
Stolen or compromised credentials were involved in roughly 80% of data breaches in 2024, according to one industry estimate, so stopping credential-based attacks is critical to guarding access to an organization's data, applications, and other resources. The most effective single control against these attacks is multi-factor authentication (MFA), which requires more than one independent proof of identity before access to a resource is granted.

As the name implies, MFA requires two or more factors from different categories: something you know (a password, PIN, or answer to a security question), something you have (a physical or software authenticator), and/or something you are (a biometric characteristic unique to you). Two-factor authentication (2FA) is the subset of MFA that uses exactly two factors; add a third and it is still MFA. The categories matter: a password plus a security question is two pieces of knowledge, not two factors, because both can be phished or leaked in exactly the same way.

Any second factor is a large improvement over a password alone. Against today's phishing campaigns, however, what matters most is not how many factors are used but whether they can be relayed: a password plus a one-time code can be proxied in real time by an attacker-in-the-middle site, whereas a FIDO authenticator signs a challenge bound to the genuine site's origin and simply cannot be used from a look-alike domain. MFA programs that include such phishing-resistant factors make the authentication environment substantially more secure.

The three types of MFA factors
  1. Something you know

    Passwords, PINs, security questions: knowledge-based factors have been around for as long as resources have needed protection. Although they involve information only the legitimate user should know, an attacker often finds a path to it as well, whether by phishing, brute-force or credential-stuffing attacks, data leaks, or poor password hygiene such as reusing the same credentials everywhere.

    It is hard to fault users for writing down or re-using credentials. With as many work-related passwords as they must keep track of (now averaging 87, according to one study), it is almost impossible to do well without help of some kind, which is why humans are so often the weakest link in cybersecurity.

    Given these inherent weaknesses, more organizations are prioritizing passwordless authentication, most often with passkeys. A passkey is a FIDO credential: the service stores a public key, the private key stays on the user's device, and a biometric or device PIN merely unlocks it locally, so there is no shared secret that can be phished, leaked from a database, or reused across sites. Organizations are also replacing static security questions with context-aware checks tied to the current session (device, location, and behavior).

    To the extent that passwords are still used today, they are now almost always coupled with additional factors, particularly in security-sensitive industries. Logging into a banking app, for example, is likely to require a password plus a biometric check such as facial recognition, especially if unusual activity has been detected. Strictly speaking, the biometric there unlocks a credential stored on the enrolled phone, so the second factor the bank actually verifies is possession of that device.

  2. Something you have

    The “something you have” factors, formally known as possession factors, require the user to hold a physical or software object that takes part in authentication. Examples include:

    • Hardware authenticators that generate one-time passwords (OTPs), especially in high-security environments where mobile devices are not available
    • Security keys implementing the FIDO standards (the older U2F and the current FIDO2/WebAuthn), many of which also support NFC so they can be used over USB or wirelessly
    • Smart cards with authentication credentials stored on them for secure access to resources
    • Phishing-resistant FIDO passkeys, which let users sign in with a device biometric or PIN instead of a password; the biometric or PIN only unlocks the private key locally, and the signature the server receives is bound to the server's own origin, which is what makes the credential unusable from a phishing site
    • Device-bound passkeys tied to a specific authenticator; unlike synced passkeys, they cannot be copied to other devices through a cloud account, which removes that account as an attack surface and lets the relying party request attestation of the hardware that holds the key

  3. Something you are

    Whenever you unlock your smartphone with facial recognition, or open a secure app by scanning your fingerprint, you are using an inherence factor, i.e., “something you are.” Fingerprint and facial recognition, retinal or iris scans, voice pattern detection, even behavioral biometrics such as typing rhythm all prove that you are really you. Two caveats apply. Biometrics are hard, not impossible, to reproduce: presentation attacks with photos, masks, or lifted prints are a known threat, which is why good matchers include liveness detection. And a biometric is not a secret that can be rotated if it leaks, so in well-designed systems it is matched locally on the device and used to unlock a possession credential rather than being sent to a server.

    Inherence factors can raise privacy concerns, especially about how (and how securely) biometric templates are stored, but it is hard to deny the value of security based on what you are rather than on what you know or have (and can therefore forget or lose). It is also an area that invites innovation, including continuous authentication driven by contextual signals such as device posture, location, and network (a key pillar of Zero Trust), and behavioral biometrics built on keystroke dynamics and mouse-movement patterns.

Key MFA methods and examples

Push to approve

  • Definition: On-device notification asking the user to tap to approve an access request
  • Benefit: Quick, convenient way to provide an additional factor for real-time authentication
  • Caveat: A bare approve/deny prompt is vulnerable to push fatigue, where an attacker who already has the password sends prompts until the user taps approve. Number matching (the login screen shows a code the user must type into the prompt) and rate limiting of prompts close that gap
  • Scenario: Access to secure mobile applications

One-time passcode (OTP)

  • Definition: Automatically generated code, usually time-based (TOTP) or counter-based (HOTP), that is valid for a single login and a short window
  • Benefit: Because each code is accepted only once, a code captured after use is worthless; the verifier must actually enforce this by remembering which time step or counter it last accepted
  • Caveat: OTPs are not phishing-resistant. A real-time phishing proxy can relay a freshly typed code before it expires, and codes delivered by SMS are additionally exposed to SIM-swap attacks, so prefer an authenticator app or hardware token over SMS delivery
  • Scenario: Online banking or other security-sensitive transactions
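
The single-use property above depends on the verifier as much as on the code generator. The following Go program is an added example, not code from the original page or from RSA: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Go standard library, plus a server-side verifier that tolerates one step of clock drift but never accepts a time step twice, so a code that was shoulder-surfed or phished after use cannot be replayed inside its 30-second window. The secret is the ASCII seed from the RFC 6238 test vectors; TotpVerifier and its field names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation of the MAC, then reduction to the requested digit count.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238: HOTP with the counter derived from Unix time.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// TotpVerifier is the server side. It tolerates +/- skew steps of clock drift
// and enforces "one login session": a time step that already produced an
// accepted code is never accepted again.
type TotpVerifier struct {
	secret      []byte
	step        int64
	digits      int
	skew        int64
	lastCounter int64 // highest step already consumed; persist this per user
}

func NewTotpVerifier(secret []byte) *TotpVerifier {
	return &TotpVerifier{secret: secret, step: 30, digits: 6, skew: 1, lastCounter: -1}
}

// Verify accepts code once for the window around now and records the step used.
func (v *TotpVerifier) Verify(code string, now int64) bool {
	center := now / v.step
	for c := center - v.skew; c <= center+v.skew; c++ {
		if c < 0 || c <= v.lastCounter {
			continue // already used (or older than a used step): treat as replay
		}
		want := hotp(v.secret, uint64(c), v.digits)
		// constant-time comparison so timing does not leak which digits matched
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret: the ASCII seed used by the RFC 6238 test vectors.
	secret := []byte("12345678901234567890")
	v := NewTotpVerifier(secret)
	now := int64(1111111109)
	code := totp(secret, now, 30, 6)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

Note what the verifier does and does not buy you: it defeats replay of a code after it has been used, but a phishing proxy that relays the code to the real site within the same window still wins, because from the verifier's point of view that is the first use. That is the gap only origin-bound factors such as FIDO passkeys close.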

Biometrics

  • Definition: Use of a device or application that recognizes a fingerprint or other biometric
  • Benefit: Convenient authentication that is difficult to spoof when the matcher includes liveness detection; on most devices the biometric unlocks a locally stored credential, so the user's biometric data never leaves the device
  • Scenario: Secure access to a device or application

Device-bound passkey

  • Definition: A FIDO credential whose private key is generated inside, and can never be exported from, one authenticator (a security key or a phone's secure hardware); the user unlocks it with a biometric or PIN, and the server verifies a signature rather than a shared secret
  • Benefit: Phishing-resistant like every passkey, with a smaller attack surface than synced passkeys because there is no cloud account through which the key could be copied, and with hardware attestation available to prove which kind of authenticator holds it
  • Scenario: Enterprise applications and regulated environments
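
What makes a passkey phishing-resistant, both in the “something you have” list earlier and in the device-bound passkey entry above, is that the authenticator signs data that includes the origin the browser actually saw and a one-time challenge from the server. The Go program below is an added example, not code from the page, from RSA, or from any WebAuthn library: it simulates the authenticator with a P-256 key and implements the relying-party checks over a simplified assertion (authenticatorData = rpIdHash || flags || signCount, with the signature over authenticatorData || SHA-256(clientDataJSON), as WebAuthn's ES256 specifies). The names newCredential, signAssertion, VerifyAssertion, bank.example and bank-example.com are constructed for this example; CBOR/COSE encoding, registration, and attestation are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the clientDataJSON fields that matter here. The browser,
// not the web page, fills in Origin, and the authenticator signs over it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion: AuthData is rpIdHash || flags || signCount; Signature covers AuthData || SHA-256(ClientDataJSON).
type Assertion struct {
	AuthData       []byte
	ClientDataJSON []byte
	Signature      []byte
}

// newCredential stands in for registration (hypothetical helper): a P-256 key pair.
func newCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedMessage is the digest both sides compute: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return digest[:]
}

// signAssertion simulates browser plus authenticator. A real browser refuses a
// phishing page's request before anything is signed; the simulation lets the
// attacker's origin through so the server-side check is visible.
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string, signCount uint32) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], signCount)
	authData := append(append(rpHash[:], 0x01), ctr[:]...) // 0x01: user-present flag
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the relying party. Every field it checks is covered by
// the signature, so a genuine signature made on a look-alike site still fails.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, rpID, origin, challenge string, lastSignCount uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	// The challenge is a per-login nonce, so a captured assertion cannot be replayed.
	if subtle.ConstantTimeCompare([]byte(cd.Challenge), []byte(challenge)) != 1 {
		return 0, errors.New("challenge mismatch: stale or replayed assertion")
	}
	// Origin binding is the phishing-resistance check.
	if cd.Origin != origin {
		return 0, fmt.Errorf("origin %q is not %q: possible phishing", cd.Origin, origin)
	}
	if len(a.AuthData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if subtle.ConstantTimeCompare(a.AuthData[:32], rpHash[:]) != 1 {
		return 0, errors.New("rpIdHash mismatch")
	}
	if a.AuthData[32]&0x01 == 0 {
		return 0, errors.New("user presence not asserted")
	}
	signCount := binary.BigEndian.Uint32(a.AuthData[33:37])
	if signCount != 0 && signCount <= lastSignCount {
		return 0, errors.New("signature counter did not increase: cloned authenticator?")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("bad signature")
	}
	return signCount, nil
}

func main() {
	priv, _ := newCredential()
	const rpID, origin, challenge = "bank.example", "https://bank.example", "n0nce-for-this-login" // constructed
	genuine, _ := signAssertion(priv, rpID, origin, challenge, 1)
	_, err := VerifyAssertion(&priv.PublicKey, genuine, rpID, origin, challenge, 0)
	fmt.Println("genuine site:", err)
	// Same user, same authenticator, lured to a look-alike domain.
	phished, _ := signAssertion(priv, rpID, "https://bank-example.com", challenge, 2)
	_, err = VerifyAssertion(&priv.PublicKey, phished, rpID, origin, challenge, 1)
	fmt.Println("phishing site:", err)
}
```

The point to take from the second case is that the attacker holds a perfectly valid signature and still gets nowhere: the origin is inside the signed data, and the relying party compares it to its own. The signature-counter check is what a relying party can use to notice a cloned synced credential; device-bound passkeys make cloning itself infeasible. For production use, rely on a maintained WebAuthn library rather than hand-rolled parsing of the real CBOR structures.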

Hardware authenticator

  • Definition: A token in the form of a small, portable, OTP-generating authenticator
  • Benefit: Physical possession as an added layer of security
  • Scenario: Secure environments where mobile devices are not an option for authentication

Software authenticator

  • Definition: A token that exists as a software app on a smartphone or other device
  • Benefit: Portable and easy to deploy
  • Scenario: Wherever company-issued or personal devices can be used for authentication

Choosing the right MFA methods

There are several factors to consider as you think about which MFA methods will work best for your organization, including the risk level and sensitivity of the data; user convenience and accessibility; and cost and implementation requirements. The following are specific questions to consider with these factors in mind.

Critical questions and recommendations to consider

  • Do you need multiple MFA methods to address the needs of multiple environments, onsite, remote, or a combination of both? Using several MFA methods chosen strategically and delivered by one provider will help control costs and streamline implementation.
  • Do you have a remote workforce using unmanaged personal devices to authenticate to secure resources? Be sure one of the MFA methods available to you is designed to detect and manage threats on BYOD devices.
  • Are you operating primarily in a high-security environment (like a clean room) where mobile phones are not permitted? Hardware token authentication with tokens that can be managed in the cloud makes it possible to meet the need for both secure authentication and ease of management.
  • What are your plans for business continuity, specifically for maintaining strong authentication and access during an outage of the identity provider or the network? Consider a hybrid environment that can fail over to on-premises MFA methods when necessary.
  • Are you required to comply with regulations or directives that prescribe phishing resistance or other specific qualities in your MFA methods (for example, OMB M-22-09 requires phishing-resistant MFA across US federal agencies)? Do your due diligence to confirm that the methods you choose, and the way they are configured, actually meet those requirements: a deployment that still allows an OTP or push fallback is only as phishing-resistant as that fallback.

Explore your options for MFA methods

It is impossible to overstate the importance of MFA in modern cybersecurity, especially given the diversity and complexity of today's authentication and threat environments. Offering multiple MFA methods makes a layered approach possible, in which the strongest available method can be required for the most sensitive access and an additional method can be demanded when risk signals appear, making it harder for unauthorized users to get in. Having multiple methods available also improves the user experience, by providing a range of choices to tailor authentication to different users' needs and circumstances. Contact RSA to start exploring the range of MFA solutions available to you today.
