Managed IT Services ASIA - China, HK, Singapore, Taiwan, Japan | Break Fix, Remote Support
  • Multi-Factor Authentication (MFA) Solutions

    Multi-Factor Authentication (MFA) is a multi-factor authentication security practice that adds an extra layer of security beyond the username and password

    Brocent can provide enterprise customers with professionally tailored multiple identity solutions

Passwordless Authentication and Multi-Factor Authentication (MFA)

Passwordless authentication and multi-factor authentication (MFA) are no longer buzzwords in IT circles. They have long been a part of everyday life. Today, we unlock our phones with facial recognition, log into our work business systems with an authenticator app, or access sensitive documents with the Personal Identification Number (PIN) we receive in a text message on our phones.
And the technology doesn't stop there - both MFA and passwordless solutions are growing at a phenomenal rate. By 2026, the global MFA market is expected to grow to $23.5 billion. By 2030, the global passwordless authentication market is expected to reach $456.79 billion.
However, even with all the hype surrounding passwordless authentication and multi-factor authentication (MFA), there is still confusion about the purpose, effectiveness and difficult challenges of each security protocol. This article defines the two terms, explains the core differences between them and offers advice on how to choose the best authentication solution for your company's IT environment.

What's the Multi-Factor Authentication?

Multi-factor authentication (MFA) is a digital authentication system that requires the user to pass through multiple authentication checkpoints.MFA is similar to passwordless authentication in that it can make use of biometric or possession factors, but the difference is that MFA still uses a username and password.
To log in to a system configured for MFA, you will need to enter your username and password as you normally would. You will then be prompted to present or enter something else, such as a one-time access password sent via the authenticator app, a magic link sent to your email address, your fingerprint. Once you've passed these little tests, you're logged into the system.
You can think of MFA as a door with a lock, a retina scan and a password. Like a password, a lock may be easy to pick, but it is very difficult to replicate a retinal scan or crack a device that receives a one-time password. Having multiple layers of protection severely limits the damage that criminals can cause.

Multi-Factor Authentication (MFA)

Certification methods

MFA enhances the confidence of an enterprise organisation in authenticating and verifying a particular user by adding additional authentication factors on top of a static password. For example, an MFA-based system might prompt a user for a password, then use voice recognition as a secondary authentication factor and a one-time password as a third authentication factor.

MFA has a wide range of secondary authentication factors to choose from

1. One Time Password (OTP)

It's quite common to use SMS as a second identity verification factor. A random six-digit number is sent to the user's phone using an SMS, so theoretically only the person with the correct phone will pass the verification, right? Unfortunately, the answer is no. There are multiple methods that have been proven to hack OTPs. for example, in mid-June 2018, hackers were able to hack the news and entertainment website Reddit through SMS interception. while the hackers didn't get much personal information (Reddit's incident response efforts were great), it still exposed that SMS authentication codes aren't as secure as people often assume. The text messages could be intercepted by exploiting a cellular network vulnerability. Malware installed on the victim's phone can also redirect SMS messages to the attacker's phone. Social engineering attacks on cellular operators can allow the attacker to copy a new SIM card associated with the victim's mobile phone number to receive the victim's OTP text messages. In fact, the US Institute of Standards and Technology (NIST) disapproved of the use of SMS authentication in 2016, arguing that the method was no longer a secure method of authentication. Unfortunately, however, many companies and businesses continue to rely on SMS OTP, giving users a false sense of security

2. Hardware tokens

The big brother of the incumbent MFA methods, hardware authentication tokens often come in the form of key cards with OTP displays, with the hardware itself protecting its internal unique key. But the drawbacks of hardware keycards are also obvious. Firstly, the user has to carry this additional device with them; secondly, it is expensive; thirdly, it requires logistical delivery; and finally, it must be replaced from time to time. Some hardware tokens require a USB connection, which can be tricky when authentication from a mobile phone or tablet is required.

3. Mobile token

Mobile tokens are to a large extent similar to hardware tokens, but are implemented through a mobile phone application. The biggest advantage of a mobile token is that the user only needs to bring a smartphone, which is now basically a necessity and many people don't forget their keys without their phone. The real problem is to examine the way the key enters the phone, the "activation process". It is not a good idea to provide all keys and credentials in a QR code, anyone who can copy your QR code will have a copy of your token.

