Multi-Factor Authentication (MFA)
- 1 What is Multi-Factor Authentication (MFA)?
- 2 Why is MFA important?
- 3 How does MFA work?
- 4 Three main types of MFA Authentication methods
- 5 Other Types of Multi-Factor Authentication
- 6 When will I get prompted?
- 7 In what situations will I not be prompted?
- 8 I got prompted, but I’m not trying to login.
- 9 What authentication methods are supported?
- 10 Are any of these methods better than another?
- 11 I need help, how can I get support?
- 12 What Apps are currently supported?
- 13 What devices are supported?
- 14 Where can I manage my MFA options and devices?
- 15 If I install one of these apps, what can the college see about my device?
What is Multi-Factor Authentication (MFA)?
An authentication method that requires the user to provide two or more independent verification factors to gain access to a resource. In practice it means at least one additional check beyond the password, using something the user has (such as a phone or hardware key) or something the user is (such as a fingerprint) rather than a second thing they know.
Why is MFA important?
The main benefit of MFA is that it enhances your organization's security by requiring users to prove their identity with more than a username and password. Usernames and passwords are important, but they are vulnerable to brute-force and password-guessing attacks and are routinely stolen through phishing and data breaches. Requiring an additional factor such as an authenticator app, a fingerprint or a physical hardware key means that a stolen password on its own is no longer enough to log in, which greatly reduces the chance of an account takeover.
How does MFA work?
MFA works by requiring additional verification information (factors). One of the most common MFA factors that users encounter is the one-time password (OTP): the 4-8 digit code you receive by email or SMS, or that an authenticator app displays. A new code is generated periodically or each time an authentication request is made. For app- or token-based OTPs the code is derived from a secret seed value assigned to the user at enrolment combined with a moving factor, which is either a counter that increments on each use (HOTP) or the current time rounded to a fixed step, typically 30 seconds (TOTP). Because the server holds the same seed, it can compute the expected code and compare it with the one you enter; codes sent by SMS or email are instead generated randomly by the server and delivered to you.
Three main types of MFA Authentication methods
Most MFA authentication methodology is based on one of three types of additional information:
Things you know (knowledge)
Password/PIN
Answers to personal security questions
Things you have (possession)
One-Time Passwords - Generated by a Smartphone App or Device
One-Time Passwords - Sent via text message (SMS) or email
Access badges, USB devices, smart cards, NFC fobs, YubiKeys, etc.
Software token/Certificate
Things you are (inherence)
Fingerprints, facial recognition, voice imprinting, retina or iris scanning, other biometrics
Behavioral analysis
Other Types of Multi-Factor Authentication
As MFA platforms add machine learning and artificial intelligence (AI), additional signals can be used alongside the classic factors, including:
Location-Based
Location-based MFA usually looks at the user's IP address and, where possible, the geographic location derived from it. This information can be used simply to block access when the location does not match an allow list (whitelist), or it can be used as an additional signal alongside other factors such as a password or OTP to confirm the user's identity. Note that an IP address is only an indicator: a VPN or proxy can place a user almost anywhere, so location should supplement, not replace, a possession or inherence factor.
Adaptive Authentication or Risk-Based Authentication
Another subset of MFA is Adaptive Authentication, also referred to as Risk-based Authentication. Adaptive Authentication considers context and behaviour at login time and uses these signals to assign a risk level to the attempt.
For example:
Where is the user when trying to access information?
When is the user trying to access company information, during normal hours or during "off hours"?
What kind of device is being used? Is it the same one used yesterday?
Is the connection over a private network or a public network?
The risk level is calculated from the answers to these questions and determines whether the user is prompted for an additional authentication factor, allowed straight through, or refused altogether; hence the alternative name risk-based authentication.
With Adaptive Authentication in place, a user logging in from a cafe late at night, something they do not normally do, might be required to enter a code sent to their phone in addition to their username and password, whereas when they log in from the office every day at 9 am they are simply prompted for their username and password.
When will I get prompted?
You will be prompted to authenticate with MFA when your sign-in meets one of the conditions configured in our implementation. Currently these conditions are:
First time logging in to anything.
First time logging in with a new device.
Periodically based on the last time you were authenticated on that device or in that App.
Any time your login is marked as “risky” or Machine Learning algorithms suspect that it may not be you logging into the system. A risky login might be:
A login from outside of the country.
A login from a known malicious source.
When it is an impossible travel scenario (You have a login recorded in Toronto and within minutes another login in another country).
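As an added illustration (not the college's actual risk engine, whose rules and thresholds are not published here), the following Python combines the adaptive-authentication questions from the previous section with the risky-login conditions listed above: an impossible-travel check from the distance and time between two logins, a known-malicious-source check, and a simple score over device, network, time of day, country and how recently MFA was completed on the device. Every address, coordinate, threshold and weight in it is constructed for the example.

```python
from __future__ import annotations

import ipaddress
import math
from dataclasses import dataclass

# Constructed policy data for this example (not the college's real values).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # "campus" range, RFC 5737 test block
MALICIOUS_IPS = {"198.51.100.7"}                              # constructed threat-intel hit
HOME_COUNTRY = "CA"
MAX_PLAUSIBLE_SPEED_KMH = 1000.0    # faster than an airliner => impossible travel
MFA_FRESHNESS_SECONDS = 8 * 3600    # assumed "within threshold" window per device
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local


@dataclass
class Login:
    ts: int           # unix seconds
    ip: str
    country: str      # from IP geolocation
    lat: float
    lon: float
    device_id: str
    hour_local: int


@dataclass
class UserHistory:
    known_devices: set[str]
    last_login: Login | None
    last_mfa: dict[str, int]    # device_id -> unix time of last successful MFA


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(prev: Login | None, cur: Login) -> bool:
    """True if the user would have had to move faster than MAX_PLAUSIBLE_SPEED_KMH."""
    if prev is None:
        return False
    hours = max(cur.ts - prev.ts, 1) / 3600.0
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > MAX_PLAUSIBLE_SPEED_KMH


def assess(login: Login, history: UserHistory) -> tuple[str, list[str]]:
    """Return ("allow" | "mfa" | "deny", reasons) for one login attempt."""
    reasons: list[str] = []

    # Hard signals: refuse outright rather than offering an MFA prompt.
    if login.ip in MALICIOUS_IPS:
        reasons.append("known malicious source")
    if impossible_travel(history.last_login, login):
        reasons.append("impossible travel")
    if reasons:
        return "deny", reasons

    # Soft signals accumulate into a score; 2 or more triggers an MFA prompt.
    score = 0
    if login.device_id not in history.known_devices:
        score += 2
        reasons.append("new device")
    last_mfa = history.last_mfa.get(login.device_id)
    if last_mfa is None or login.ts - last_mfa > MFA_FRESHNESS_SECONDS:
        score += 2
        reasons.append("no recent MFA on this device")
    if login.country != HOME_COUNTRY:
        score += 2
        reasons.append("outside home country")
    if not any(ipaddress.ip_address(login.ip) in net for net in TRUSTED_NETWORKS):
        score += 1
        reasons.append("not on a trusted network")
    if login.hour_local not in BUSINESS_HOURS:
        score += 1
        reasons.append("outside normal hours")
    return ("mfa" if score >= 2 else "allow"), reasons


# Constructed scenarios: Toronto office, Toronto cafe late at night, London ten minutes later.
TORONTO = (43.65, -79.38)
LONDON = (51.51, -0.13)
T0 = 1_700_000_000
HISTORY = UserHistory(
    known_devices={"laptop-1"},
    last_login=Login(T0, "203.0.113.25", "CA", *TORONTO, "laptop-1", 9),
    last_mfa={"laptop-1": T0 - 3600},
)
OFFICE_9AM = Login(T0 + 60, "203.0.113.25", "CA", *TORONTO, "laptop-1", 9)
CAFE_LATE = Login(T0 + 3 * 3600, "192.0.2.44", "CA", *TORONTO, "laptop-1", 23)
LONDON_10MIN = Login(T0 + 600, "192.0.2.99", "GB", *LONDON, "laptop-1", 14)
NEW_PHONE = Login(T0 + 60, "203.0.113.25", "CA", *TORONTO, "phone-2", 9)
BAD_SOURCE = Login(T0 + 60, "198.51.100.7", "CA", *TORONTO, "laptop-1", 9)

if __name__ == "__main__":
    for name, attempt in [("office 9am", OFFICE_9AM), ("cafe late", CAFE_LATE),
                          ("London +10min", LONDON_10MIN), ("new phone", NEW_PHONE),
                          ("malicious IP", BAD_SOURCE)]:
        print(f"{name:14s} -> {assess(attempt, HISTORY)}")
```

The ordering matters: impossible travel and a known-bad source are treated as hard failures, because prompting for MFA in those cases would only hand an attacker who already has the password another chance to trick the user into approving.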
In what situations will I not be prompted?
You will not be prompted when your sign-in meets criteria that let us confirm you are logging in from a trusted source:
When logging in from a trusted network location.
When your device is still within the re-authentication threshold of a previous successful MFA request.
I got prompted, but I’m not trying to login.
If you receive a text message or phone call that you were not expecting, do not enter or approve anything; just ignore it. If you are using the app, you can either let the prompt time out or press the Deny option. If you are not actively trying to log in, you should always choose Deny: an unexpected prompt usually means someone else has your password, so change it and contact support.
What authentication methods are supported?
Currently we support a variety of MFA options, but primarily these are:
App Notification
TOTP (Time based one time passwords)
Text Messaging (SMS, including international)
Phone Call
Are any of these methods better than another?
All of these methods produce the same result, a successful MFA check, but they are not all equally robust or equally well supported. SMS and phone-call codes depend on the telephone network and can be redirected by SIM-swap or interception attacks, and some applications and devices do not work well with them; a code or approval generated on the device itself is harder to intercept.
At this time we recommend the Microsoft Authenticator app and its "Notify me through app" method as the preferred option, as it is the most compatible with the systems you will use.
https://www.microsoft.com/en-us/account/authenticator
I need help, how can I get support?
Support is available through our Global Service Desk. You can create a ticket at https://gateway.trios.com/support/ .
What Apps are currently supported?
Almost any authenticator app that generates standard time-based one-time passwords (TOTP) will work with our MFA implementation. While there are many such apps, our official support stance is that we support only the Microsoft Authenticator app.
We recommend the Microsoft Authenticator app because it is extremely reliable and offers many features that you may also be able to use to help secure your personal accounts and devices.
https://www.microsoft.com/en-us/account/authenticator
What devices are supported?
The Microsoft Authenticator app is available on the Google Play Store for Android and the App Store for iOS. It does not have to be set up on a smartphone, although that is the most convenient option; it can also be set up on a Wi-Fi-only tablet or iPad.
Where can I manage my MFA options and devices?
All MFA options and devices can be managed from a single portal. You will be asked to sign in, and to complete MFA during sign-in if your account requires it.
https://account.activedirectory.windowsazure.com/Proofup.aspx
If I install one of these apps, what can the college see about my device?
The app we recommend is built by Microsoft and is held to Microsoft's privacy standards. It does not give the college any visibility into what is installed on or accessed by your device.