Multi-factor authentication (MFA) methods have steadily increased in popularity as the security industry and the public have continued to recognize the weaknesses associated with passwords. But, did you know that not all MFA methods are equally secure? Most people think of MFA as receiving a one-time password (OTP) via an SMS text message. However, this method is actually no longer recommended by NIST because of how easy it is for an attacker to steal or intercept the SMS with the password.
Dark Reading recently published an article by WatchGuard’s Director of Authentication, Alexandre Cagnoni, that explains several different MFA methods and rates the security of each. Each method has strengths and weaknesses, so it’s important for businesses rolling out MFA solutions to be aware of exactly which method they’ll be using. For example, push-based authentication tokens offer a highly secure and usable way for users to authenticate using mobile phones, but require a data connection. If users need to regularly log in from places that lack a data connection, consider a QR code-based token method instead.
Here’s an excerpt from Alex’s article where he explains how push-based authentication works in more detail:
Unlike SMS, the push message won’t carry the OTP. Instead, it will carry an encrypted message that can be opened only by the specific app on the user’s phone. So, the user will have contextual information to decide if the login attempt in question is genuine, and then can quickly approve or deny the authentication. If approved, a unique OTP should be generated internally by the token on the user’s phone and sent back with the approval to verify it. Not all MFA solutions do this, which increases the risk of a push approval message being mimicked or spoofed.
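The exchange Alex describes, as an added example that is not code from the original article, from WatchGuard, or from AuthPoint: the server pushes a challenge carrying login context, the app on the phone derives a one-time code bound to that challenge and to the user's decision, and the server only accepts an approval whose code verifies. The names `AuthServer`, `PhoneToken` and `compute_otp`, the HMAC-based code derivation, and the sample context values are all constructed for illustration; encryption of the push payload to the enrolled app is assumed and not modelled.

```python
import hmac
import hashlib
import secrets
import time

OTP_DIGITS = 8
CHALLENGE_TTL_SECONDS = 60


def compute_otp(seed: bytes, challenge_id: str, decision: str) -> str:
    """Derive a one-time code bound to this login attempt and the user's decision.

    Constructed scheme for illustration: HMAC-SHA256 over the challenge id and the
    decision, truncated HOTP-style (RFC 4226 dynamic truncation) to decimal digits.
    """
    msg = f"{challenge_id}:{decision}".encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** OTP_DIGITS)).zfill(OTP_DIGITS)


class AuthServer:
    """Hypothetical authentication server side of the push flow."""

    def __init__(self):
        self._seeds = {}    # user -> per-device secret provisioned at enrollment
        self._pending = {}  # challenge_id -> (user, context, expiry)

    def enroll(self, user: str) -> bytes:
        seed = secrets.token_bytes(32)
        self._seeds[user] = seed
        return seed  # handed to the app once, during enrollment

    def start_login(self, user: str, context: dict, now=None) -> dict:
        now = time.time() if now is None else now
        challenge_id = secrets.token_hex(16)
        self._pending[challenge_id] = (user, context, now + CHALLENGE_TTL_SECONDS)
        # The push carries context, not an OTP. A real deployment encrypts this
        # payload for the enrolled app; that transport layer is assumed here.
        return {"challenge_id": challenge_id, "context": context}

    def verify_response(self, response: dict, now=None) -> bool:
        now = time.time() if now is None else now
        # Each challenge is consumed on first use, so a replay finds nothing.
        entry = self._pending.pop(response.get("challenge_id"), None)
        if entry is None:
            return False  # unknown, already used, or replayed challenge
        user, _context, expiry = entry
        if now > expiry or response.get("decision") != "approve":
            return False
        # A bare "approve" is never enough: the code must match this challenge.
        expected = compute_otp(self._seeds[user], response["challenge_id"], "approve")
        return hmac.compare_digest(expected, str(response.get("otp", "")))


class PhoneToken:
    """Hypothetical app on the user's phone holding the enrolled secret."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def respond(self, push: dict, approve: bool) -> dict:
        # The user sees push["context"] and decides; the token binds that
        # decision to the challenge by generating the code internally.
        decision = "approve" if approve else "deny"
        return {
            "challenge_id": push["challenge_id"],
            "decision": decision,
            "otp": compute_otp(self._seed, push["challenge_id"], decision),
        }


def demo() -> dict:
    server = AuthServer()
    phone = PhoneToken(server.enroll("alice"))
    context = {"ip": "203.0.113.7", "city": "Lisbon", "app": "VPN"}  # constructed

    push = server.start_login("alice", context)
    genuine = server.verify_response(phone.respond(push, approve=True))

    # A spoofed approval naming the challenge but lacking a valid code is rejected.
    push2 = server.start_login("alice", context)
    forged = server.verify_response(
        {"challenge_id": push2["challenge_id"], "decision": "approve", "otp": "not-a-code"})

    # Replaying a genuine approval after it has been consumed is rejected.
    push3 = server.start_login("alice", context)
    reply = phone.respond(push3, approve=True)
    first = server.verify_response(reply)
    replayed = server.verify_response(reply)

    # An approval arriving after the challenge TTL is rejected.
    push4 = server.start_login("alice", context, now=1000.0)
    late = server.verify_response(phone.respond(push4, approve=True),
                                  now=1000.0 + CHALLENGE_TTL_SECONDS + 1)

    return {"genuine": genuine, "forged": forged, "first": first,
            "replayed": replayed, "late": late}


if __name__ == "__main__":
    print(demo())
```

The check a defender wants is in `verify_response`: the server never trusts the word "approve" on its own, only an approval whose code was derived from the enrolled secret and this specific challenge, and every challenge is single-use and time-limited. An MFA product that skips the code and accepts the approval message alone is the weaker variant the excerpt warns about.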
To make multi-factor authentication available to companies of all shapes and sizes, WatchGuard offers AuthPoint, a fully cloud-based MFA solution. Unlike on-premises MFA solutions that require considerable upfront expense and a large staff to deploy and manage, AuthPoint offers secure authentication services entirely through the cloud, for a few dollars per user per month.