Multi-factor authentication is the set of processes that have to be followed to add more security when accessing an asset, involving several elements that, as I mentioned before, further secure the authentication process for that asset.
The most common authentication factor in the world is the password, because it is the first security barrier between an asset (such as an account in a service) and unauthorized access by a cybercriminal. But a password alone clearly does not guarantee much security, because most users do not use strong passwords and reuse the same password for every service. If the access credentials of one of those services are leaked and a cybercriminal manages to read them, he can reuse them to access several services, with all the risks that implies: if you use the same credentials everywhere, you are indirectly giving a cybercriminal access to all your accounts the moment any one of those services leaks them.

On the subject of leaked credentials, whether or not a cybercriminal can easily read them depends on whether the service stores them with a hash algorithm or in plain text (which is the worst case). Even so, you cannot rely on thoughts like “my password is stored encrypted in the service, so even if it is leaked they will not be able to read it”, because that depends entirely on how the service handles it. The best practice is always to use strong, random and different passwords for each service. And even if you meet these requirements, cybercriminals can still obtain your password, for example through social engineering attacks or phishing, if you are not able to detect them in time. So having only one authentication factor is not the best idea if you want to secure your assets as much as possible.
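The paragraph above distinguishes a service that stores passwords in plain text from one that stores them with a hash algorithm. The following is an added example (not code from the article or from any service it mentions) of what the second case looks like on the server side: each password gets its own random salt and is run through a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256, from Python's standard library), so that a leaked database cannot be read directly or cracked cheaply. The record format `pbkdf2_sha256$iterations$salt$hash`, the iteration count and the sample password are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

# Parameters assumed for this example (not taken from any particular service):
# a per-user random salt and a high iteration count, so that a leaked record
# cannot be looked up in a precomputed table or cracked quickly.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt$hash' (base64 fields).

    A fresh random salt per password means two users with the same password
    get different records, so one cracked record reveals nothing about another.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters, then compare in constant time."""
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        # Malformed record (for example a plain-text password that was never hashed)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest does not leak how many bytes matched through timing differences
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample credential for demonstration, not a real account
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

The password itself never appears in the stored record, only the salt, the parameters and the derived key; verification repeats the same derivation and compares the result, which is why the stored record is useless to someone who only reads the database.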
This is where the concept of multiple authentication factors comes in, that is, having more than one security barrier when accessing an asset. These authentication factors are based on:
- What the user knows.
- What the user has.
- What the user is.
What the user knows could very well be a password; even if you have it written down and literally don’t know it by heart, it doesn’t matter, it is still categorized as what you know.
What the user has is “something” the user possesses: an authentication card, a mobile device, another email address, in short, any external asset that can be used to further validate the user’s identity. For example, the famous “two-step verification” or “two-factor authentication” that is present in almost all services is usually based on what the user has: once the credentials (username or email, and password) are entered correctly, a one-time code is sent by text message or by phone call (and here we can see what the user has). This authentication method is known as TOTP, which stands for Time-Based One-Time Password: a one-time password, in this case a code, that has a lifetime during which it can be used and is useless once that time has passed. So far so good; it is a good method, because a cybercriminal who wants to access your account would have to know your password and also have, for example, your cell phone, which is where the text message or call with the code arrives. But of course, a cybercriminal could also redirect the messages you receive and read them too, and phone calls can also be compromised.
So even with two-factor authentication there is still risk, but there are ways to improve this second factor (speaking of TOTP). The concept works; the weak point may be the means by which the code is sent to us, so we should look for a more secure means than calls or simple text messages. And yes, it exists: authentication applications. The best known, and the one I recommend you use, is Google Authenticator. Most services allow you to link one of these applications as a second TOTP authentication factor, because the concept is the same. In the case of Google Authenticator, after linking it with the service in question, the authenticator application itself starts generating single-use codes with a limited lifetime, specifically 30 seconds; after that time new codes are generated, and so on. This greatly improves security, since this time the code does not reach us by text message or call but is generated by an application. Keep in mind that Google Authenticator is not the only authentication application, but it is the one I personally recommend. It is also true that many services will not let you link an application of this kind as a second authentication factor, and it will have to be by call or text message; even worse, some services do not even allow you to activate a second authentication factor at all. So the rule is very simple: use strong and different passwords for each service; if the service allows you to activate a second authentication factor, activate it; and if it allows you to link an authentication application, link one such as Google Authenticator. With this your account will be much safer.
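To show what an authenticator application actually does with those 30-second codes, here is an added example (not code from the article, from Google Authenticator or from any service) implementing the TOTP algorithm from RFC 6238, built on HOTP from RFC 4226, which is what these apps and the services that link them use. It covers the three sides of the scheme described above: enrolment (the `otpauth://` URI that the service shows as a QR code and the app scans), code generation from the shared secret and the current time step, and the server-side check, which tolerates one step of clock drift, compares in constant time, and refuses a time step that was already accepted so that a code someone managed to intercept cannot be used a second time. The secret is the RFC 6238 test key, the account name and issuer are made-up values, and `window` and `last_used` are parameters assumed for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current Unix time divided by the step (30 s)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1, last_used=-1):
    """Server-side check. Returns the matched time-step counter, or None if rejected.

    window: how many steps of clock drift to tolerate on each side of the current step.
    last_used: the last counter already accepted for this user; any counter at or below it
    is refused, so a code that was already typed (or intercepted) cannot be replayed.
    """
    if at is None:
        at = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_used:
            continue
        # Constant-time comparison, so timing does not reveal partial matches
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def new_secret(length: int = 20) -> bytes:
    """Random shared secret created at enrolment (160 bits, the RFC 4226 recommendation)."""
    return secrets.token_bytes(length)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that the service encodes in a QR code for the authenticator app.

    The secret travels base32-encoded without padding; the other parameters
    spell out the defaults (SHA1, 6 digits, 30-second period) used above.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote("{}:{}".format(issuer, account))
    return "otpauth://totp/{}?secret={}&issuer={}&algorithm=SHA1&digits=6&period=30".format(
        label, b32, quote(issuer))


if __name__ == "__main__":
    # RFC 6238 test secret (a published test value, not a real account secret)
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "alice@example.com", "ExampleService"))
    print(totp(secret, at=59))                                 # 287082 (RFC 6238 test vector)
    print(verify_totp(secret, "287082", at=59))                # 1: accepted, time step 1
    print(verify_totp(secret, "287082", at=59, last_used=1))   # None: same step again, rejected
```

After a successful `verify_totp`, the service stores the returned counter as `last_used` for that user; that single integer is what turns a "time-based" code into a genuinely single-use one. Note that the code is derived only from the shared secret and the clock, which is why it never has to travel over the phone network at all.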
So we have already seen authentication factors related to what the user knows (password) and what the user has (TOTP); now we need to see how authentication factors relate to what the user is. These are based on each user’s biometric data, used to authenticate through systems such as voice recognition, facial recognition, fingerprint recognition, iris recognition and even the shape of the veins of the hands. Obviously this type of authentication factor is much safer than the previous ones, because these are properties you have: not a simple password that can be leaked or a code that can be intercepted, but literally elements that are part of you. Of course, not everyone has access at home to the hardware devices needed to carry out any of these authentication factors, although at the enterprise level they are used quite a lot.
In summary, you must have at least two authentication factors activated and, obviously, use strong and different passwords for each service. Remember that your information is worth a lot: it makes no sense for a person to buy a PlayStation 5 and take better care of it than of their information. So protect your information to the maximum; sometimes actions as simple as activating a second authentication factor can save you a lot of trouble in the future.