Multifactor Authentication (MFA): When Adding more Passwords is not the Solution

09 March 2023 by Uday | Tags: eDiscovery, MFA, Multifactor Authentication

Takeaway: Multifactor authentication (MFA) requires users to prove their identity with two or more different kinds of credential, which makes an application far harder to break into with a single stolen secret. So when you register for an app, check whether it uses basic MFA principles as part of its security setup.

Adding layers of protection to online applications with Multifactor authentication (MFA).

Multifactor authentication (MFA) adds multiple layers of protection over data and services by making users confirm their identity with two or more independent credentials (e.g., a password and a fingerprint), creating a system that is significantly harder for attackers to breach. Breaking into your password vault or stealing your wallet does not give an attacker access to all your data, because they will also need a second form of validation, such as a biometric element (a fingerprint or face scan) or your phone (for a one-time security code). The same applies to social-engineering attacks like phishing: a single stolen secret does not give the attacker everything they need.

MFA functions by making use of multiple parts of your identity.

MFA checks specific aspects of your identity rather than asking for random bits of information. In practice you will be asked for two, or all three, of the following:

  • Something you know (e.g., a password, PIN, pattern code, or security question)
  • Something you have (e.g., a smart card, mobile token, or Bluetooth proximity device)
  • Something you are (e.g., a fingerprint, voice sample, or facial recognition)

An attacker may well obtain one of these, but obtaining two or three independent ones is much harder.

Passwords are susceptible to attack, so it is important to use more than one factor

Passwords are a convenient authentication method, but they are not fail-safe. We tend to choose passwords based on something related to us (birthdays, anniversaries, a first school), which someone else might know or guess. There are also many tools that work through permutations and combinations to crack a password by brute force. And you could simply be careless with it (a password written on a note stuck to your screen), so that someone stumbles across it, or you could be tricked into sharing it.

That’s why adding more passwords is not the answer.

Multi-factor authentication is not the same as multi-step authentication. In multi-step authentication, several passwords are used to move further into an application or to unlock different functions within it. The problem is that every one of those passwords carries the same weaknesses: cracking the second password is the same job as cracking the first, so stacking passwords only means it takes the attacker a little longer to get in. With MFA, by contrast, users must present two different kinds of identification. An attacker may crack your password, but they still need a way to obtain the randomly generated security code, which is valid for only a few minutes. Most importantly, both pieces of information are required at the same time.

Robust systems require authentication and authorization.

It is worth noting that robust systems distinguish authentication from authorization. You may be able to log in to an application or system with a password and still not be able to perform actions that alter system data without a separate authorization check. For example, logging in to your bank's online system with a password lets you check your account balance and transactions, but changing profile information or transferring funds requires further authorization. Having authenticated your identity by logging in does not mean you are authorized to perform every function.

Two-factor authentication is one of the simplest forms of data protection

When a regular password is paired with a randomly generated token, e.g., a one-time password (OTP), it is known as two-factor authentication (2FA). Because the second factor is a different kind of credential, it becomes much harder for an attacker to crack the system, and an OTP generator such as Google Authenticator is all that is needed to make it work. Keeping the authentication process simple matters, because complex security makes users impatient even though it is for their benefit. 2FA is a very good choice for data protection, but more factors make a system more robust, since someone could compromise your authenticator app, steal your phone, or intercept an OTP in transit.

Decentralization matters, irrespective of the factor count.

Decentralizing the verification step makes the layers of protection work better. Suppose you sign in via your phone and the verification happens on the device rather than against a central database. Attacking the system then becomes much harder, because an attacker has to compromise many individual phones instead of a single website to tamper with the sign-on process. Systems in which the authentication secrets are distributed in this way deter attackers, since a breach of the central server does not hand over everyone's credentials. Phone-based authentication also reuses the device's existing authentication hardware (e.g., fingerprint sensors), which makes better use of available resources and helps app developers stay within budget rather than duplicating technology just to provide a verification function.

Also, make the process ‘dynamic’ whenever possible.

Dynamic (risk-based) authentication cross-checks the context of a request against the verification it requires. The system continuously evaluates signals about the session and asks for whatever check is most relevant. For example, the IP address from your browser may match the IP address of the transaction, so the system trusts your phone, but it might still ask for further verification that you are the person using it, such as a fingerprint. In another scenario you might be asked for an OTP instead, if that is the more appropriate check at that moment. The system is constantly assessing the risk and requesting the information that minimizes it.

So, what is our takeaway from all this? Find and use apps that have been developed with MFA principles, even if they do not offer full-fledged MFA.

Two-factor authentication and in-app authorization are practices followed by all the best applications. For example, eDiscovery applications have user-level permissions that allow some users only to view data, others to view and edit it but not delete it, and so on. (This is over and above the sign-in password and the Google Authenticator code.) So, when you next evaluate a new application, take into account how many of these authentication best practices it follows. This matters especially if the app will handle sensitive or privileged information. And remember: adding more passwords does not mean better security.

Looking for affordable eDiscovery software that uses MFA principles as part of its security setup? Check out GoldFynch.

If you haven’t yet settled on which eDiscovery software to use, consider trying GoldFynch. It’s an affordable eDiscovery service designed for small and midsize firms. And it’s stocked with essential eDiscovery tools and bonus features. For instance:

  • It costs just $27 a month for a 3 GB case: That’s significantly less than most comparable software. With GoldFynch, you know exactly what you’re paying for: its pricing is simple and readily available on the website.
  • It’s easy to budget for. GoldFynch charges only for storage (processing files is free). So, choose from a range of plans (3 GB to 150+ GB) and know up-front how much you’ll be paying. You can upload and cull as much data as you want, as long as you stay below your storage limit. And even if you do cross the limit, you can upgrade your plan with just a few clicks. Also, billing is prorated – so you’ll pay only for the time you spend on any given plan. With legacy software, pricing is much less predictable.
  • It takes just minutes to get going. GoldFynch runs in the Cloud, so you use it through your web browser (Google Chrome recommended). No installation. No sales calls or emails. Plus, you get a free trial case (0.5 GB of data and a processing cap of 1 GB) without adding a credit card.
  • It’s simple to use. Many eDiscovery applications take hours to master. GoldFynch takes minutes. It handles a lot of complex processing in the background, but what you see is minimal and intuitive. Just drag-and-drop your files into GoldFynch, and you’re good to go. Plus, you get prompt and reliable tech support (our average response time is 30 minutes).
  • Access it from anywhere, and 24/7. All your files are backed up and secure in the Cloud.

Want to find out more about GoldFynch?