What are the 4 general forms of authentication?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

High level MFA

The main benefit of MFA is that it enhances your organization's security by requiring users to identify themselves with more than a username and password. While important, usernames and passwords are vulnerable to brute force attacks and can be stolen by third parties. Enforcing the use of an MFA factor like a thumbprint or a physical hardware key means increased confidence that your organization will stay safe from cyber criminals.

MFA works by requiring additional verification information (factors). One of the most common MFA factors that users encounter is the one-time password (OTP). OTPs are the 4-8 digit codes that you often receive via email, SMS, or a mobile app. With OTPs, a new code is generated periodically or each time an authentication request is submitted. The code is derived from a seed value assigned to the user when they first register, combined with a second input, which may simply be a counter that is incremented or a time value.

Most MFA authentication methodology is based on one of three types of additional information:

  • Things you know (knowledge), such as a password or PIN
  • Things you have (possession), such as a badge or smartphone
  • Things you are (inherence), such as a biometric like fingerprints or voice recognition

Examples of Multi-Factor Authentication include using a combination of these elements to authenticate:

Knowledge

  • Answers to personal security questions
  • Password
  • OTPs (can be both knowledge and possession: you know the OTP, but you must have something in your possession to get it, like your phone)

Possession

  • OTPs generated by smartphone apps
  • OTPs sent via text or email
  • Access badges, USB devices, smart cards, fobs or security keys
  • Software tokens and certificates

Inherence

  • Fingerprints, facial recognition, voice, retina or iris scanning or other biometrics
  • Behavioral analysis

As MFA integrates machine learning and artificial intelligence (AI), authentication methods become more sophisticated, including:

Location-based

Location-based MFA usually looks at a user's IP address and, if possible, their geolocation. This information can be used simply to block a user's access if their location does not match what is specified on a whitelist, or it can serve as an additional factor alongside others such as a password or OTP to confirm that user's identity.

Adaptive Authentication or Risk-based Authentication

Another subset of MFA is Adaptive Authentication, also referred to as Risk-based Authentication. Adaptive Authentication analyzes additional factors by considering context and behavior when authenticating, and often uses these values to assign a level of risk to the login attempt. For example:

  • Where is the user when trying to access information?
  • When is the user trying to access company information? During normal hours or during "off hours"?
  • What kind of device is used? Is it the same one used yesterday?
  • Is the connection via a private network or a public network?

The risk level is calculated based upon how these questions are answered and can be used to determine whether or not a user will be prompted for an additional authentication factor or whether or not they will even be allowed to log in. Thus another term used to describe this type of authentication is risk-based authentication.

With Adaptive Authentication in place, a user logging in from a cafe late at night, something they do not normally do, might be required to enter a code texted to their phone in addition to providing their username and password, whereas when they log in from the office every day at 9 am they are simply prompted for their username and password.
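A minimal risk-based decision over the four context questions above, as an added example that is not part of the original page: the baseline, the weights, the thresholds and the two login attempts (office at 9 am, cafe late at night) are all constructed to mirror the text, not taken from any product.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline for one account: what "normal" looks like for this user.
# The IP prefixes are private ranges standing in for "the office network".
BASELINE = {
    "known_devices": {"laptop-0427"},
    "office_ip_prefixes": ("10.20.", "192.168.10."),
    "work_hours": range(8, 19),  # 08:00-18:59 local time
}

# Hypothetical weight of each context signal in the risk score.
WEIGHTS = {"location": 30, "off_hours": 20, "new_device": 30, "public_net": 20}

@dataclass
class LoginAttempt:
    ip: str
    when: datetime
    device_id: str
    network: str  # "corporate" or "public"

def risk_score(attempt: LoginAttempt, baseline=BASELINE) -> tuple[int, list[str]]:
    """Answer the four context questions; each anomaly adds its weight."""
    score, reasons = 0, []
    if not attempt.ip.startswith(baseline["office_ip_prefixes"]):
        score += WEIGHTS["location"]
        reasons.append("unfamiliar location")
    if attempt.when.hour not in baseline["work_hours"]:
        score += WEIGHTS["off_hours"]
        reasons.append("off hours")
    if attempt.device_id not in baseline["known_devices"]:
        score += WEIGHTS["new_device"]
        reasons.append("unknown device")
    if attempt.network == "public":
        score += WEIGHTS["public_net"]
        reasons.append("public network")
    return score, reasons

def decide(score: int) -> str:
    """Map the score to an outcome: password only, password plus OTP, or refuse."""
    if score >= 80:
        return "deny"
    if score >= 30:
        return "step-up"  # prompt for an additional factor such as an OTP
    return "allow"

# Constructed attempts: the office at 9 am versus a cafe on a public network at night.
OFFICE = LoginAttempt("10.20.4.17", datetime(2024, 3, 4, 9, 0), "laptop-0427", "corporate")
CAFE = LoginAttempt("203.0.113.45", datetime(2024, 3, 4, 23, 15), "laptop-0427", "public")
```

The office attempt scores 0 and is allowed on password alone; the cafe attempt accumulates location, off-hours and public-network signals and is stepped up to an OTP prompt.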

Cyber criminals spend their lives trying to steal your information and an effective and enforced MFA strategy is your first line of defense against them. An effective data security plan will save your organization time and money in the future.

Adaptive MFA

MFA is often used interchangeably with two-factor authentication (2FA). 2FA is basically a subset of MFA since 2FA restricts the number of factors that are required to only two factors, while MFA can be two or more.

With the advent of cloud computing, MFA has become even more necessary. As companies move their systems to the cloud, they can no longer rely on a user being physically on the same network as a system as a security factor. Additional security needs to be put in place to ensure that those accessing the systems are not bad actors. Because users access these systems at any time and from any place, MFA can help ensure that they are who they say they are by prompting for additional authentication factors that are more difficult for attackers to imitate or to crack by brute force.

Many cloud-based systems, such as AWS or Microsoft's Office 365, provide their own MFA offerings. Office 365 by default uses Azure Active Directory (AD) as its authentication system, and there are a few limitations. For example, users have only four basic options for an additional authentication factor: Microsoft Authenticator, SMS, voice, and OAuth token. You might also have to spend more on licensing depending on which options you want available and whether you want to control exactly which users must use MFA.

Identity as a Service (IDaaS) solutions like OneLogin offer many more MFA authentication methods when it comes to authentication factors and they integrate more easily with applications outside of the Microsoft ecosystem.

An authentication factor is a special category of security credential that is used to verify the identity and authorization of a user attempting to gain access, send communications, or request data from a secured network, system or application.

Key takeaways

  • Individual authentication factors on their own may present security vulnerabilities, sometimes due to user behavior patterns and habits and other times, because of the limitations of technology.
  • Today, many organizations use multiple authentication factors to control access to secure data systems and applications.
  • The five main authentication factor categories are knowledge factors, possession factors, inherence factors, location factors, and behavior factors.

Each authentication factor represents a category of security controls of the same type. Within each category, security analysts can design or choose a feature that fits their needs in terms of availability, cost, ease of implementation, etc. Increasing the number of authentication factors required to access a system can make the login process more cumbersome, and may generate increased numbers of user requests for assistance accessing the system. Still, the authentication process helps to ensure that only authorized users can access the network or application.

Here are the five main authentication factor categories and how they work:

Knowledge factors

Knowledge factors require the user to provide some data or information before they can access a secured system. A password or personal identification number (PIN) is the most common type of knowledge-based authentication factor used to restrict access to a system. Most generic applications or network logins require a username or e-mail address and a corresponding password or PIN to gain access. The username or e-mail address on its own is not considered an authentication factor; it is how the user claims their identity to the system. A password or PIN is used to authenticate that the username or e-mail address is being provided by the correct person.

Possession factors

Possession factors require the user to possess a specific piece of information or device before they can be granted access to the system. Possession factors are typically controlled through a device that is known to belong to the correct user. Here's how a typical process flow works for a possession-based authentication factor:

  1. The user registers an account with a password and their phone number recorded at the time of registration.
  2. The user logs in to their account with the username and password.
  3. When the user requests to access the system, a one-time password is generated and sent to the user's mobile phone number.
  4. The user enters the newly generated one-time password and gains access to the system.

One-time passwords can be generated by a device like the RSA SecurID, or they may be generated automatically and sent to the user's cellular device via SMS. In either case, the correct user must be in possession of the device that receives or generates the one-time password to access the system.

Inherence factors

Inherence factors authenticate access credentials based on factors that are unique to the user. These include fingerprints, thumbprints, and palm or handprints. Voice and facial recognition and retina or iris scans are also types of inherent authentication factors.

When systems can effectively identify users based on their biometric data, inherence can be one of the most secure types of authentication factor. The drawback is that users may lose flexibility in how they access their accounts. A system that requires a fingerprint scan can only be accessed on devices with hardware that supports that specific authentication factor. This restriction is useful for security, but may negatively impact user convenience.

Location factors

Network administrators can implement services that use geolocation security checks to verify the location of a user before granting access to an application, network or system.

Imagine a technology company with 100 employees, all based in San Francisco, California. A security analyst for this organization might recognize that a user attempting to access the network with an IP address originating from outside of that state is likely to be a cyber attacker or another unauthorized actor. Geolocation security can be used to ensure that only users within a specific geographic area can gain access to the system.

IP addresses are a useful factor for assessing the origin of network traffic, but hackers can use VPNs to obscure their location. MAC addresses, which are unique to individual computing devices, can be implemented as a location-based authentication factor to ensure that a system is only accessed from a limited number of authorized devices.

Behavior factors

A behavior-based authentication factor is based on actions undertaken by the user to gain access to the system. Systems that support behavior-based authentication factors may allow users to pre-configure a password by performing behaviors within a defined interface and repeating them later as a method of identity verification.

Have you seen mobile phone lock screens where the user is required to draw a specific pattern onto a grid of dots? How about the Windows 8 picture password feature? These are examples of behavior-based authentication factors.

Individual authentication factors on their own may present security vulnerabilities, sometimes due to user behavior patterns and habits and other times because of the limitations of technology.

A knowledge-based authentication factor requires users to memorize passwords and PINs. This can lead to users choosing overly simplistic passwords and changing them too infrequently, making them easy to guess or crack.

A location-based authentication factor can be foiled by technologies that make it difficult to accurately authenticate the origin of network traffic.

A behavior-based authentication factor could be observed and replicated by a malicious actor.

Biometric and possession-based authentication factors may be the strongest means of securing a network or application against unauthorized access. Combining these methods into a multi-factor authentication process decreases the likelihood that a hacker could gain unauthorized access to the secured network.

Sumo Logic secures its platform using a two-step verification process that incorporates the third-party Google Authenticator (for Android, iOS, and BlackBerry), Duo Mobile (for Android and iOS) and Authenticator (for Windows) mobile applications.

The combination of knowledge- and possession-based authentication factors significantly decreases the likelihood of credentials being compromised and makes it difficult for attackers to gain unauthorized access to your Sumo Logic account. Sumo Logic's security reputation and commitment to protecting user data are exemplified by our PCI DSS 3.2 compliance.
