The 5 most common multi-factor authentication (MFA) methods
Multi-factor authentication (MFA) has become a mainstay of online services over the past decade. If you've ever typed in an authentication code, received an SMS, or tapped or plugged in a hardware token, you've interacted with an MFA-enabled system.
While MFA is ubiquitous, it's far from perfect – whether you're the business or the end-user. Here are the 5 most common MFA methods, and where each of them falls short.
1. Hardware OTP (one-time password) tokens
What are they?
Hardware-based devices which generate one-time codes from a cryptographic key stored inside the device. The server holds a copy of the same (symmetric) key, so it can compute the expected OTP and check that the value entered by the user matches. A consequence of this shared-secret design is that whoever obtains the server-side seed database can generate valid codes for every token it covers.
User interfaces (UIs) vary: common types are a physical token that shows a one-time password on a built-in screen, and a keypad device which requires the user to enter a PIN code before the one-time password is displayed.
Common issues:
- Poor user experience (UX) – the user has to carry the token to verify their identity or approve an operation on the go, which sits badly with today's always-on lifestyle
- High maintenance and operating costs – businesses need a large support staff to handle user questions and a large budget for deploying, maintaining, replacing, and upgrading tokens
- Tokens are vulnerable to theft and to social engineering (e.g. impersonation); the code itself can also be phished and relayed in real time, since nothing ties it to the site the user is logging in to.
2. Standalone OTP mobile applications
What are they?
In a word: authenticator apps. These run the same shared-secret OTP scheme as hardware tokens, typically time-based (TOTP), with the seed stored on the user's smartphone instead of in a dedicated device.
Common issues:
- Poor user experience (UX) – users must constantly switch between apps to authenticate an identity or transaction; the user loses access with every change, loss, or upgrade of their smartphone unless the seeds are migrated, and secure backup options are few
- Lack of support – a business that relies on a third-party authenticator app has no vendor to turn to when its users run into problems
- Potential for a malicious or trojanized authenticator app to generate OTPs and then exfiltrate the seeds or the codes, letting an attacker impersonate its users.
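As an added example that is not part of the original article, the following Go program implements the shared-secret algorithm behind both hardware OTP tokens (section 1) and authenticator apps (section 2): HOTP from RFC 4226 and its time-based variant TOTP from RFC 6238. The secret "12345678901234567890" and the timestamps are the test vectors published in those RFCs; the Verifier type, its one-step clock-skew window, and its replay guard are this example's own design choices, not something the article describes.

```go
// Added example, not from the original article: RFC 4226 HOTP and RFC 6238 TOTP,
// the shared-secret scheme used by hardware OTP tokens and authenticator apps alike.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

// HOTP derives a fixed-length numeric code from a shared secret and a counter (RFC 4226).
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
	// whose top bit is cleared so the result is a positive 31-bit integer.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// TOTP is HOTP whose counter is the number of time steps since the Unix epoch (RFC 6238).
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Verifier is the server side (this example's design, not from the article). Because the
// scheme is symmetric, the server holds the same secret as the token; whoever obtains this
// seed can mint valid codes.
type Verifier struct {
	Secret   []byte
	Step     int64
	Digits   int
	lastStep int64 // highest time step already accepted; stops a captured code being replayed
}

// Verify accepts the code for the current step or the one either side of it (clock drift),
// compares in constant time, and never accepts a step at or below the last one consumed.
func (v *Verifier) Verify(code string, now int64) bool {
	if len(code) != v.Digits {
		return false
	}
	cur := now / v.Step
	for _, skew := range []int64{0, -1, 1} {
		step := cur + skew
		if step <= v.lastStep {
			continue
		}
		expected := HOTP(v.Secret, uint64(step), v.Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 / RFC 6238 test secret
	fmt.Println("HOTP counter 0:", HOTP(secret, 0, 6))       // 755224
	fmt.Println("TOTP at t=59:  ", TOTP(secret, 59, 30, 8))  // 94287082
	v := &Verifier{Secret: secret, Step: 30, Digits: 8}
	code := TOTP(secret, 1111111109, 30, 8)                  // 07081804
	fmt.Println("first use:", v.Verify(code, 1111111109+20)) // true
	fmt.Println("replay:   ", v.Verify(code, 1111111109+20)) // false
}
```

The replay guard is the part most implementations forget: a TOTP code is valid for the whole 30-second step (plus the skew window), so a code phished a few seconds ago still works unless the server remembers which step it last accepted.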
3. Soft token Software Development Kits (SDKs)
What are they?
This is software that is embedded into a mobile app and uses cryptographic operations to authenticate the user and the device. These solutions usually give a smoother UX: there is no need to switch between apps or to carry a hardware device. From a security perspective there are significant advantages, because soft-token SDKs support stronger cryptography such as digital signatures: the private key stays on the device and the server only needs the corresponding public key, so there is no shared secret on the server for an attacker to steal.
Common issues:
- Device-bound keys – the user loses access with every change, loss, or upgrade of their smartphone unless a secure re-enrolment or backup path exists
- Requires the business to have its own mobile app to embed the SDK into, so it is not an option for businesses that rely on third-party apps.
4. SMS-based OTPs
What are they?
This is a user-friendly method that does not require the user to install an app. Instead, a one-time password is sent by SMS to the phone number registered for the user, who enters it to authenticate.
Common issues:
- UX issues – OTPs expire after a short time, and patchy mobile coverage delays or loses the message for users in remote areas.
- Vulnerable to interception – malware on the phone can read the message, SS7 signalling attacks can reroute it, SIM swapping at the carrier can take over the number, and the code can be phished and relayed in real time. For these reasons NIST SP 800-63B classifies SMS-based out-of-band authentication as RESTRICTED.
5. Smartcards and cryptographic hardware tokens
What are they?
Physical devices that perform cryptographic operations such as decryption and signing while keeping the keys inside a tamper-resistant, isolated chip (a secure element), so the private key never leaves the device. They are used for logon to PCs (e.g. via Windows Smartcard Logon) and to digitally sign transactions, proving that the genuine user authorized this specific transaction and not some other one. Smartcards need a dedicated reader or work contactlessly; cryptographic hardware tokens typically connect via USB.
Common issues:
- Operational headaches for businesses – high cost of deployment, maintenance, upgrade, and replacement
- Similar UX issues to OTP hardware tokens: the user needs the device, and often a reader, at hand.
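The signing flow that sections 3 and 5 both describe, as an added example that is not part of the original article: the device signs the exact transaction the user approved, and the server verifies it with a public key stored at enrolment, so no shared secret exists on the server. Ed25519 from Go's standard library stands in for whatever algorithm a given SDK or card supports; the JSON encoding, the server-issued nonce, and the user and payee names are this example's own design choices and constructed sample data; and the in-memory Device type models what a secure element or smartcard does in hardware.

```go
// Added example, not from the original article: transaction signing with a device-held
// private key, the pattern behind soft-token SDKs and smartcards/cryptographic hardware
// tokens. Ed25519 and the JSON/nonce layout are this example's choices.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Transaction is what the user is asked to approve. The server-issued nonce binds the
// signature to one authorization request so a captured approval cannot be reused.
type Transaction struct {
	Payee  string `json:"payee"`
	Amount int64  `json:"amount_cents"`
	Nonce  string `json:"nonce"`
}

// canonical returns the exact bytes that are signed; both sides must serialize identically.
// encoding/json emits struct fields in declaration order, which makes this deterministic.
func canonical(tx Transaction) []byte {
	b, err := json.Marshal(tx)
	if err != nil {
		panic(err)
	}
	return b
}

// Device models the user's token: it holds the private key, which never leaves it.
// In a real SDK or smartcard this key lives in a secure element or keystore.
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates the key pair at enrolment and hands back only the public half.
func NewDevice() (Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Device{priv: priv}, pub
}

// Approve is where a real token would show the transaction on its own display and wait
// for the user's PIN or button press before signing.
func (d Device) Approve(tx Transaction) []byte {
	return ed25519.Sign(d.priv, canonical(tx))
}

// Server keeps only public keys from enrolment and the nonces it has issued but not yet
// seen; there is no secret here that would let an attacker forge approvals.
type Server struct {
	enrolled map[string]ed25519.PublicKey
	nonces   map[string]bool
}

func NewServer() *Server {
	return &Server{enrolled: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Enrol records the public key a user's device presented at registration.
func (s *Server) Enrol(user string, pub ed25519.PublicKey) { s.enrolled[user] = pub }

// IssueNonce creates a fresh challenge for one authorization request.
func (s *Server) IssueNonce() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b[:])
	s.nonces[n] = true
	return n
}

// Authorize checks the signature over the exact transaction presented, under a live nonce,
// and consumes the nonce so the same signed approval cannot be submitted twice.
func (s *Server) Authorize(user string, tx Transaction, sig []byte) bool {
	pub, ok := s.enrolled[user]
	if !ok || !s.nonces[tx.Nonce] {
		return false
	}
	if !ed25519.Verify(pub, canonical(tx), sig) {
		return false
	}
	delete(s.nonces, tx.Nonce)
	return true
}

func main() {
	dev, pub := NewDevice()
	srv := NewServer()
	srv.Enrol("alice", pub) // constructed sample user
	tx := Transaction{Payee: "ACME Ltd", Amount: 12500, Nonce: srv.IssueNonce()}
	sig := dev.Approve(tx)
	tampered := tx
	tampered.Amount = 1250000 // attacker changes the amount after the user approved
	fmt.Println("tampered:", srv.Authorize("alice", tampered, sig)) // false
	fmt.Println("genuine: ", srv.Authorize("alice", tx, sig))       // true
	fmt.Println("replay:  ", srv.Authorize("alice", tx, sig))       // false
}
```

Compared with the OTP flow, the signature is bound to the payee and amount, so a tampered transaction fails verification, and a breach of the server reveals only public keys. What the signature cannot do is protect the user from approving something they did not read, which is why smartcards and hardware tokens with their own display show the transaction before signing.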
While each MFA method has its flaws, what you can see above is one single trend: a trade-off between security and usability.
There is hope, however – with cutting-edge cryptographic key storage and management methods built for enterprises.