In 2022, over 80% of data breaches were attributed to compromised passwords.
Although email-and-password authentication has become the de facto method for authentication, it is very vulnerable to attacks. Through phishing, keylogging or simple brute-force attacks, traditional authentication mechanisms can be exploited to gain access to a user's account. This is why modern platforms like Google, Amazon and Netflix have moved towards MFA, or multi-factor authentication.
With Multi-factor authentication, the user would have to prove their identity through multiple forms of identification. The basic idea is that adding challenges to the authentication flow exponentially increases the difficulty of the account being compromised.
These additional forms of authentication can be based on the following types:
- What you know: an email and password combination
- What you possess: a credit / debit card, a hardware key (Yubikey)
- What you are: biometrics such as fingerprints or retinal scans
The implementation of additional factors is a tradeoff between security and user experience. While not always true, higher security usually leads to a more cumbersome user experience. We’ll evaluate the security and UX tradeoffs associated with different authentication factors.
According to the Verizon data breach investigation report of 2022, “There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the past four years.”
Further, exploiting vulnerabilities accounts for almost 20% of the methods used to access an organization. And finally, brute-force attacks still contributed to more than 10% of all attacks.
Once a hacker obtains a user’s login credentials, they can access sensitive information which they can abuse to get more information about the user, often leading to financial losses and reputational damage.
For instance, thousands of high-profile YouTube accounts got hacked in 2019-2020 through session hijacking and using privilege escalation to change account owners. That is why protecting sensitive actions like “changing account ownership” behind secondary factors is important. This common strategy used by many applications can reduce the fallout of a compromised account.
Let’s explore the different types of second factors in multi-factor authentication.
- SMS and Email Passcodes
- Time-Based One-Time Passcodes (TOTP)
- Biometric authentication
- FIDO (Fast Identity Online) Authentication
SMS and email passcodes are familiar and easy choices for users. However, they do have their drawbacks.
Pros: Mobile phones are everywhere, and SMS is a widely recognized communication method. Additionally, email clients can be used on various devices, making both of these methods highly accessible.
Cons: SMS passcodes carry a high risk of being intercepted. SIM card hacking software is cheap; it can be bought for 30-50 dollars. An attacker in close proximity to your mobile phone can use it to create a false cellular station that intercepts the SMS messages used to recover access to your account.
Besides, users are vulnerable to SIM swap attacks in which social engineering convinces the mobile operator to carry over the phone number to a new SIM card. In August 2023, Bart Stephens, cofounder of crypto fund Blockchain Capital, lost $6.3 million of Bitcoin due to a SIM swap attack. An anonymous hacker seized control over Stephens’s cellular network account and then ported Stephens’s number to a new SIM to gain access to his crypto account.
Additionally, emails are subject to latency, and email deliverability can also have issues.
With TOTP, an authenticator application uses a shared secret key generated by the authentication server to create a one-time password that changes at a very short interval.
Pros: Codes are generated dynamically every 30 seconds. This limited time window makes it harder for hackers to steal your codes. When a new code is created, the previous code is invalidated.
Cons: Although TOTP solves the downsides associated with email/SMS passcodes, if the authentication server’s database is breached and the secret key is compromised, the attacker could generate codes and gain access to the user’s account. Additionally, an attacker can intercept the code you send to the server and use it to gain unsolicited access to your account.
Biometric authentication uses unique biometric markers like a fingerprint, voice, or face to authenticate the user.
Pros: Biometric authentication provides the most organic experience since the user does not need to remember credentials or enter an OTP.
Cons: Hardware for biometric authentication is expensive.
FIDO, which stands for Fast Identity Online, is not a specific authentication method but rather an open authentication standard. Its primary objective is to unify secure login factors such as biometrics and passkeys under a common standard. When employing FIDO, you require a physical device like a Yubikey. A Yubikey generates cryptographic secrets to complete the authorization process.
Pros: It is hard to compromise because an attacker needs access to your physical device to retrieve the token. Furthermore, FIDO devices often incorporate local authentication methods like fingerprint recognition, which is not vulnerable to phishing attacks.
Cons: One drawback is registering your physical device with each service. Additionally, FIDO is still an emerging standard and has yet to be universally adopted. Therefore, when FIDO is not supported, you may still need to resort to different authentication methods.
A good example of an MFA is corporate data protection. Companies use Security Assertion Markup Language (SAML) for Single Sign-On (SSO) authentication to allow employees to access multiple applications with one set of credentials.
Integrating MFA with SAML adds an extra layer of security. When employees access resources, they not only enter their credentials but also authenticate via a second factor, for example an SMS or email passcode, or biometric verification. Adding a second factor ensures that only authorized personnel can access sensitive corporate data.
The same is true for Lightweight Directory Access Protocol (LDAP). Many organizations use LDAP to store and manage user access to different systems. Integrating MFA with LDAP means that when users try to access a system, they must provide additional authentication like an SMS or email passcode. Integrating LDAP with MFA is particularly useful in large organizations with complex access control requirements.
It’s almost certain that multi-factor authentication (MFA) will grow in popularity. Here’s what you can expect for MFA in the future:
- Biometric Integration
While biometric factors are already a part of MFA, they are expensive. However, market growth in biometric technology is projected to reach $55.42 billion by 2027, and including biometric sensors in mobile devices makes this technology more accessible than ever.
- Adaptive and Contextual Authentication
One downside of MFA is the friction it can add to the authentication experience. Multiple factors increase the likelihood of the user dropping off during the login process. Adaptive and contextual MFA analyzes patterns such as device use, location, and access times to dynamically increase the number of factors a user must go through to authenticate. If the system sees that the user is accessing their account from their personal computer and their usual IP address, they may be presented with a single factor during authentication. If the user tries to authenticate from a different device and timezone, then additional factors may be required to prove the user’s identity.
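The step-up logic described above, as an added example (not code from the original post or from SuperTokens): a risk score is built from the login context signals the text names (device, IP/location, timezone, access time) and mapped to the set of factors the user must complete. The signal weights, thresholds and the user profile are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the server has learned about a user's normal logins (constructed)."""
    known_devices: set = field(default_factory=set)
    usual_ips: set = field(default_factory=set)
    usual_timezone: str = "UTC"
    usual_hours: range = range(7, 22)  # local hours at which logins are normal


@dataclass
class LoginContext:
    device_id: str
    ip: str
    timezone: str
    local_hour: int


def risk_score(ctx: LoginContext, profile: UserProfile) -> int:
    """Sum weighted anomalies; weights are illustrative assumptions."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += 3  # unknown device is the strongest single signal
    if ctx.ip not in profile.usual_ips:
        score += 2
    if ctx.timezone != profile.usual_timezone:
        score += 2
    if ctx.local_hour not in profile.usual_hours:
        score += 1
    return score


def required_factors(ctx: LoginContext, profile: UserProfile) -> list:
    """Map the score to the factors the user must complete, in order."""
    score = risk_score(ctx, profile)
    if score == 0:
        return ["password"]                       # familiar context: single factor
    if score <= 3:
        return ["password", "totp"]               # mild anomaly: one second factor
    return ["password", "totp", "fido"]           # strong anomaly: step up further
```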
In short, the future of MFA is expected to be more integrated with a strong focus on context and biometrics.
SuperTokens' MFA offering allows you to add an email/SMS-based OTP or a magic link as a second factor, with TOTP support.
You can try out our demo that uses social login/email password as the first factor, and SMS OTP as the second factor. Here’s how:
- Clone the GitHub demo repository
- Install its dependencies
- Run the application using `npm run start`
Traditional authentication methods have become susceptible to cyber attacks. MFA acts as a roadblock, making it exponentially harder for an attacker to compromise an account. For this reason, many companies have made MFA a requirement. SuperTokens is on a mission to make it easier for developers to add MFA capabilities to their applications.