4. Push-based authentication tokens

An authentication token, stripped down from common mobile tokens and SMS verification codes, uses secure push technology for authentication and is popular with users for its increased ease of use. Unlike SMS, push messages do not contain an OTP, but instead contain encrypted information that can only be opened by a specific app on the user's phone. As a result, the user has context-sensitive information to determine if the login attempt is genuine and then quickly agrees or rejects the authentication. If consent is given, the token on the user's phone should generate an OTP which is sent back for authentication along with that consent authorisation. Not all MFA solutions do this, which also increases the risk of the push consent message being copied and forged.

5. QR code based authentication tokens

While push-based tokens require a data connection from the phone, QR code-based authentication works offline, providing contextual information through the QR code itself. The user scans the QR code on the screen with a mobile authentication app and then enters the OTP generated by the app based on the key, time and contextual information. the speed and convenience experienced by the user in this process is important and is the reason why push-based and QR code-based tokens have been able to spread so quickly.

More details on Multi-Factor Authentication (MFA)

Safety

There is no doubt that both MFA and passwordless authentication bring a higher level of security to enterprise organisations, but they do have limitations. Because MFA systems use usernames and passwords as the primary authentication method, they are vulnerable to phishing and brute force attacks. A second or third authentication method may deter cybercriminals from going further, but these authentication methods must be very tight to prevent a full-scale attack.

Ease of use

MFA is more time consuming and time sensitive, but users don't have to commit passwords to memory or files, which only adds to the risk.
MFA and the need to use only one authentication method certainly makes it easier for business users with multiple passwords.

Brocent offers a wide range of popular Multi-Factor Authentication (MFA) software and corresponding solutions

Cisco Duo

Cisco's pairing of passwordless authentication with Duo SSO enables enterprises to consolidate hundreds of passwords and authentication into one simple user login to cloud applications, effectively reducing the risk of password-related threats and vulnerabilities such as phishing, stolen or weak passwords, password reuse, brute-force, man-in-the-middle attacks and password database compromise.

ESET Secure 

Computer security software company ESET, which has been working on anti-malware and endpoint protection products, has launched ESET Secure Authentication, a full-featured MFA solution: support for VPN and RADIUS; a browser-based management console; integration with existing LDAP directories or cloud-based identity stores; and flexible multi-factor ESET even offers APIs and SDKs for enterprises wishing to integrate their applications more tightly with services.

HID Approve

HID Global had a strong foothold in the market for its physical security solutions long before MFA became mainstream. In addition to hardware and smart card solutions, HID offers a reliable software-based multi-factor authentication solution, HID Approve, which can be deployed quickly without the need for hardware investment. self-protection (RASP) mechanism that monitors authentication attempts and helps enterprise organisations prevent dynamic attacks.

Mircosfot Entra Azure AD

Azure AD is now part of the Microsoft Entra product family. Azure AD is an integrated cloud authentication and access control solution that is the leader in managing directories, supporting application access and protecting identities Azure AD helps users defend against 99.9% of cyber security attacks.

Okta Adaptive MFA

Okta Adaptive MFA starts with a security platform that uses data gathered from previous attacks to automatically prevent identity attacks. Okta can also use this threat data to score the risks involved to dynamically manage the need to respond to stronger authentication factors. In addition to proactive analysis-based defence, Okta also supports users in streamlining threat reporting and sending notifications or automated mitigation measures to administrators. In addition, Okta Adaptive MFA offers a wide range of options and flexibility to meet the different authentication needs of users.

RSA SecurID

US information security company RSA's RSA hardware token with rotating numeric keys is one of the original multi-factor authentication solutions for protecting corporate VPNs and remote access. The company offers RSA SecurID which not only supports mobile and hardware-based authentication factors, but also seamless authentication paths. It also supports dynamic risk-based authentication policies to balance the need for additional security and more.

Silverfort

Silverfort may be a name that enterprise organizations have not heard of before, but their MFA product is on the must-have list. silverfort not only offers features such as anomalous behavior detection, pattern-based threat detection and escalated authentication based on risk scores, but also the ability to implement multi-factor authentication for common management tools such as remote PowerShell sessions, remote desktops and SSH ) to implement multi-factor authentication

Twilio Authy

The main selling point of Twilio Authy is its flexibility through a robust API backed by extensive documentation and community support. authy is different from some other "plug and play" solutions, but if an enterprise organization needs a highly flexible and scalable solution for custom business applications, it may be just what the enterprise Services that organisations need

Ask BROCENT for more Multi-Factor Authentication (MFA) solutions

Contact Us