A review of the evolution of MFA

Over the last couple of decades, multi-factor authentication, widely known as MFA, has become a popular term in the cybersecurity industry. Whether to protect an email account, log into a service, or perform a bank transaction, most of us have dealt with multi-factor authentication. This blog post is a review of the history of authentication and how the evolution of MFA methods changed the face of cybersecurity. Technological developments promise affordable and user-friendly multi-factor authentication, which includes typing biometrics as an innovative option.

The context for authentication

Cybercrime is on the rise

In the early 2000s, Bill Gates predicted the death of the password as a single measure of account protection. In short, he was right. Passwords are simply not enough. Billions of people are the victims of cybercriminals, having their credentials stolen from databases of corporations such as Marriott, Equifax, and Yahoo. Although hacked personal data is problematic to everyone, the bad news is that as long as there is a financial gain, hackers are not going to stop anytime soon. Instead, cybercrime is on the rise and continuously evolving. The forecast for annual global costs associated with data breaches is estimated at $2.1 trillion in 2019.

Authentication changed cybersecurity

What can we do to secure our accounts? Apply multi-factor authentication (MFA), which makes it harder for hackers to access private data. By requiring the provision of identity evidence, MFA ensures only the owner of an account can have access to it. It entails the use of two or more security factors, including knowledge (something you know), possession (something you have), and inherence (something you are).

The history of authentication

Passwords are the oldest single-factor authentication system in the world, used with computing systems since 1961, when the first computer system implemented password login. Kim Dotcom claims to have invented two-factor authentication back in 1997, when he was awarded a patent for his “method for authorizing in data transmission systems employing a transaction authorization number or a comparable password.” However, AT&T’s patent precedes Kim’s, having been granted a couple of years earlier, in 1995. Regardless of who invented it, authentication is becoming more and more popular and affordable, and people should be given the opportunity to use it to secure their accounts.

Two reasons to avoid MFA

When authentication emerged decades ago, it was unappealing to the masses. The reasons for this are still relevant today. One reason remains the cost and inconvenience of additional hardware, such as portable tokens or biometric scanners. On top of that, the end-user is burdened with friction during the login process, due to the effort required to memorize information, access tokens, or to have their biometrics scanned.

However, the evolution of authentication methods changed the face of cybersecurity.

The evolution of authentication

For a long time, MFA providers struggled ineffectively with the balance between security and usability. While private individuals rejected MFA due to friction concerns, enterprises overlooked MFA due to the complexity and costs associated with the procurement of software and hardware, on-premise deployment, and maintenance.

The ubiquity of smartphones pushed MFA adoption

However, the introduction and the mass adoption of smartphones meant less hassle during authentication. Being able to produce both possession and biometric factors from one place (the phone) meant an important decrease in disruption levels. Mobile phones support measures like one-time passwords (OTP) through SMS or email, and key push notifications. Acuity predicts that by 2020, 4.8 billion smartphones will support biometrics such as fingerprint scan, voice recognition, or facial identification.

2FA got worldwide attention

Moreover, cloud technologies, enterprise mobility, and the increased use of bring-your-own-device (BYOD) policies solidified the positive trend in MFA implementation. MFA got worldwide attention when two-factor authentication (2FA) started to be more frequently adopted by large brands, including Apple, Facebook, and eBay. Two-factor authentication requires two different types of identity evidence before a user is allowed access to an account: for example, a username and password (a knowledge-based factor), followed by a one-time password sent via email or SMS (a possession-based factor), or a biometric factor like the user's unique typing pattern.

Legislation and regulations, including PCI-DSS, PSD2, and NIST, align on requiring better protection for customer data against illegitimate access. They cover policies, procedures, and the implementation of authentication measures. Such enforcement directs not only governmental agencies but also enterprises within a range of industries such as commercial security, finance, banking, software services, and healthcare.

The boost in MFA’s popularity happened when technological advancements and legislation were leveraged for global cybersecurity purposes.

MFA Today

MFA has indeed become a popular term in the cybersecurity industry due to its widespread global use. A study by Okta on their customers shows that, in 2018, 70% of companies used two to four different authentication factors. Turning on MFA is common as well, with 26% of individuals using it in their private lives and 38% at work.

There is a plethora of markets where MFA can easily be applied, such as account login, ATM, online banking, driver’s license, eLearning, etc.

Today, three categories of factors are available to link an individual with the established credentials:

  1. Something You Know – Knowledge

    A quick look at authentication factors is enough to reveal some concerning drawbacks. Lower assurance factors are no longer perceived as trustworthy. For example, security codes sent through text messages can be intercepted or redirected, and the answers to security questions are easily available via public records or on social media.

  2. Something You Have – Possession 

    There is a shift toward more secure factors such as one-time password codes (OTP), push notifications, app-generated codes, security tokens, smart cards, or physical keys. However, these can be stolen or lost, and they implicitly create additional costs and disruption. 

  3. Something You Are – Inherence

    Biometrics can be traced back to the 19th century and have gained popularity in modern times thanks to technological progress in the field. While they are finally taking off in the consumer space, the intrusive nature of biometrics remains a crucial reason for skepticism. Moreover, some biometrics, like fingerprint or facial scans, are less secure, as they can be duplicated. Others, like voice recognition, are often too cumbersome. All of these stand as challenges for the user adoption of strong identity and multi-factor authentication.

The future of authentication

Behavioral biometrics

The trend in user authentication is behavioral biometrics, which analyzes patterns in the mannerisms of people (gestures, keystrokes, mouse movements, gait, etc.). Sophisticated technology allows for a thorough comprehension of people’s unique actions. It is usually regarded as a supplement to traditional authentication approaches like passwords, smart cards, and PINs.

Typing biometrics used for secure and frictionless MFA

As mentioned, user-friendliness and privacy protection are critical in how people perceive authentication. Typing biometrics provides accurate online security based on how people type on their keyboards. It compares a new typing pattern against previously recorded samples to produce a matching score. If this score is within the predetermined thresholds, the user receives access to their account. This way, people can stay secure while just typing their credentials at login. Even if credentials are breached, security is intact, as it is almost impossible to replicate someone’s typing pattern.
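The score-and-threshold flow described above can be sketched as follows. This is an added example, not code from the original post or from any typing-biometrics product: it swaps in a simple scaled Manhattan distance over dwell and flight times as the matching score (lower is closer), and the function names, the 2.0 threshold and all timings are assumptions constructed for illustration.

```python
from statistics import mean

def features(events):
    """events: [(key, press_ms, release_ms), ...] -> dwell times + flight times."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Build a template: per-feature mean and mean absolute deviation (MAD)."""
    keys = [k for k, _, _ in samples[0]]
    if any([k for k, _, _ in s] != keys for s in samples):
        raise ValueError("enrollment samples must contain the same key sequence")
    stats = []
    for column in zip(*(features(s) for s in samples)):
        mu = mean(column)
        mad = mean(abs(x - mu) for x in column)
        stats.append((mu, max(mad, 1.0)))  # floor keeps a near-zero MAD from dominating
    return {"keys": keys, "stats": stats}

def match_score(template, attempt):
    """Scaled Manhattan distance to the template; lower means a closer match."""
    if [k for k, _, _ in attempt] != template["keys"]:
        raise ValueError("typed text differs from the enrolled text")
    vec = features(attempt)
    return mean(abs(x - mu) / mad for x, (mu, mad) in zip(vec, template["stats"]))

def verify(template, attempt, threshold=2.0):
    """Accept only if the score is within the threshold (2.0 is an assumed value)."""
    return match_score(template, attempt) <= threshold

# Constructed timings in milliseconds for the text "pass"; not real measurements.
ENROLLMENT = [
    [("p", 0, 95), ("a", 180, 270), ("s", 390, 470), ("s", 560, 645)],
    [("p", 0, 100), ("a", 190, 275), ("s", 400, 485), ("s", 580, 660)],
    [("p", 0, 90), ("a", 170, 265), ("s", 380, 455), ("s", 545, 635)],
]
GENUINE = [("p", 0, 97), ("a", 183, 271), ("s", 392, 474), ("s", 566, 650)]
IMPOSTOR = [("p", 0, 140), ("a", 300, 420), ("s", 650, 760), ("s", 1000, 1130)]

if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    for label, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, round(match_score(template, attempt), 2), verify(template, attempt))
```

Three enrollment samples keep the example short; with so few, the deviation estimates are tight and the threshold would need tuning against measured false-accept and false-reject rates.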

Typing biometrics as an authentication method can be used to safeguard data, seamlessly in the background, on any keyboard, and without requiring additional hardware.

The evolution of MFA methods changed the face of cybersecurity. Technological developments promise affordable and user-friendly multi-factor authentication, which is the main vector in any comprehensive privacy protection system. Typing biometrics is an innovative behavioral biometrics authentication method which focuses on individuals’ unique typing patterns, and which can be used as part of an integrated and robust MFA system.