Multi-Factor Authentication Deep Dive: Securing Access On-Premises and in the Cloud


The Discussion

  • Multi-factor authentication must comprise, at least:

    1) "something only the user knows" (aka password)
    2) "something only the user has".

    Multi-factor authentication with phone or email IS NOT effective because the communication can be "known" by the service provider. Phone and email are not "something only the user has".

    A token code generated by a mobile app is better, but the "secret seed" (which is needed to generate token codes) must be encrypted using a PIN code. This PIN can be seen by a third person while you are typing it into your mobile device.

    Hardware tokens are more secure because the "secret seed" is stored in secure memory; no one can see this secret key.

    Does Active Directory support hardware tokens?
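The comment above describes a token code derived from a "secret seed" inside a mobile app. The following is an added example (not part of the original discussion or any vendor's code) showing how that derivation works in the standard HOTP/TOTP algorithms (RFC 4226 / RFC 6238), plus the server-side check a verifier needs: a small clock-drift window, constant-time comparison, and rejection of a counter that has already been accepted so a captured code cannot be replayed. The seed value is the published RFC test seed, embedded here as constructed sample input; the function names and the `last_used` bookkeeping are this example's own conventions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample input: the ASCII test seed used in the RFC 4226/6238 test vectors.
# In a real deployment this is the per-user secret that must never leave protected storage.
TEST_SEED = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit big-endian counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, digits: int = 6, step: int = TIME_STEP, algo=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time-step counter."""
    return hotp(seed, at // step, digits, algo)


def verify_totp(seed: bytes, submitted: str, at: int, last_used: int = -1,
                window: int = 1, digits: int = 6, step: int = TIME_STEP) -> Optional[int]:
    """Server-side verification.

    Returns the time-step counter that matched (the caller stores it as the new
    `last_used` so the same code cannot be accepted twice), or None on failure.
    Accepts the current step and +/- `window` adjacent steps to tolerate clock drift.
    """
    submitted = submitted.strip()
    if len(submitted) != digits or not submitted.isdigit():
        return None                              # malformed input, never reaches HMAC
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used:
            continue                             # replay of an already-consumed step
        if hmac.compare_digest(hotp(seed, candidate, digits), submitted):
            return candidate
    return None


def provisioning_secret(seed: bytes) -> str:
    """Base32 form of the seed, as carried in an otpauth:// enrollment QR code.
    Anyone who sees this string (or the QR code) can generate valid codes."""
    return base64.b32encode(seed).decode("ascii").rstrip("=")


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit TOTP:", totp(TEST_SEED, now))
    print("enrollment secret   :", provisioning_secret(TEST_SEED))
```

The RFC 6238 test vectors (for example, time 59 with 8 digits gives 94287082) exercise `hotp`/`totp` directly, so the output can be checked against the standard without any external service. The `last_used` counter is what turns a time-based code into a true one-time code on the server side; without it a code observed over the shoulder, as the comment describes for the PIN, remains valid for the rest of its 30-second window plus the drift window.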

  • Azure Multi-Factor Authentication doesn't use email. It uses a phone or mobile device that the user registers. When they sign in with their username and password, they prove that the registered phone/device is in their possession by answering a phone call, receiving a text message, receiving a push notification to the MFA app registered on the device, or using an OTP from the mobile app.

    All forms of multi-factor authentication (phone call, text, mobile app, soft token, hardware token, USB token, grid card, smart card, etc.) are more secure than using just a username and password. Using the phone call, two-way text message or push notification to the mobile app is more secure than software or hardware tokens because they are 100% out of band, meaning that the second factor of authentication is completed in a totally separate channel from the first factor of authentication. If a keystroke logger or malware is able to compromise a user's username and password, it is not able (or finds it much more difficult) to compromise the second factor.

    Using the phone/mobile device as the device the user has in their possession is much more convenient for both the end user and IT than hardware (and often software) tokens, and is generally less expensive. The IT department doesn't have to purchase tokens, sync them, distribute them, replace them when lost/broken, etc., and the user doesn't have to carry an extra device with them.
