Cloud IPP & Security Issues and Risk Managment Matrix

profilematador
MultifactorAuthentication.pdf

2/9/22, 11:24 PM Multifactor Authentication

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/multifactor-authentication.html?ou=622270 1/5

Multifactor Authentication

It is often a good idea to use two-level or multifactor authentication, instead of single-

level authentication, for network security. For example, organizations can make it

mandatory for all employees to use both a PIN and a password to log in.

A multifactor authentication system authenticates users via a combination of factors:

something they know (for example, a password), something they have (for example, a

smart card or token), and something they are (for example, as proven with a biometric

characteristic such as a fingerprint).

Multifactor Authentication Scenarios

After a security breach where an intruder gained access to the network by using an

employee's password, Programmers, Inc., has decided to move to a multifactor-based

authentication system. Programmers, Inc., installs a smart card reader at the entrance to

the office. This reader acts as the first authentication mechanism. The employees'

usernames and passwords act as the second mechanism. The IT security team installs

biometric systems at the entrances to the office, the data center, and the server rooms,

and those systems act as the third authentication factor.

The multifactor authentication system is easy to use and tough to break. However, it is

expensive to implement and maintain.

As for single sign-on, most banks provide their customers with a unique username and

password combination so that they can access their accounts online. However, usernames

and passwords are easy to obtain, making this a less than ideal solution (Imprivata, 2009).

A multifactor authentication system is the most secure authentication system the bank

can implement. Such an authentication system would authenticate users based on a

combination of factors: something they are (for example, a unique username that

identifies the user), something they have (for example, a USB token or certificate that the

Learning Resource

2/9/22, 11:24 PM Multifactor Authentication

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/multifactor-authentication.html?ou=622270 2/5

bank provides to its customers), something they know (for example, an SMS code the

bank sends the user on his or her mobile phone and that the user enters to access the site

or carry out a transaction).

Multifactor Authentication Overview

Often passwords alone do not provide adequate protection. One way of strengthening

security is to deploy more than one authentication method before users are allowed to

access a system. The process of using more than one means of authentication for added

security is known as multifactor or strong authentication.

The most commonly used form of multifactor authentication is two-factor authentication,

in which a combination of two separate security elements are used in tandem before

access is granted.

In general, authentication is based on three factor types:

Type 1: Something you know

Type 2: Something you have

Type 3: Something you are

For organizations that need to guard mission-critical data, additional factors should be

evaluated. An emerging approach to authentication is called adaptive authentication. This

approach evaluates the behavior of the user pre- and post-authentication, considering a

number of risk-based factors. Machine learning based on heuristics and user profile

characteristics might be employed with this approach.

Two-Factor Authentication

Two-factor authentication combines two security elements before allowing access to an

asset. Security elements may include a password, authentication tokens, or digital

certificates, and physical characteristics such as fingerprints. A two-factor authentication

is useful in safeguarding extremely sensitive information such as a confidential customer

data.

An extra layer of authentication can prevent unauthorized access to data.

Three-Factor Authentication

2/9/22, 11:24 PM Multifactor Authentication

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/multifactor-authentication.html?ou=622270 3/5

Three-factor authentication combines three security elements before allowing access to

an asset. Security elements may include a password, authentication tokens, or digital

certificates, and physical characteristics such as fingerprints. A three-factor authentication

is useful in safeguarding extremely sensitive information such as confidential customer

data.

The use of three factors can drastically reduce incidents involving phishing, Trojan attacks,

and identity theft.

Security Tokens

Security tokens are a commonly used multifactor authentication mechanism. A token is a

piece of hardware or a physical device that generates one-time security passwords

composed of strings of random numbers and characters, set to sync with the server.

Tokens are typically set to expire in one minute, so if the password is not entered in that

time, a new password will be generated by the token. It is important that passwords are

completely random to ensure the security of this method.

Smart Cards

Many organizations use smart cards to provide multifactor authentication mechanisms. A

smart card differs from a computer memory card in that it can read, store, and process

data. They can be created with programmable magnetic strips to allow the user to swipe

the card for access (Smart Card Alliance, 2004).

Biometrics

Identity theft and data fraud are huge security challenges for organizations around the

world. With the increase in online financial transactions, identity theft is also on the rise.

Even as organizations step up efforts to mitigate security threats, criminals find new ways

of breaching security.

Because identity theft is so prevalent and breaches are occurring at a higher frequency,

organizations are gravitating toward increased use of multifactor authentication

mechanisms. Biometrics are an attractive option because they offer a way of uniquely

identifying individuals based on physical and behavioral traits that do not change.

Biometric devices are designed to provide authentication by verifying a unique

physiological or behavioral characteristic that belongs to the user.

2/9/22, 11:24 PM Multifactor Authentication

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/multifactor-authentication.html?ou=622270 4/5

Selecting Strong Authentication Methods

In addition to considering an organization's unique security requirements, it is important

to weigh the benefits and costs of various strong authentication choices.

Cost

When considering total cost of ownership, there are two primary considerations: the

initial cost and the operating cost. It is also important to consider the types of incremental

costs with adding users to expanding the authentication model to other aspects of the

organization's enterprise.

Usability

Authentication methods should be as transparent as possible and not negatively affect the

way users are able to carry out their jobs.

Manageability

The application of authentication along with the management of user accounts and the

monitoring of their use plays an important part in the overall security of information

resources. The authentication method should provide centralized management along with

advanced capabilities including tracking events, auditing, and reporting capabilities.

Flexibility

Where there are differing requirements, an organization may deploy alternative

authentication methods. The authentication method should be capable of addressing

multiple functional requirements while also matching the risk profile of user groups.

Integration

The authentication mechanism should be capable of integrating with existing enterprise

applications such as single sign-on (SSO), virtual private network (VPN), internet protocol

security (IPsec) and public key infrastructure (PKI) authentication, and Remote

Authentication Dial-In User Process (RADIUS).

References

2/9/22, 11:24 PM Multifactor Authentication

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/multifactor-authentication.html?ou=622270 5/5

Imprivata. (2009). A more secure front door: SSO and strong authentication.

https://www.imprivata.com/sites/default/files/resource-

files/a_more_secure_front_door.pdf

Smart Card Alliance. (2004). Logical access security: The role of smart cards in strong

authentication. http://www.library.ca.gov/crb/rfidap/docs/SCA

Smart_Cards_and_Logical_Access_Report.pdf

© 2022 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity

of information located at external sites.