A few months ago on the SSLs blog, we discussed the difference between authentication and authorization. These frequently mixed-up terms are both very important but very different elements of security.
Just in case you need a reminder of what they are, here’s a quick primer. Authentication is a process that identifies whether a person, process, or device is genuine. Authorization, by contrast, permits (or doesn’t permit) a person, device, or process to gain access to something, in addition to the type of access they’re allowed to have. If you’re still unsure of the difference, check out the original article.
Simply put, authentication is proving that you are who you say you are. Authentication, much like authorization, can come in many forms. Today we’re going to zero in on a type of authentication that is becoming more pervasive across the Internet as a whole, and with good reason: multi-factor authentication (MFA).
How MFA works
MFA is a form of account security in which users verify their identities with multiple (two or more) pieces of evidence drawn from different categories of “factors”. These categories are something you know, something you have, and something you are.
To use an everyday example, when you log in to most online banking services, you are required to authenticate yourself via something you know (such as an online ID and password credentials) and something you have (such as an app on your phone or a special card reader).
MFA essentially provides a layered defense to digital logins.
Why MFA is important
The benefits of MFA might seem self-explanatory to some, but for others, the trend towards this kind of authentication screams inconvenience. On the user side, most people just want to log in to sites and services quickly and easily, without having to use any extra gadgets or apps. For website owners, it can be an expensive undertaking. Despite this, implementing MFA is undeniably worth it for security and peace of mind on all sides.
Having a layered defense of multiple factors at login means that if a malicious actor has somehow compromised one factor, it’s unlikely they have also compromised a second, independent factor, so the account as a whole stays protected. Many popular services, such as Google and Facebook, notify users via text or email when they notice a suspicious login attempt (for example, from an unfamiliar device or a different geographical location). It’s unlikely that hackers will also have access to the user’s email or phone, so users can quickly change their password if something seems amiss.
It’s evident that by implementing a login system where users must authenticate themselves via two or more factors every time, the chances of account compromise are low. When there is only a single layer of defense, any compromise can result in stolen user accounts.
For instance, the most basic and widespread form of authentication is password-based user authentication, where users log in to websites or services using only a username and password. Unfortunately, this isn’t a secure method of authentication on its own, because passwords are easy to compromise: they can be stolen via phishing, or simply guessed through brute force, since most people don’t practice good password hygiene. (Here’s your regular reminder that “123456” and “password” are not good passwords.) In this case, if a user account isn’t linked to another device in some way, it might be hard to know that a password has been stolen (though this site is a good place to start).
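To make the layering concrete, here is an added example (not code from the SSLs blog or from any product it names) of a login check that requires both a password (something you know) and a time-based one-time code (something you have) of the kind an authenticator app generates under RFC 6238. It uses only the Python standard library; the user store, the user names and the passwords are constructed for the demo, and the Base32 secret shown in the usage section is the published RFC 4226/6238 test key.

```python
"""Two-factor login check: password (PBKDF2 hash) plus TOTP code (RFC 6238).
Added example; the in-memory user store and all sample values are constructed."""
import base64
import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30      # seconds per code, the authenticator-app default
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 200_000

# Constructed in-memory user store; a real service keeps this in a database.
USER_DB = {}


def register_user(username, password, totp_secret_b32):
    """Store a salted PBKDF2 hash of the password (factor 1) and the shared
    Base32 TOTP secret that the user's authenticator app holds (factor 2)."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USER_DB[username] = {
        "salt": salt,
        "pw_hash": pw_hash,
        "totp_secret": totp_secret_b32,
        "last_counter": -1,   # highest time-step already accepted (replay guard)
    }


def check_password(username, password):
    """Factor 1: constant-time comparison of the recomputed PBKDF2 hash."""
    rec = USER_DB[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["pw_hash"])


def hotp(secret_b32, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to the requested digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def check_totp(username, code, at=None, window=1):
    """Factor 2: accept the current code or one step either side (clock drift),
    but never a time-step that was already accepted, so a captured code
    cannot be replayed. Failed attempts consume nothing."""
    rec = USER_DB[username]
    now = time.time() if at is None else at
    base = int(now // TOTP_STEP)
    for counter in range(base - window, base + window + 1):
        if counter <= rec["last_counter"]:
            continue
        if hmac.compare_digest(hotp(rec["totp_secret"], counter), code):
            rec["last_counter"] = counter
            return True
    return False


def login(username, password, code, at=None):
    """Both factors must verify. A phished or brute-forced password on its own
    is rejected, which is the layered defense described above."""
    if username not in USER_DB:
        return False
    return check_password(username, password) and check_totp(username, code, at)


if __name__ == "__main__":
    # RFC 4226/6238 test key ("12345678901234567890" in Base32); demo user is constructed.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    register_user("alice", "correct horse battery staple", secret)
    code = totp(secret)
    print("password only, no code:", login("alice", "correct horse battery staple", ""))
    print("password + current code:", login("alice", "correct horse battery staple", code))
    print("same code replayed:", login("alice", "correct horse battery staple", code))
```

The replay guard is what turns a one-time code into a genuinely one-time factor: even if a phishing page relays a valid code, it can be accepted at most once, and only within the short drift window. The `at` parameter exists so the check can be exercised against the RFC's published test times rather than the wall clock.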
Should you implement MFA?
If you run a website or online service that requires logins, whether that be for customers or staff members (or both), the answer to that question is yes. No matter what your business’s vertical, niche, or size, cybercriminals don’t discriminate. According to Forbes, cybercriminals have even begun to favor targeting small businesses over larger enterprises, specifically because their security systems tend to have more technical weaknesses and fewer layers of defense when compared to their larger counterparts.
Implementing MFA is often considered a costly undertaking, but fortunately there are plenty of more affordable, and even free, options coming onto the market, especially in the realm of 2FA (two-factor authentication), such as Duo, Auth0, and Google Authenticator.
These days, MFA is essential for any business with dealings online, for protecting customers and company interests alike. Websites and online services that only depend on a single layer of defense for logins are leaving themselves vulnerable to exploitation.
Interested in more security essentials for your website? Why not take a look at the selection of affordable SSL certificates SSLs.com has to offer.