Authentication has been a part of digital life since MIT set up a password on their shared-access computer in 1961. Today, authentication covers virtually every interaction you can have on the internet. But up until 2010, the security of most online shopping sites and services only required a basic password. Since then, online spending has grown to over $1 trillion annually in the US alone.
Along with the growth in spending has come a corresponding increase in identity theft and stolen passwords. To stem the rising tide of online crime and prevent cybercriminals from taking your money, many banks and online retail stores demand more than a password for account access. If you want to participate in today's online marketplaces, you'll need multifactor authentication.
What is multifactor authentication?
Authentication verifies the identity of a user or system. A password or fingerprint can be used to authenticate A site that requires a password and a fingerprint uses multifactor authentication. Simply put, multifactor authentication uses two or more methods to verify a user.
Knowledge factors are the foundation for 2FA
Usernames and passwords are perfect examples of knowledge factors. If you don't, you can't access your Gmail account. Knowledge factors were the foundation of security for the early internet, but making good passwords is hard, and passwords are generally easy to guess, buy, or crack.
Many websites (especially social media) use at least two knowledge factors to verify your identity if you forget your password: your email address and the answer to one or more security questions like "What street did you grow up on?" This is known as two-step verification rather than two-factor authentication because even though two questions are asked, the second factor of authentication isn't different from the first.
Possession factors are something you have
A possession factor is any object or physical device that can be used to authenticate you. Everything from keys to credit cards to your driver's license can be considered a possession factor. More and more, your smartphone is considered a possession factor. If you want to get into your GitHub account, a one-time password is sent to your phone, and you need it to access your account. The disadvantage of only using possession factors for authentication is they can be stolen (in the case of credit cards) or hijacked (in the case of SMS messages sent to your phone).
Inherence factors are something you are
Inherence factors rely on something inherent to you to prove your identity. Inherence factors, or biometrics, are the authentication factors used by smartphones from almost every major manufacturer, including a fingerprint reader or facial recognition in the case of the iPhone. The benefit of biometric authentication is that it's nearly impossible to replicate. The drawback is that it can be difficult to implement well.
Behavior factors are something you do
Behavioral biometrics is on the cutting edge of authentication. Instead of relying on retinal scans and fingerprints (physical biometrics), some companies are looking at behavior patterns as a way to identify you. The way you type, the way you talk, the way you walk, and the way you carry yourself or use your mouse can be used to identify you.
Location factors are somewhere you are
This is still on the horizon as far as implementation goes, but it is being looked at. Where you are or where you go will be used when verifying your identity. The idea is that if someone steals your password and spoofs your smartphone to intercept your SMS messages, they can't access your accounts if they're not in the right place (sorry, call center scammers).
How is multifactor authentication used?
The most common form of multifactor authentication is two-factor authentication, involving the use of a possession factor and a knowledge factor. This level of security has been the gold standard since 1965 when the first ATM was installed. Today, we use a plastic smart card as our possession factor at the ATM, but 50 years ago, they used bespoke personal checks. As for the knowledge factor, like today, the original ATM used a four-digit personal identification number, which is likely the origin of using a PIN as a knowledge factor.
Most types of two-factor authentication involve the use of a one-time password. An OTP is an additional password you must enter to authenticate yourself that's only good for one use. Its earliest implementation involved a key fob (possession factor) that displays a six-digit passcode that changes at fixed intervals. The user has to append the OTP to their login credentials to access their account.
Another common example of two-factor authentication used today involves sending a time-based OTP as an SMS text message, email, or automated voice call to a user's device to be input after entering their username and password. Although this method of OTP distribution is popular, it's fallen out of favor in the security community because of the prevalence of phishing attacks and SIM-card hijacking.
To mitigate the risk of your phone number being compromised, several services use software to generate the OTP on your phone or computer instead of sending it to you. Other services offer authenticator apps on the Android Play Store, with Authy and Google Authenticator among the most popular.
Hardware tokens like YubiKey and Nitrokey have been rising in popularity. Similar to the key fobs that display an OTP, hardware tokens (sometimes called security keys) generate an OTP and automatically enter it for you. Unlike the original security tokens, which were primarily distributed at the enterprise level for employee access to work networks, YubiKey and its competitors are available to consumers. They can be integrated with Amazon and other major online service providers.
A popular alternative to sending OTPs to your mobile device is to use app-based push notifications to authorize account access. Google and Apple are industry leaders in this regard and have used push authentication for the past five years. Push authentications are popular because they remove some of the security vulnerabilities of SMS-based OTPs, and it's easier to tap a notification than it is to enter a password.
The future of multifactor authentication
As more of the world's business moves online and the sophistication of hackers continues to grow, the need for security will grow along with it. Given that over two billion passwords were compromised in 2021 (a number that has been growing since we began keeping count), using a simple password is no longer sufficient to lock down sensitive data like medical records and credit card information. From where we stand now, the future of online authentication looks like it will be shaped by two paradigms: passwordless authentication and passive authentication.
Security professionals don't like passwords as an authentication method. People are bad at picking them (the top passwords of 2022 were "password" and "123456"), and they're not user-friendly. Good passwords are also hard to remember. Even if you have a strong password that you can remember, passwords are vulnerable to numerous methods of hacking, from phishing and social engineering to data breaches and brute-force attacks.
In the future, public-key encryption will likely supplant passwords, verification codes, and OTPs for most services. Instead of relying on an easily compromised knowledge factor to keep your PayPal account safe, your private encryption key will be stored on a possession factor like your mobile phone or a key fob, which will be locked behind an inherence factor like your fingerprint or a face scan.
If security professionals don't like passwords, users don't like logging in or onerous login requirements. Soon, you likely won't realize you're authenticating yourself as more businesses adopt passive authentication schemes that rely on behavioral and physical biometrics. Instead of logging in to your computer after it goes into sleep mode, your computer will analyze your typing rhythm and perform periodic face scans to authenticate you continuously.
Stay safe online!
These cybersecurity measures aren't something you'll see in the far future. They are being used at the enterprise level right now. As the profile of online crime continues to rise, look to banks and retailers to lead the way in implementing and requiring these new, more stringent means of MFA to lock down your online accounts to prevent unauthorized access. It's not a matter of if you get on board with MFA account security. It's a matter of when. Until then, activate two-factor authentication on your Google account and wherever possible.