Authentication is a process of verification of a person's identity. Typically, authentication is realised by entering a name and password when logging on to a particular information system (e.g., an email account).
Multi-factor authentication (commonly abbreviated as MFA) refers to a process whereby simply entering a login name and password is not sufficient to verify identity and therefore additional confirmation is required (e.g., a one-time password delivered via SMS to a previously registered phone number).
Multi-factor authentication is sometimes referred to by other terms such as multi-factor authentication, two-factor authentication, etc.
Importance of MFA
Services that are not intended to be publicly accessible are typically secured using login credentials. These credentials consist of a login name and password. A password is a piece of information that only its owner is expected to have a knowledge of it.
However, the password may be compromised for several reasons. These situations usually include:
- Intentional disclosure of the password by its owner to another person.
- Inadequate manipulation with the password, e.g., writing it on a piece of paper placed near a monitor that can be read by anyone in the vicinity.
- Interception of unsecured internet communications.
- Succumbing to a phishing campaign
- Guessing based on knowledge of the person using the password.
If the password is compromised, anyone can use it to authenticate themselves as well as an authorised person. Any actions taken after logging in can then be attributed to the person whose login credentials have been compromised.
With the increasing trend of home office and from locations other than the regular workplace, there is a growing number of information systems that need to be accessible from the outside. In such cases, the disclosure of login credentials can present a serious situation, as misuse can be realized from the other side of the world, from places where the legal environment may not meet the standards we are used to.
Therefore, authentication using only a name and password is considered insufficient. There are ways to enhance login security, and MFA is one of them.
The MFA principle
Standard security using password presumes that the authorized user and only him knows something. That something is the login name and the password. If the assumption that only the authorized user has this knowledge fails, security based on this level also fails.
MFA is based on verification that the authorized user physically owns something; something that no one else has. This something could be, for example, a mobile phone with a specific phone number that was previously registered for the person.
After the user authenticates with knowledge (name and password), ownership verification is requested. For example, an SMS is sent to the phone number provided with a one-time generated code, which the user transcribes in the login form. This is a principle well known, for example, from internet banking.
If someone steals a person's login and password and tries to misuse them, an SMS with a one-time code is sent to the person's mobile phone. Without this code, the attacker cannot get any further. However, the authorized person should realise that if he has received a one-time code on their mobile phone and have not entered the password himself, something wrong is happening.
SMS verification
The MFA principle based on sending SMS is the simplest way to implement this type of security. It is considered less secure than some other methods but can still significantly increase the security level of login credentials compared to just a login name and password.
The prerequisite is the prior registration of the telephone number to which the additional code is to be sent. At UPCE, anyone can do this registration on their own using the website https://mypassword.upce.cz/.
There is a tutorial with the procedure for registering a phone number in the Knowledge Base on the University ServiceDesk.
The advantage of SMS authentication is that this method works independently of the device's connectivity to the Internet and that it is functional even on devices that do not allow the installation of additional applications (e.g., push-button phones).
Verification by application
This type of authentication is based on a special app that needs to be installed on a smart device. Therefore, it is necessary to have a device that allows the installation of applications. This device is typically a smartphone.
Again, the application must first be registered to the relevant account (on the UPCE website https://mypassword.upce.cz/). The app then allows for various additional authentication methods, e.g.:
- It can generate one-time codes that need to be overwritten when logging in (like SMS codes).
- It can display a login confirmation prompt on the device, where you usually only need to tap the confirm button without having to overwrite anything.
Such application is Microsoft Authenticator. There is a tutorial with the procedure for registering Microsoft Authenticator in the Knowledge Base on the University ServiceDesk.
The advantage of the application is that it is not dependent on a phone number, so it is useful when the user does not want to provide his/her phone number or does not have a phone but another device like a tablet. The disadvantage is that the device in question must have internet access.
Verification by physical device
MFA can also be performed using a dedicated physical device. This device must be physically connected to the computer via USB at the time of entering the login credentials or wirelessly via NFC if this technology is available. These are most often so-called security tokens resembling a USB flash drive.
The advantage of these tokens is that there is no need to own a mobile phone or register a phone number. The disadvantage is that they can be lost, which is usually detected much later than the loss of a mobile phone. It also represents some additional investment compared to a mobile phone, which most people already have.
