In the IT industry there are many words used when discussing the topic of authentication. Some of those words often used are multi-factor authentication (MFA), two-factor authentication (2FA), time-based one-time password (TOTP), one-time password (OTP) and more. It is important to understand that there are dependencies and differences among these terms. For example, two-factor authentication (2FA) is a subset of multi-factor authentication (MFA) because it requires more than one form of authentication, i.e. 2FA falls under the MFA umbrella. Additionally, there are multiple types of 2FA/MFA, such as one-time passwords (OTP). Lastly, there are variations of OTP methods like TOTP, HOTP, etc. Therefore, all of the above would be considered multi-factor authentication. Your authentication method(s) can thwart would-be attackers. It seems like all too often we hear about another company falling victim to a cyberattack (some of which are massive enterprise corporations/conglomerates). In this blog we take a look at the various methods of authentication available to protect your business.
Authentication is the process of determining whether someone is who they say they are. Servers, phones, tablets, laptops and Software-as-a-Service clients may all use an authentication method. Servers, as an example, use authentication to identify who is accessing the data, and software clients use it to ensure that the server they connected to is the system intended. This secures systems and information.
Authentication is typically accomplished by validating one of three factors:
Authentication is simple but effective: you can control system access by checking whether the credential a user provides matches what is stored in the database of users or servers. You must prove your identity through unique login information to access information. We use keys to protect our homes and belongings, and authentication allows for protection of your personally identifiable information (PII) or your organization’s IT systems.
Over 90% of phishing attacks target your users’ credentials. It is important that your organization has an authentication solution to prevent these targeted attacks as well as to meet compliance requirements like HIPAA (Health Insurance Portability and Accountability Act), PCI, NIST (National Institute of Standards and Technology) guidance, and more. We wanted to help break this down and make it a little simpler.
Multi-factor authentication (MFA) has grown in popularity to increase the assurance for web and mobile apps. This adoption has correlated to the increase in threats to password security in recent years.
MFA requires two or more verification factors for access. This is considered a core tenet of a secure Identity and Access Management (IAM) policy. Instead of just asking for a username and password, the user is required to provide additional verification factors. This decreases the chances of a successful cybersecurity attack. Usernames and passwords are important, but used alone they leave your organization vulnerable to attacks. Enforcing MFA adds confidence to your IT team’s ability to keep sensitive data safe.
One-time passwords (OTP) are one of the most common MFA factors used. They are used with HTTPS (web applications) and are not available for connections through FTP/FTPS/SFTP due to the automated nature of these protocols. An OTP is a 4- to 8-digit code that you receive via text, e-mail, or an authenticator app. The OTP code is either generated every time a request is made or generated periodically. The code is derived from a seed value that is given to the user when they first register, combined with another input that is either a time value or a counter that is incremented on each use. If an OTP code is time based, it is called a TOTP, which stands for time-based one-time password. This means the code will refresh after a determined period (normally 30 seconds) whether the current code is used or not.
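To make the seed-plus-counter and seed-plus-time derivation concrete, here is an added example (not FTP Today’s code) implementing HOTP (RFC 4226) and TOTP (RFC 6238) with a 30-second step, plus the server-side check that tolerates one step of clock drift. The seed is the published RFC test secret, used only for demonstration.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226 / RFC 6238 reference secret, not a real key.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30  # seconds; the "normally 30 seconds" refresh interval


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code of `digits` length."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks the window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch at time `at`."""
    return hotp(seed, at // step, digits)


def verify_totp(seed: bytes, candidate: str, at: int, digits: int = 6,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and up to
    `window` adjacent steps (clock drift), comparing in constant time so the
    check itself leaks nothing about the expected value."""
    for drift in range(-window, window + 1):
        expected = totp(seed, at + drift * step, digits, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(DEMO_SEED, now))
```

A real deployment also records the last accepted step so a code cannot be replayed within its window.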
IT security professionals should always revisit how to provide secure access to their users. One way to protect sensitive company information and user data is to empower users with reliable and simple security. Using one-time passwords (OTP) as a form of multi-factor authentication is a way to make it more difficult for cyber criminals to access sensitive information.
As mentioned previously, authentication typically involves using a combination of elements to authenticate.
Out of the above elements, an OTP code could be considered both Knowledge and Possession, because the individual must know which OTP application to use, and must have something in their possession to receive the code, such as their phone or the application itself.
There are a few other types of MFA that integrate with new frontiers of technology like machine learning and artificial intelligence (AI) – these allow authentication methods to become more sophisticated.
This type of MFA uses an IP address and/or geolocation permissions, such as access by country. You can block access if a user’s location information does not match what is on the whitelist, or the check can be used as an additional form of authentication for an SFTP connection. The first check would be the correct username and password or SSH key, and the second check would be the IP address the individual is connecting from.
Adaptive authentication analyzes more factors using context and behavior to assign a level of risk of a login attempt, and then may require additional authentication depending on the risk score.
The risk is calculated based on the answers to these questions and determines whether any progressive authentication will be required. If a user is attempting to log in from an unusual place late at night, they may be prompted to enter a code sent via text in addition to their username and password. However, when they log in from the office during normal business hours, they are only required to provide their username and password.
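As an added illustration (not FTP Today’s product logic) of the two policies just described, the following combines a location-based second check on the source IP with an adaptive risk score that decides whether to step up to an OTP prompt. The networks, hours and risk weights are constructed for the example; the IP ranges are the reserved documentation blocks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy values; a real allowlist comes from your IAM configuration.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3
                   ipaddress.ip_network("198.51.100.0/24")]  # TEST-NET-2
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local time


@dataclass
class LoginContext:
    username: str
    first_factor_ok: bool   # password or SSH key already verified
    source_ip: str
    hour: int               # local hour of the attempt, 0 to 23
    known_device: bool


def on_allowlist(ip: str) -> bool:
    """Location-based check: is the source IP inside an approved network?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def risk_score(ctx: LoginContext) -> int:
    """Adaptive scoring with constructed weights: each unusual signal adds risk."""
    score = 0
    if not on_allowlist(ctx.source_ip):
        score += 2          # unusual location
    if ctx.hour not in BUSINESS_HOURS:
        score += 1          # unusual time of day
    if not ctx.known_device:
        score += 1          # unrecognised device
    return score


def decide(ctx: LoginContext, strict_ip: bool = False) -> str:
    """Return 'deny', 'allow' or 'step_up' (prompt for an OTP).
    strict_ip=True models location-based MFA: an off-allowlist IP is denied
    outright after the first factor. Otherwise the risk score decides."""
    if not ctx.first_factor_ok:
        return "deny"
    if strict_ip and not on_allowlist(ctx.source_ip):
        return "deny"
    return "step_up" if risk_score(ctx) >= 2 else "allow"
```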
User accounts can be easily compromised through weak password controls required by organizations, or through social engineering (the stealing of passwords by pretending to be someone else, say a member of your organization’s help desk). Additionally, even if your organization has implemented strong technical controls (requiring passwords to be of a certain length and to use numbers, symbols, uppercase and lowercase), the human element is difficult to overcome: users choose passwords that are easy to remember because they reuse the same password on other applications. Unfortunately, a strong security posture today means administrators should assume their users’ passwords will be compromised at some point, and must be able to defend against it.
MFA is widely regarded as the best defense against password-related attacks, which include several distinct types of attacks:
An analysis from Microsoft suggests that MFA would have stopped 99.9% of account compromises!
Although the advantages of using MFA are evident, there are some disadvantages your organization should consider before implementing. If you decide to implement MFA anyway, then you should have a plan in place for overcoming these objections:
Here are several best practices an organization can take to overcome some of the disadvantages of MFA, implement strong security practices, and lighten the load on your users. Even though these tips might be helpful, we encourage you to conduct your own research to decide what works best for your organization:
Many tech platforms, software, tools, etc. today commonly use multi-factor authentication along with a password plus a push notification via an app, a time-based token, or even biometrics. As you can see the different approaches to MFA vary widely and present different tradeoffs.
Before you select a secure file-sharing or file transfer solution, consider your authentication needs carefully. If you need the heightened security to protect your data, make sure to choose an FTP solution that features these authentication methods, or can integrate with an MFA application that supports them. When you choose an industry-best secure file-sharing or transfer solution with support for MFA, you will have peace of mind knowing you have implemented another step in effectively protecting your organization’s data by ensuring every user accessing your server is whom they claim to be.
To keep your company data safe, it is essential to verify that someone is who they say they are. In the past, a single, unique password might have been enough protection to keep potential digital thieves at bay, but hackers’ methods have become more sophisticated with each passing day. Contact our team to learn more about the authentication methods that FTP Today offers to ensure you can share with confidence.
Arvind is Director of Compliance and Programs at FTP Today. He came to FTP Today with 11+ years of experience in offering cloud solutions to the Federal Government and public sector channels at companies such as Rackspace, IBM, UNICOM, A10 and Radware Alteon. He is based in the Washington, D.C. area.