
Multi-Factor Authentication (MFA)

Table of Contents

1. Introduction............................................................................................................................ 1
2. Types of Authentication Factors............................................................................................... 1
2.1 Knowledge Factors....................................................................................................... 2
2.2 Ownership Factor......................................................................................................... 3
2.3 Biometric Factors.......................................................................................................... 4
3. Best Practice............................................................................................................................ 5
4. Conclusion............................................................................................................................... 5
References.................................................................................................................................. 6
1. Introduction

Multi-factor authentication (MFA) is a multi-layered protection framework that adds an extra authentication step to validate a user's credentials during login or another transaction. It is often referred to as two-factor authentication (2FA), which is a subset of MFA and is becoming increasingly prevalent in securing today's digital services.

Multi-factor authentication is one of the most reliable ways to safeguard online accounts from attackers. With MFA enabled on an account, a hacker who has obtained the username and password will still be unable to access the account, because they cannot receive or use the MFA data. It is therefore a quick way for a company to increase the security of its users' accounts without giving the users more information to remember. MFA plays a crucial role in information security.

Figure 1: Evolution of Authentication Methods (Ometov, 2018)

Implementing MFA enhances security because, even if one of the authenticators is compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space or computer system. MFA makes it more difficult for a threat actor to gain access to business premises and information systems, such as remote access technology, email, and billing systems, even if passwords or PINs are compromised through phishing attacks or other means. Adversaries are increasingly capable of guessing or harvesting passwords to gain illicit access: password cracking techniques are becoming more sophisticated, and high-powered computing is increasingly affordable. In addition, adversaries harvest credentials through phishing emails or by identifying passwords reused from other systems. MFA adds strong protection against account takeover by greatly increasing the level of difficulty for adversaries.

2. Types of Authentication Factors

Multi-factor authentication requires users to present two or more authentication factors at login to verify their identity before they are granted access. Each additional authentication factor added to the login process increases security. Authentication factors are typically divided into three categories: knowledge, ownership and biometric (Ometov, 2018).
• Knowledge: Something the user knows, such as a username, password, or personal identification number (PIN)
• Ownership: Something the user has, such as a bank card or a security token
• Biometric: Something the user is, which can be demonstrated with a fingerprint, retina verification, or voice recognition

Figure 2: Categories of Authentication (Wallarm)

2.1 Knowledge Factors

Knowledge factors are the most commonly used type of identity authentication. They require the user to demonstrate knowledge of hidden information. They are typically used in single-layer authentication processes, which include passwords, passphrases, PINs or answers to secret questions (Wpengine, 2022). When implemented alone, knowledge factors offer little security. The password is the most common way to authenticate users, but it is not fully secure and offers less protection because it is susceptible to brute force attacks, for which a variety of cracking methods are available. Passwords are also susceptible to being stolen or extracted by hackers using various methods, such as impersonating someone the victim knows or trusts in order to obtain login information or personal details (Rafaeli, 2018). Careless practices, such as exposing hard or digital copies of passwords, are another major contributor to passwords becoming compromised.

PINs, or personal identification numbers, are often implemented in card transactions or as a mechanism to unlock mobile phones or gadgets. The use of a PIN alone is less ideal for online activity, as it is highly likely to be cracked by a brute force attack. However, transactions involving an ATM or a mobile phone are robust enough to stop such attacks because of a lockout mechanism that detects a certain number of invalid attempts, after which the device is locked or the card is retained by the ATM.
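The lockout mechanism described above, written out as an added example (not code from the original report): a PIN verifier that stores only a salted PBKDF2 hash of the PIN, counts failed attempts, and refuses further attempts for a cooling-off period once the limit is reached. The three-attempt limit, the 300-second lock and the injected clock are assumptions chosen for the illustration; a card terminal would retain the card instead of applying a timed lock.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3   # assumption: three strikes, as most cards and phones apply
LOCKOUT_SECONDS = 300     # assumption: temporary lock instead of permanent retention


class PinAccount:
    """One account's PIN hash plus the failed-attempt bookkeeping for lockout (constructed example)."""

    def __init__(self, pin: str):
        # Never store the PIN itself: keep a per-account salt and a slow hash of the PIN.
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin, self.salt)
        self.failed_attempts = 0
        self.locked_until = 0.0

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256 makes each offline guess against a leaked hash expensive.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def remaining_attempts(self) -> int:
        return MAX_FAILED_ATTEMPTS - self.failed_attempts

    def verify(self, pin: str, now: float) -> str:
        """Return "ok", "wrong" or "locked". `now` is the caller's clock (injected for testability)."""
        if now < self.locked_until:
            # While locked, no guess is even evaluated, so the attacker learns nothing.
            return "locked"
        if hmac.compare_digest(self._hash(pin, self.salt), self.pin_hash):
            self.failed_attempts = 0       # a correct PIN resets the counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Limit reached: lock the account and start a fresh counter for after the lock expires.
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_attempts = 0
            return "locked"
        return "wrong"


if __name__ == "__main__":
    account = PinAccount("4821")           # constructed sample PIN
    for attempt in ("0000", "1111", "2222"):
        print(attempt, account.verify(attempt, now=0))   # wrong, wrong, locked
    print("correct PIN during lock:", account.verify("4821", now=10))    # locked
    print("correct PIN after lock:", account.verify("4821", now=301))    # ok
```

With a four-digit PIN there are only 10,000 possibilities, so the hash alone would not stop an online guessing attack; the attempt counter is what limits an attacker to a handful of guesses per lock period, which is exactly why the same PIN that is weak for an unthrottled web login is acceptable at an ATM.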

Security questions are a method of authentication in which the user is required to answer one or more questions about themselves, and these answers are then stored by the service. The next time the user wants to access the service, they will be prompted to answer one or more of their questions correctly to authenticate themselves. Good security questions should meet the following criteria:
• The question should be appropriate for many people
• The answer should be easy to remember
• There should only be one right answer
• The answer should be difficult to guess

Figure 3: Apple ID Security Question (Hoffman, 2014)

Despite the guidelines for creating good security questions, users forget their answers, and the answers can often be guessed.

2.2 Ownership Factor

Ownership factors can essentially be described as the key to a security lock. They are physical entities possessed by the authorised user and used to connect to the client computer or portal; in other words, something only the user has. Authentication is mostly performed via security tokens, which are connected, disconnected or contactless. Connected tokens are items that physically connect to a computer in order to authenticate identity. A connected token usually comes in the form of a smart card, a USB key or a wireless tag, which serves as a possession factor during a multi-factor authentication process.
Meanwhile, disconnected tokens are items that do not directly connect to the client computer but instead require input from the individual attempting to sign in. Most typically, a disconnected token device uses a built-in screen to display authentication data, which the user then enters to sign in where and when prompted. The authentication code is generated using the Time-based One-Time Password (TOTP) algorithm, which uses a key and the current time to create a unique code. Disconnected tokens can also be software tokens, which are much more common in today's digital era as most of them can be accessed through mobile applications such as Google Authenticator. Another example of a disconnected token is SMS authentication, which simply works by receiving the code on a phone through a text message and then using the received code for authentication.
Contactless authentication works by authenticating the user's identity via a device they possess in close proximity, without the need to touch a reader. A wide range of contactless identification methods is available, the most common technologies being Radio Frequency Identification (RFID), Near Field Communication (NFC), Bluetooth Low Energy (BLE), QR code scanning and Automatic Number Plate Recognition (ANPR). RFID is the most common contactless radio frequency authentication method and is used in ID key fobs and cards. However, many consider the RFID tag an extra item to carry, which is susceptible to theft or loss, and there is the cost of buying RFID tags and readers, which may limit its use to machines equipped with RFID readers (Aldwairi, 2017).
NFC is the most recent form of contactless RFID communication. The same technology is used for contactless payments made with credit and debit cards, as well as a growing number of smartphones and smartwatches. The advantage of NFC is that it allows short-range, secure access authentication via a smartphone acting as a keyless identification device. Despite that, NFC can be vulnerable to eavesdropping and man-in-the-middle attacks (Diakos et al., 2013). Because NFC is a form of wireless communication that uses radio waves to establish a connection, there is a real possibility that attackers can intercept the signals.

Figure 4: Touch 'n Go (TnG) Near-Field Communication (NFC) card (Free Malaysia Today, 2022)

2.3 Biometric Factors

Biometric factors are metrics intrinsically possessed by the authorised individual. The word biometric is basically a combination of two words: bio, meaning life or human, and metric, referring to measurement. In simpler words, biometrics are any metrics related to human features that make one individual different from another. Biometric authentication is growing more robust and commonplace in modern technology. Everyday smartphones and laptops now boast biometric authentication technology, and its use in multi-factor authentication will only continue to grow more sophisticated and more widely used. Methods of biometric authentication include fingerprint scanning, face recognition and retina scans. These unique biological features of an individual are used to verify that people are who they claim to be.
Fingerprint authentication is the most widespread type of biometric identification and is commonly used in smartphones and laptops. Fingerprint scanners have high reliability compared to other biometric authentication methods. This is most likely because the technology is much more established and because no two people have an identical fingerprint. However, the scaling up of fingerprint scanner technology has not been without growing pains. A study by Cisco Talos explored several methods of spoofing phone and computer fingerprint scanners and reported an 80% success rate. Although their methods would be immensely difficult to replicate outside the lab, the study demonstrates that it is in fact possible to forge fingerprints and fool today's most common type of biometric authentication.

3. Best Practice

Different business requirements demand different security levels, achieved by carefully choosing or combining the various authentication methods available. User experience also plays a significant role in user satisfaction during online transactions. Therefore, the authentication method applied must provide convenience and security at the same time. A few factors need to be taken into consideration when choosing the best multi-factor authentication method:
• User experience: How convenient is it to use?
• Security: How easy is it to compromise?
• Cost: Is it cost efficient to implement?
• Support: How widely can it be used?

MFA with any method is better than no MFA at all. In terms of the technologies used, biometric factors provide the most reliable method of authentication, as the user does not have to remember any information or carry anything with them in order to access their data. Biometric authentication offers an improved level of security because users are required to present evidence of their identity that relies on two or more different factors. It is also the hardest method for attackers to crack, so it is much more secure than knowledge factors and ownership factors. Despite this robustness, biometric factors will not be suitable for every situation, as users may not have the required technology to use them. In that case, an ownership factor should be used as the alternative. Of the possession factors, the two most secure are connected and disconnected tokens, which are a common and convenient authentication type supported by most platforms. Therefore, it can be concluded that the best option for security is to use a combination of two or more of these biometric and ownership authentication methods.

4. Conclusion

Authentication can be accomplished with one factor, two factors, or multiple factors. However, multi-factor authentication in one form or another is much more secure than using only a username and password. With users becoming increasingly aware of security issues and the importance of protecting their online data, their first step in increasing the security of their accounts should be to enable multi-factor authentication. As the technologies continue to develop and become more reliable and secure, the implementation of multi-factor authentication methods should only increase year by year, allowing it to become as normal to technology users as usernames and passwords are today.

References

1. Diakos, T., Briffa, J., Brown, T., & Wesemeyer, S. (2013). Eavesdropping near-field contactless payments: A quantitative analysis. IET Journal of Engineering, 7. doi:10.1049/joe.2013.0087

2. Wallarm. (n.d.). What is Multifactor Authentication (MFA)? Benefits, examples. Retrieved November 1, 2022, from https://www.wallarm.com/what/what-is-multifactor-authentication-mfa

3. Rafaeli, R. (2018, March 7). Passwords are scarily insecure. Here are a few safer alternatives. Entrepreneur. Retrieved November 2, 2022, from https://www.entrepreneur.com/science-technology/passwords-are-scarily-insecure-here-are-a-few-safer/309054

4. Ibrokhimov, S., Hui, K. L., Abdulhakim Al-Absi, A., Lee, H. J., & Sain, M. (2019). Multi-Factor Authentication in Cyber Physical System: A State of Art Survey. 2019 21st International Conference on Advanced Communication Technology (ICACT), pp. 279-284. doi:10.23919/ICACT.2019.8701960

5. Ometov, A., Bezzateev, S., Mäkitalo, N., Andreev, S., Mikkonen, T., & Koucheryavy, Y. (2018). Multi-Factor Authentication: A Survey. Cryptography, 2. doi:10.3390/cryptography2010001

6. Wpengine. (2022, June 27). What are knowledge factors, possession factors and inherence factors? ProofID. Retrieved November 2, 2022, from https://proofid.com/blog/knowledge-factors-possession-factors-inherence-factors/

7. Hoffman, C. (2014, March 28). Security questions are insecure: How to protect your accounts. How-To Geek. Retrieved November 3, 2022, from https://www.howtogeek.com/185354/security-questions-are-insecure-how-to-protect-your-accounts/

8. Free Malaysia Today (FMT) | Free and Independent. (2022, September 28). Retrieved November 4, 2022, from https://www.freemalaysiatoday.com/

9. Aldwairi, M., & Aldhanhani, S. (2017). Multi-Factor Authentication System. Retrieved from https://www.researchgate.net/publication/319312344_Multi-Factor_Authentication_System
