Find Us

Address
123 Main Street
New York, NY 10001

Hours
Monday—Friday: 9:00AM–5:00PM
Saturday & Sunday: 11:00AM–3:00PM

A review of the evolution of multi-factor authentication (MFA)

Over the last couple of decades, multi-factor authentication (MFA) has become a popular term in the cybersecurity industry. Whether to protect an email account, log into a service, or perform a bank transaction, most of us have dealt with multi-factor authentication, an authentication mechanism where a user is only granted access to a system by sharing at least two pieces of evidence (e.g., a regular password you create and a one-time code sent to your phone). 

This blog post is a review of the history of multi-factor authentication and how the evolution of MFA methods has changed the face of cybersecurity. Technological developments promise affordable, user-friendly multi-factor authentication methods, which include typing biometrics, an innovative approach to authentication which recognizes people by the way they type.

The context for authentication

Cybercrime is on the rise

In the early 2000s, Bill Gates predicted the death of the password as a single measure of account protection. In short, he was right. 

Passwords are simply not enough. In recent years, billions of people have become the victims of cybercriminals who stole their credentials from the databases of corporations such as Marriott, Equifax, and Yahoo. Although hacked personal data is problematic to everyone, the bad news is that as long as there is a financial gain, hackers are not going to stop anytime soon. Instead, cybercrime is on the rise and continuously evolving. In fact, the forecast for annual global costs associated with data breaches is estimated to hit a staggering $6 trillion by 2021.

Authentication changed cybersecurity

The good news is we can secure our accounts by applying MFA, which makes it harder for hackers to access private data. 

By requiring the provision of identity evidence, MFA ensures only the owner of an account can access it. Very simply, MFA entails the use of two or more security factors, including knowledge (something you know), possession (something you have), and inherence (something you are).

The history of authentication

Passwords are the oldest single-factor authentication system in the world. They’ve been used with computing systems since 1961 when the first computer system implemented password login. 

Kim Dotcom claims to have invented two-factor authentication back in 1997 when he was awarded a patent for his “method for authorizing in data transmission systems employing a transaction authorization number or a comparable password.” However, AT&T’s patent precedes Kim’s, having been granted a couple of years earlier in 1995. 

Regardless of who invented MFA, authentication is becoming more and more popular and affordable. In an age of data breaches, people should be given the opportunity to use it in order to secure their accounts.

Two reasons to avoid MFA

When authentication emerged decades ago, it was unappealing to the masses in large part for reasons that are still relevant today. For example, enacting MFA can be difficult due to the cost and inconvenience of adding additional hardware to the mix, such as portable tokens or biometric scanners. On top of that, the end-user is burdened with friction during the login process due to the effort required to memorize information or access tokens or having their biometrics scanned.

However, the evolution of authentication methods changed the face of cybersecurity

The evolution of multi-factor authentication

For a long time, MFA providers dwelled over security and usability ineffectively. While private individuals rejected MFA due to friction concerns, enterprises overlooked MFA due to complexity and costs associated with the procurement of software and hardware, on-premises deployment, and maintenance.

The ubiquity of smartphones pushed MFA adoption

However, the introduction and mass adoption of smartphones has reduced hassles users may experience during authentication. 

Being able to produce both possession and biometric factors from one place (i.e., the user’s phone) brought an important decrease in disruption levels to users. Mobile phones support measures like one-time passwords (OTP) through SMS or email and key push notifications. 

What’s more, Acuity predicts that by 2020, 4.8 billion smartphones will support biometrics such as fingerprint scan, voice recognition, or facial identification.

2FA gets worldwide attention

Moreover, cloud technologies, enterprise mobility, and the increased use of bring-your-own-device (BYOD) policies solidified the positive trend in MFA implementation. 

MFA got worldwide attention when large brands like Apple, Facebook, and eBay began adopting two-factor authentication (2FA) more frequently. Two-factor authentication requires a user to present two different types of identity evidence before being allowed to access an account. 

For example, 2FA can include the use of a username and password (a knowledge-based factor) followed by one-time passwords via email or SMS (a possession-based factor) or biometric factors like a unique typing pattern.

Legislation and regulations, including PCI-DSS, PSD2, and NIST, align on requiring better protection for customer data against illegitimate access. They cover policies, procedures, and what organizations need to do to implement the authentication measures. These regulations apply not only to government agencies but also enterprises within a range of industries such as commercial security, finance, banking, software services, and healthcare.

The boost in MFA’s popularity happened when technological advancements and legislation were leveraged for global cybersecurity purposes.

MFA today

MFA has indeed become a popular phrase in the cybersecurity industry due to its widespread global use. A study by Okta, for example, revealed that, in 2018, 70% of companies used two to four different authentication factors to secure their systems. Turning on MFA is common as well, with 26% of individuals using it in their private lives and 38% at work.

MFA can easily be applied in many different use cases, such as account login, ATM authentication, online banking, driver’s license testing, and eLearning.

Today, three categories of factors are available to link an individual with established credentials:

Something You Know – Knowledge

A quick look at authentication factors is enough to help you understand the drawbacks of single methods of authentication. To many, these lower assurance factors are no longer perceived as trustworthy, particularly on their own. For example, security codes sent through text messages can be intercepted or redirected, and the answers to security questions are easily available via public records, on social media, or even by guessing.

Something You Have – Possession 

There is a shift toward more secure factors such as one-time password codes (OTP), push notifications, app-generated codes, security tokens, smart cards, and physical keys. However, these can be stolen or lost, and they implicitly create additional costs and disruption.

Something You are – Inherence

Biometrics can be traced back to the 19th century. But it’s gained popularity in the digital era due to technological progress in the field. While finally taking off in the consumer space, the intrusive nature of biometrics remains a crucial reason for skepticism. Moreover, some biometrics—like fingerprints and facial scans—are less secure because they can be duplicated. Others like voice recognition are often too cumbersome. Taken together, all of these things stand as challenges for the user adoption of MFA.

SCA-elements

The future of authentication

Behavioral biometrics

The trend in user authentication is behavioral biometrics, which analyzes patterns in the mannerisms of people (e.g., gestures, keystrokes, mouse movements, and gait). Sophisticated technology allows for a thorough comprehension of people’s unique actions. Behavioral biometrics is usually regarded as a supplement to traditional authentication approaches like passwords, smart cards, and PINs.

Typing biometrics used for secure and frictionless MFA

As mentioned, user-friendliness and privacy protection are critical in how people perceive authentication. Typing biometrics provides accurate online security based on how people type on their keyboards. The innovative approach to authentication analyzes new typing patterns against previously recorded samples to produce a matching score. If this score is within the predetermined threshold, the user can access their account. 

With typing biometrics, people can stay secure while simply typing their credentials as they normally would. Even if credentials are stolen, security stays intact since it is almost impossible to replicate someone’s typing pattern.

Typing biometrics as an authentication method can be used to safeguard data, seamlessly in the background, on any keyboard, and without requiring additional hardware.

The evolution of multi-factor authentication changed the face of cybersecurity. Technological developments promise affordable, user-friendly multi-factor authentication, which is the main vector in any comprehensive privacy protection system. Typing biometrics is an innovative behavioral biometrics authentication method which focuses on individuals’ unique typing patterns, and which can be used as part of an integrated and robust MFA system. To learn more about how you can use the modern solution to identity verification to secure your systems, check this out.

Share: