Multi-Factor Authentication (MFA) – How to securely protect your passwords​

Multi-factor authentication (MFA) is a security measure that requires users to provide multiple forms of identification in order to access a system or service. The goal of MFA is to make it more difficult for an attacker to gain unauthorized access to sensitive information by requiring multiple forms of authentication, rather than just a single password.

There are several different types of authentication factors that can be used in MFA, including:

  1. Something you know, such as a password or PIN
  2. Something you have, such as a security token or a smartphone
  3. Something you are, such as a fingerprint or facial recognition

The most common forms of MFA are a combination of something you know and something you have. For example, a password and a security token, or a password and a smartphone. These forms of authentication are considered two-factor authentication (2FA).

When a user attempts to access a system or service that uses MFA, they are first prompted to enter their password, also known as a knowledge factor. Once the password is verified, the user is prompted to provide a second form of authentication. This can be a code generated by a hardware security token, a code sent to their smartphone via SMS or generated by an authenticator app, or a biometric scan such as a fingerprint or facial recognition.

The security token or smartphone acts as a possession factor, as it is something that the user physically possesses. The biometric scan, such as fingerprint or facial recognition, is considered an inherence factor, as it is something that is unique to the user.

One of the most common forms of MFA is the use of a password and a security token. In this scenario, a user would enter their password as usual, but would also be required to enter a code that is generated by their security token. This code is typically only valid for a short period of time, usually around 30 seconds, which makes it much more difficult for an attacker to use a stolen password to gain access to a system or service. The token usually implements the time-based one-time password (TOTP) algorithm, an open standard that is also supported by most authenticator apps.

Another common form of MFA is the use of a password and a smartphone. In this scenario, a user would enter their password as usual, but would also be required to confirm the login attempt on their smartphone. This can be done through a push notification, a text message, or an app-generated code. The push notification is delivered via a mobile app, and the user needs to confirm it in order to proceed with the login. The text message is delivered via SMS, and the user needs to enter the code in order to proceed with the login; of the three, SMS is the weakest option, because the code travels over the phone network rather than staying on the device. App-based authentication uses a specific app, such as Google Authenticator or Microsoft Authenticator, to generate a code that the user needs to enter in order to proceed with the login.

Facial recognition and fingerprints are also becoming increasingly popular as a form of MFA. They are inherence factors (something you are), which are considered a strong form of authentication. These factors are harder to replicate, but they also require specific hardware or software. They are usually integrated into the device, and can be used for unlocking the device or for logging in to apps or services.

Another important aspect of password security is the use of salting and peppering. Salting is a technique where a random value, called a salt, is added to a user’s password before it is hashed. This makes it much more difficult for an attacker to use a precomputed table of common passwords, also known as a rainbow table, to crack the hashed password. Peppering is similar to salting, but it involves adding a secret value, called a pepper, to the password before it is hashed. The pepper is usually stored separately from the hashed password and is only known to the server. This provides an additional layer of security, as even if an attacker is able to obtain the hashed password, they still wouldn’t be able to crack it without also having access to the pepper.

When a user creates a password, a random salt is generated for that user, the salt and pepper are combined with the password, and the resulting value is hashed using a password-hashing algorithm such as bcrypt, scrypt or Argon2. The hashed value and the salt are then stored in the server’s database; the pepper is kept elsewhere. When the user attempts to log in, the password they enter is combined with the stored salt and the server’s pepper and hashed again. The resulting value is then compared to the stored hashed password. If the values match, the user is granted access.

Salting and peppering provide an additional layer of security to the password-based authentication process. Because the salt is unique for each user, an attacker cannot use a single precomputed table of common passwords against every user’s hash; each hash has to be attacked separately. The pepper, which is stored outside the database, means that even an attacker who obtains the hashed passwords and their salts still cannot test password guesses against them without also having access to the pepper.
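The register-and-verify flow above, as an added example that is not part of the original article: scrypt from the Python standard library with a random per-user salt stored inside the record, and a server-side pepper applied as an HMAC key before the salted hash (HMAC rather than plain concatenation is this example's choice). The record format, cost parameters and the sample pepper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters; constructed for this example, tune to your own hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def _prehash(password: str, pepper: bytes) -> bytes:
    """Mix in the secret pepper as an HMAC key, so the stored hash is useless without it."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, cost, the per-user salt and the hash.

    The salt is random per user and is stored with the hash (it is not secret);
    the pepper never appears in the record.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    return "$".join(fields)


def verify_password(password: str, record: str, pepper: bytes) -> bool:
    """Recompute the hash with the stored salt and the server pepper; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pepper = b"constructed-pepper-keep-outside-the-db"  # in practice: env var, KMS or HSM
    rec = hash_password("correct horse battery staple", pepper)
    print(rec)
    print(verify_password("correct horse battery staple", rec, pepper))   # True
    print(verify_password("correct horse battery staple", rec, b"wrong"))  # False
```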

In conclusion, multi-factor authentication (MFA) is a security measure that requires users to provide multiple forms of identification in order to access a system or service, making it difficult for an attacker to gain unauthorized access to sensitive information. Salting and peppering passwords before hashing them provide an additional layer of security to the password-based authentication process and make it more difficult for an attacker to use a precomputed table of common passwords to crack multiple users’ passwords. These are highly recommended methods for securing accounts and systems against cyber attacks.

Copyright © 2023 M-TECH Business Solutions All Rights Reserved.