synchronization mechanism: the authentication server remembers the clock skew of each device separately. A separate synchronization flow still has to be implemented in the solution.
Mobile Push Notifications
In this solution, the user receives a notification on their phone and simply has to accept the action to proceed with authentication. This leads to flows that are very convenient for users, but requires them to have an application installed on their mobile device.
Cons:
May be complex to implement.
Requires the user to have an integrated mobile application.
Custom solutions are prone to implementation errors.
Pros:
Very convenient and understandable to users.
If the mobile application is our business application, the user does not leave the flow.
Implementing mobile push does not require you to have your own mobile application. Even if you don't have one, you can use the power of MFA push notifications with authentication solutions available on the market (for example, from Auth0). Trusting an established provider is a great idea, as it limits the risk of implementing a faulty solution.
OIDC CIBA
OpenID Connect Client-Initiated Backchannel Authentication is a new extension to the OpenID Connect standard for confirming user authentication through the OpenID Provider. It enables applications to execute MFA through the Provider and limit their own implementation to API calls. This keeps implementation complexity to a minimum by reusing the MFA methods already prepared by the IdP.
Cons:
Requires the user account to be set up at the IdP.
Incorrectly implemented, it can lead to using two 'Knowledge' authentication factors, and may be vulnerable to phishing attacks.
Good understanding of OIDC is required.
Pros:
Mobile push is very convenient and understandable to users.
If the mobile application is our business application, the user does not leave the flow.
A public or internal IdP may be used.
Established security standard.
Allows use of the existing MFA implementations provided by the IdP.
The standard ensures independence from any proprietary API.
Tips:
Using an IdP for federated identity has become a standard nowadays. Therefore, even if you have your own application, using OIDC CIBA flow inside it is a good idea. Adhering to already existing and well-described standards limits the probability of implementing insecure solutions.
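To make concrete what "limiting your own implementation to API calls" means for CIBA, here is an added example that is not code from the original post nor from any OpenID Provider. MockOpenIDProvider is a constructed in-memory stand-in for an OP's backchannel authentication endpoint and token endpoint in CIBA "poll" mode, and ciba_login() is the part that the client application actually has to write: start the request, then poll the token endpoint with the `urn:openid:params:grant-type:ciba` grant until the user answers on the IdP's authenticator. The user's decision normally arrives out of band; the mock exposes user_decides() so the exchange can be driven end to end. Client ids, login hints and token values are all constructed.

```python
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"   # grant_type defined by the CIBA spec


class MockOpenIDProvider:
    """Constructed stand-in for an OP (added example, not a real provider)."""

    def __init__(self, now, lifetime: int = 120, interval: int = 5):
        self.now = now                  # injectable clock
        self.lifetime = lifetime        # seconds an auth_req_id stays valid
        self.interval = interval        # minimum seconds between polls
        self._requests = {}             # auth_req_id -> state

    def backchannel_authenticate(self, client_id, scope, login_hint, binding_message):
        """Client -> OP. A real OP also authenticates the client on this call."""
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        auth_req_id = secrets.token_urlsafe(32)
        self._requests[auth_req_id] = {
            "client_id": client_id, "user": login_hint, "status": "pending",
            "binding_message": binding_message, "expires_at": self.now() + self.lifetime,
        }
        return {"auth_req_id": auth_req_id, "expires_in": self.lifetime, "interval": self.interval}

    def pending_ids(self):
        return [rid for rid, req in self._requests.items() if req["status"] == "pending"]

    def user_decides(self, auth_req_id, approved: bool):
        """Out of band: the user sees binding_message on the authenticator and answers."""
        self._requests[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id):
        """Client -> OP token endpoint, polled until the user has answered."""
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self._requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id or req["status"] == "used":
            return {"error": "invalid_grant"}
        if self.now() > req["expires_at"]:
            return {"error": "expired_token"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            return {"error": "access_denied"}
        req["status"] = "used"          # an auth_req_id yields tokens exactly once
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(16),
                "id_token": f"<constructed id_token for {req['user']}>"}


def ciba_login(op, now, sleep, client_id, login_hint, binding_message, scope="openid"):
    """Client side of CIBA poll mode: returns the token response or a terminal error."""
    start = op.backchannel_authenticate(client_id, scope, login_hint, binding_message)
    if "error" in start:
        return start
    deadline = now() + start["expires_in"]
    interval = start.get("interval", 5)
    while now() < deadline:
        sleep(interval)                           # never poll faster than the OP allows
        resp = op.token(client_id, CIBA_GRANT, start["auth_req_id"])
        if "error" not in resp:
            return resp
        if resp["error"] == "authorization_pending":
            continue
        if resp["error"] == "slow_down":          # OP asked us to back off
            interval += 5
            continue
        return resp                               # access_denied, expired_token, ...
    return {"error": "expired_token"}
```

The binding_message is the detail that addresses the phishing caveat listed under Cons: the OP shows it to the user in the authenticator, so a request the user did not initiate (or one whose message does not match what the user sees on screen) can be recognized and denied rather than blindly approved. Everything else in ciba_login() is plain polling against the IdP's API, which is the point of the standard.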
U2F
Universal 2nd Factor is a method that uses a physical token to authenticate the user. The token has to be connected to the user's device (for example via NFC) and requires a user action (for example pressing a button on the hardware key) to complete the authentication process. Some phones already have a built-in security key that may be used as a U2F device.
Cons:
Hardware device may be lost.
Designed mostly for users with at least moderate security awareness.
Pros:
Very high level of security.
Single device can be used in many authentication processes.
Customer centric.
U2F is a process that requires user interaction to complete. Because of that, it is crucial to give users guidance on how to complete the MFA process and confirm the operation.
Additional means of securing MFA process
Each of the popular methods listed here can be strengthened with the usage of another factor, introducing an additional layer of security to guard against unauthorized access. This additional factor can be required when opening the security application or confirming a security action.
Pin Code
The easiest way to add additional security is to use a PIN code. Built-in security APIs make it easy to add PIN code verification to the process on mobile phones.
Biometrics
Most of the new devices have a built-in fingerprint scanner, and even if they don't, the camera can be used for facial recognition. APIs built into mobile operating systems can simplify the usage of biometric data. This method greatly increases security, as it involves factors from all three categories: knowledge, possession, and inheritance.
Alternatives to the smartphone MFA
Apart from smartphone solutions, there are many MFA alternatives. They can be divided into two main categories:
Ones that reuse the "knowledge" category, such as PIN codes, email OTPs, security questions, etc. These methods do not increase the total security of the process as much as using authentication factors from other categories.
Ones that require users to have an additional device, such as hardware tokens, security cards, code lists, etc. These methods provide great security but are suitable mostly when there is a limited number of end-users.
Understanding the business needs
As shown, there are numerous available MFA methods, and each one has its own merits. Choosing an improper one may lead to problems such as lowered security and bad user experience. Therefore, it is advisable to first understand the customer and process needs before choosing a solution.
At Craftspire, we have a good understanding of the methods available on the market and the experience required to choose the best one for the process. Therefore, contact us if you would like to add MFA to your product but have doubts about the best options. We will help you make decisions with the best possible outcome for your business.