Multi-Factor Authentication (MFA) has recently been advocated by most security standards as one of the primary compliance requirements. MFA brings strong layers of security, helps companies achieve compliance, and increases flexibility and productivity by removing the burden of passwords. Even with its increased popularity, many of the benefits mentioned above have been overshadowed by some commonly recognized drawbacks:
- Increased login time when using out-of-band factors such as SMS OTP or tokens
- Complex deployment and integration
- Dependence on third parties when malfunctions occur
- High maintenance resources, including high costs of database management
The factors used in multi-factor authentication can be grouped into three categories: knowledge-based, possession-based, and inherence-based. Companies must choose the most suitable ones, not only to comply and meet budget expectations but also to avoid a burdensome user experience. With this in mind, most of the downsides can be avoided by integrating typing biometrics with other authentication factors.
These are the most common drawbacks of factors in an MFA system:
Something you know – such as a password or passphrase.
This method involves verifying information the user has provided in the past: a password, a PIN, or the answer to a secret question. Passwords have been used for millennia in various contexts, ranging from biblical mentions in the Old Testament to the Roman army. In the more recent history of computing, Fernando Corbato introduced passwords at the Massachusetts Institute of Technology (MIT) in 1960. Users sharing the few available computers and the same disks had to authenticate to keep files private.
Today, most people opt for simple passwords that are easy to guess and infer. When choosing a password, users must bear in mind that computational power has increased in recent years, and it would take only 10 minutes to break Arthur Scherbius’s Enigma. Choosing a complex password might prove a good idea, but even the most diligent of users will have a hard time remembering it.
For corporate and even personal accounts, relying solely on a password is a mistake. In a corporate environment, centralized password repositories represent an authentication layer that is centrally located and accessible by anyone, including cyber attackers. A savvy multi-factor authentication implementation includes at least one other factor that provides security as well as ease of use.
Something you have – such as a token device or smartcard.
This method relies on an item the user possesses. It can be a physical or logical security token, a one-time password (OTP) token, a key fob, an employee access card, or a phone’s SIM card.
Most things that are easy to carry are also easy to lose or have stolen. The tokens that have taken over corporate cybersecurity in the past 20 years are hard to integrate, adding significant costs to yearly budgets. Tokens also create a burdensome user experience and crowd IT departments with replacement requests, since most employees will at some point, or often, forget them at home. The security of a token is fragile, considering that anyone in possession of the object can use it to authenticate.
Something you are – such as physical or behavioral biometrics.
Biometric verification is based on characteristics unique to the individual: retina, iris, and fingerprint scans, facial recognition, voice recognition, hand geometry, and earlobe geometry. As for behavioral biometrics, gait and typing behavior can be analyzed, as well as hand movements when holding a device (aided by gyroscope technology).
Users tend to be uncomfortable having sensitive data such as retina scans or fingerprints captured and stored, since this kind of data was primarily used in law enforcement. It’s therefore easy to understand the hesitation over privacy infringement.
The past years have also shown that fingerprints and facial recognition are not as safe as anticipated. Ingenious hacking exploits have been pursued in various regions across the world with the sole purpose of stealing personal and corporate data.
Most popular devices lack the appropriate means to record such sensitive data, and biometric-scanning hardware adds cost and complexity.
MFA with typing biometrics
Major drawbacks such as long login times or a cumbersome user experience can be avoided by implementing typing biometrics in a multi-factor authentication system. Recent technological improvements have allowed the development of algorithms able to learn the way people interact with a device. Typing biometrics, or capturing the way people type on their keyboards, is a newly emerging technology facilitated by progress in AI (Artificial Intelligence) and computational power.
Every individual has a unique typing pattern. As part of an authentication process with typing biometrics, the initial enrollment consists of capturing the typing pattern and attributing it to the user. Every time a new authentication is made, the stored hashed pattern is verified against the initial one, and after being matched in the background, the user is logged in. Combined with other factors, an MFA implementation with typing biometrics is key in avoiding drawbacks such as costly tokens or user experience disruption.
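The enrollment and matching steps described above can be sketched as follows. This is an added example, not TypingDNA's algorithm or code: it assumes a simple statistical template (per-key dwell and between-key flight times, compared with a scaled Manhattan distance), and the function names, threshold, and timing samples are constructed for illustration.

```python
from statistics import mean

def make_events(text, dwells, flights):
    """Constructed helper: build (key, press_ms, release_ms) from timings."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events

def features(events):
    """Dwell time per key, then flight time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature (mean, mean absolute deviation)."""
    template = []
    for column in zip(*(features(s) for s in samples)):
        mu = mean(column)
        mad = mean(abs(x - mu) for x in column)
        template.append((mu, max(mad, 1.0)))  # floor avoids division by zero
    return template

def score(template, events):
    """Scaled Manhattan distance; lower means closer to the enrolled user."""
    vec = features(events)
    if len(vec) != len(template):
        raise ValueError("attempt does not match the enrolled phrase")
    return mean(abs(x - mu) / mad for x, (mu, mad) in zip(vec, template))

def verify(template, events, threshold=3.0):  # threshold is an assumed value
    return score(template, events) <= threshold

# Constructed timings (milliseconds) for the phrase "pass".
ENROLLMENT = [
    make_events("pass", [90, 85, 100, 95], [60, 70, 65]),
    make_events("pass", [95, 80, 105, 90], [55, 75, 60]),
    make_events("pass", [85, 90, 95, 100], [65, 65, 70]),
]
GENUINE = make_events("pass", [92, 83, 102, 93], [58, 72, 63])
IMPOSTOR = make_events("pass", [140, 60, 150, 50], [120, 20, 130])

if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    print("genuine :", round(score(template, GENUINE), 2), verify(template, GENUINE))
    print("impostor:", round(score(template, IMPOSTOR), 2), verify(template, IMPOSTOR))
```

The threshold sets the trade-off between false rejections of the real user and false acceptances of someone else, which is why a typing match is combined with another factor rather than used alone.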
To combat the above-mentioned shortcomings, we developed a savvy MFA solution with typing biometrics, SMS, or Email OTP. Read more about TypingDNA MFA.