Multifactor Authentication: An Overview
Over the past few decades, systems and their data were protected by usernames
(IDs) and passwords. However, this is no longer considered safe. An attacker can
easily impersonate a user when a password or the password database is stolen.
Even if the passwords are safely kept, an attacker can still crack a password by
trying many passwords in the hope of guessing the correct one (also known as a
brute-force attack). Nowadays, low hardware cost and high hardware performance
make password cracking much less tedious than before; for example, cracking a
9-character password made up of alphanumeric and special characters would take
only a few hours.
Instead of using the password alone for authentication, multifactor
authentication (MFA) is introduced, where users have to present 2 or more
factors during the authentication process. With multifactor authentication in
place, the difficulty for an attacker to impersonate a user is significantly
increased: even if one authentication factor is compromised, the attacker has to
get the rest of the authentication factors correct before he/she can impersonate
a user and access the system.
The most common factors are:
- Knowledge factor (something you know)
  - to security questions
- Possession factor (something you have)
  - A hardware tool that generates a one-time password
  - A mobile application installed on a smartphone or computer that generates a login request or a
  - To receive a one-time password over SMS
  - It is usually stored in a USB drive. The user has to insert the USB drive into the device during authentication.
- Inherence factor (something you are)
  - of the retina
  - of the iris
There are also two less common factors:
- Time factor
  - Users can only access the system during a specific period, e.g. office hours, or the access rights expire after a certain period, e.g. 15 minutes.
- Location factor
  - can only be accessed from certain countries (e.g. its home country).
As each authentication factor adds an extra layer of protection to the
authentication process that can help to defend against impersonation and data
theft, multifactor authentication is widely adopted in critical systems.
Examples of use in our daily lives are:
- Online banking system
  - You are asked to provide your account password (something you know), an answer to a security question (something you know) and a one-time password generated by your token (something you have).
- The e-Channel service of the Immigration
  - have to present your HKID (something you have) and fingerprint (something you
Some single-factor authenticated systems switch to multifactor authentication
when abnormal behaviour is detected. For example, when the system receives a
logon request originating from a new device or an unusual country, the user then
has to provide an additional factor for identity verification.
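
The step-up behaviour described above can be sketched as follows. This is an added example, not code from the original article; the `Profile` structure, the function names and the sample device and country values are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Per-user logon history kept by the server (sample values are constructed)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)

def abnormal_signals(profile, device_id, country):
    """List why a logon looks abnormal; a missing signal counts as abnormal."""
    signals = []
    if not device_id or device_id not in profile.known_devices:
        signals.append("new device")
    if not country or country not in profile.usual_countries:
        signals.append("unusual country")
    return signals

def login(profile, password_ok, device_id, country, second_factor_ok=None):
    """Return 'deny', 'step_up' (additional factor still needed) or 'allow'."""
    if not password_ok:
        return "deny"            # the first factor is always required
    if not abnormal_signals(profile, device_id, country):
        return "allow"           # normal logon: the single factor suffices
    if second_factor_ok is None:
        return "step_up"         # ask the user for an additional factor
    if not second_factor_ok:
        return "deny"
    # Remember the device only after the additional factor has been verified,
    # so a stolen password alone never turns an unknown device into a known one.
    if device_id:
        profile.known_devices.add(device_id)
    return "allow"

def demo():
    """Run constructed logon attempts for one user and return the decisions."""
    alice = Profile(known_devices={"laptop-01"}, usual_countries={"HK"})
    return [
        login(alice, True, "laptop-01", "HK"),        # allow: nothing abnormal
        login(alice, True, "phone-77", "HK"),         # step_up: new device
        login(alice, True, "phone-77", "HK", False),  # deny: extra factor failed
        login(alice, True, "phone-77", "HK", True),   # allow: device now known
        login(alice, True, "phone-77", "HK"),         # allow: no step-up needed
        login(alice, True, "laptop-01", None),        # step_up: country unknown
        login(alice, False, "laptop-01", "HK"),       # deny: wrong password
    ]

if __name__ == "__main__":
    print(demo())
```

Treating a missing device or country signal as abnormal makes the check fail closed: a client that withholds the signal is asked for the additional factor rather than waved through.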
With the growing number of cloud applications as well as the wide adoption of
information technology in business, we believe that the application of MFA will
become increasingly commonplace and that more advanced yet user-friendly
authentication factors will evolve in the near future.
- A tool that estimates the time needed to crack a