Information Security / 6 things that may surprise you about some multi-factor authentication solutions
6 things that may surprise you about some multi-factor authentication solutions
29 January 2019
Adrian Jones, CEO of Swivel Secure, shares 6 matters you may want to investigate when comparing multi-factor authentication solutions:
1. True multi-factor authentication or 2FA?
True multi-factor authentication consists of something that you have (hardware token or mobile app), something that you know (PIN), something that you are (fingerprint). However, some solutions market their offering as multi-factor authentication, despite only consisting of two of the three factors i.e. 2FA
2. Don’t wait for a man-in-the-middle attack
When a user authenticates access to an application, the window of opportunity to use the authentication code can last up to 45 seconds, or even twice that time with some (well known) hardware tokens. In this time, unauthorised access can occur including attacks such as ‘Man-in-the-middle’. Once successfully authenticated, the infiltrator potentially has access to the network and the ability to cause a catastrophic amount of damage.
3. Ensure a one-time code is a one-time code!
Typically, a one-time code (OTC) means it’s a code used on a device to authenticate access to a computer or application. The OTC can be delivered on a separate device such as a mobile phone or traditionally a hardware token. As the name suggests, a OTC is designed to be utilised only once for security purposes. Yet, some authentication suppliers provide the same code simultaneously, on different devices to authenticate access.
4. How and where is your data stored?
Part of today’s organisational security requirements often need authentication to support architecture that is on-premise, in the cloud or a combination (hybrid-cloud). Surprisingly, some solutions only support a cloud architecture and organisations are now starting to realise the negative security implications of storing data in a shared public cloud environment, choosing to move to an ‘on-premise / private hybrid hosting environment’, despite the perceived higher running costs, because the security benefits simply outweigh the cost factor.
An additional consideration for data storage is the impact on GDPR regulations. For example, you might subscribe to a “local” hosting service, only to find your access point is in another country and your data has been moved to another data centre (DC) in another country. Ensure you know where your data is being held geographically as well as structurally.
Also of interest: Do CISOs need an image makeover?
5. Public cloud-based multi-tenancy and multi-tiered architecture can restrict your options to secure your data
Sometimes, it just makes sense to host selected applications and databases in the cloud. However, most cloud instances reside in multi-tenanted and multi-tiered data centres. This often exposes your data to a range of variables that can affect the integrity, security and the operational stability. Most importantly, depending where it is implemented and how your cloud authentication software was designed, it can often restrict your options for protecting it because it compromises the integrity of the system i.e. a shared service, with minimal customisation, reduced integration and shared access and management control.
6. What do you need to integrate with today and tomorrow?
Adding flexibility to an organisation so they are supported as they grow and evolve, should be high on the checklist when looking for a multi-factor authentication solution. However, there are quite a few solutions that are restricted in their integration capability. They can only integrate with a limited number of software and hardware devices, usually because of their associations with other providers or their ownership. Organisations should look to solutions which provides:
- True multi-factor authentication
- No refresh rate because a new code is requested each and every time you authenticate
- A one-time code is only ever used once, on one device
- Authentication for cloud, on-premise and hybrid
- Multi-factor authentication for all configurations including single private instance per customer
- Hundreds of integrations to fully support an organisation’s growth