Multi-Factor Authentication for Security Critical Systems

02.07.2013 Jordan West

If you were to secure a building with several layers of steel, a heavy duty bunker entrance, and a powerful laser to zap bad guys, would you give personnel access with a simple house key?
That's the physical equivalent of how many IT systems are secured - with a password playing the role of the house key. Firewalls, virus scanners, deep packet inspection - these are all useful security mechanisms but they mean nothing when an intruder has a valid password. There is now a trend towards longer, complicated passwords with all manner of restrictions (Must be at least 8 characters long! Must contain 5 numbers! Must contain upper and lowercase characters!). These difficult to remember passwords are more secure against brute-force attacks (where a computer tries to guess the password by trying millions of possibilities), but it doesn't help a bit when a user willingly gives away their password. It's often misunderstood that a large portion of attacks on computers are not due to a lack of security infrastructure, but rather users being fooled into opening their door and welcoming an attacker with a cup of tea and scones. A common example is an attacker creates a clone of a bank website, except that instead of sending your login details to the bank they are sent to the attacker. These attacks are known as phishing, and have created an underground black market for the sale of personal information.
Multi-factor authentication is a strategy to make compromising a user's credentials more difficult. For an authentication method to be considered 'multi-factor', a user must be authenticated with at least two of the following factors:

  • Something the user knows (eg., a password)
  • Something the user has (eg., secure key fob)
  • Something the user is (eg., a fingerprint)

To steal a password is easy - phishing has that covered. To steal a physical object is slightly more difficult. But stealing a fingerprint - I won't go there. Multi-factor authentication is a user-proof solution - it strengthens a security system where the weakest link of the system is the user.
Multi-factor authentication isn't without it's downsides though. It is not immune to man-in-the-middle attacks, where an attacker passes authentication information between the user and the secure system. However it should certainly be considered as part of any well-rounded security strategy.