Facing MFA

It’s nothing personal. Well actually it is. Multi-Factor Authentication (MFA) goes beyond the standard username and password combination to increase the protection of your identity, your business, and you.

While the username and password combination has been successful in the past, today we have so many user names and passwords to access all sorts of things.  Pause for a moment and reflect how many yellow stickers you have seen with passwords on, how many times you have reused the same password for different applications. Perhaps, as users we have become a little too relaxed in our choice of passwords.

Undeniably, password security has improved by asking users to include special characters, numbers, phrases, and minimum length in their password. But how much has this helped? Even with these additional requirements, users can still use their pet’s name (Rover) with substituted numbers (R0v3r2014) and the pet’s birth date to meet the criteria.

Security administrators and auditors continue to improve levels of user security to protect their applications and their users from the consequences of misuse.However we all have a collective responsibility to take more  care in choosing a password.

How can factors help?

MFA can help to improve the security levels by adding new factors which the user must provide to prove their identity. What are the factors in multi-factor? They are categorized into types. The most common ones are:

  • Knowledge: Something you know. Examples would be a user name, a password, or a Personal Identification Number (PIN).
  • Possession: Something you own or have with you. Your mobile phone, your ID card, and a password token.
  • Biometrics: Something that you are. Fingerprints and retina scans, also other options such as facial recognition, voice recognition, and newly emerging factors using your personal geometry and mannerisms.

Do you need all of these? That depends on the level of security required for your application. There are different levels of MFA.  If only 2 levels of authentication are required (2LA) then items are selected from 2 of the above categories. If 3 levels are required (3LA) then items are selected from each of the 3 categories.

For completeness you might add other categories to create 4LA or even 5LA. For example:

  • Location: You must be in a specific place to be able to log on e.g. a laboratory or perhaps a known geographical location where you must be to conduct your business.
  • Time: You can only access an application between certain times. Any access attempt outside of designated times will be refused and the details recorded for subsequent audit purposes.

You may also choose to perform analytics on a combination of location and time (or any of the other categories) to see if it is possible for a user to have travelled that distance in a specific time. For example a login attempt is 30 minutes after the previous one from a location 2,000 miles away. How can this be?

The remainder of this blog entry we will relate to the first 3 categories but do not dismiss the others from your thinking when deciding on what factors you need.

One time passwords

While the user and password combination can set an expiry date on your password and ask you to change it, the change frequency might be every 3 months or whatever the security policy specifies.

There is another option, One Time Passwords (OTP). As their name implies, they are used only once to login to an application. The same password will not be accepted if you try to use it again. Typically you would have a token device with you, where you can enter your username (something you know) and use your token device (something you have) to generate a password. If you enter the displayed password correctly your login will be successful.  The token requests the password from a server specifically assigned to generate passwords for you. If you wish to login to the application again you must request another password.

Be aware!

There are different ways of generating OTPs. We will not go into the details here, but be aware that the password generated may only display for 30 seconds. The security administrator may select a different display time. The password is only valid for this period and as such will time out. If you have not entered the details in that time, you have to wait for the next one to be displayed and use that.


We are likely to see much more activities in this area as science progresses. Smartphones and MFA related applications have improved the chances of successfully authenticating the identity of a user requesting to login and use an application. If you have travelled through airport security you have probably already experienced fingerprint and retina authentication.

Using a smartphone and related application, it is possible to use the scanner on the smartphone to register your fingerprint. This can become part of your authentication when using your smartphone.

Now, let’s say you want to access a critical application running on a mainframe that requests users to login using MFA. You can use your smartphone to login to an MFA registration web application running on the mainframe. In addition the appropriate settings are put in place in the mainframe security software by the security administrator. This identifies you as a MFA user using biometrics along with other details. You are now in a position to login to the mainframe application by using your smartphone to request the OTP to use with your user name during the login procedure. This is a 3LA because it has used the 3 categories mentioned above.

Enhancing your security by using MFA requires careful thought and planning. There are many practical considerations and impact assessment to be carried out before migrating to an MFA environment.

The science and technology used by MFA offers improved security levels to protect both users and applications. MFA’s effectiveness can be further increased by users talking the responsibility to choose and protect their credentials.

Click on know more to see how we can help you understand more about MFA.