Developers’ Guide to Multi-Factor Authentication

    Multi-Factor Authentication

    In this digital world, the importance of Multi-Factor Authentication (MFA) for securing online accounts is increasing rapidly.

    Users are encouraged to activate MFA on accounts having sensitive data.

    Developers should understand how to integrate MFA into applications and initiate the process.

    This ‘Cybersecurity Month 2023’ special article explores MFA’s significance and how it works.

    What is Multi-Factor Authentication (MFA)

    AWS defines MFA as:

    Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint. A second form of authentication can help prevent unauthorized account access if a system password has been compromised.

    According to Statista’s Global MFA market size 2016-2027 report

    When a user authenticates, they must offer proof of identity through one of four broad categories:

    • What they know, a password, for example.
    • What they have, such as a device.
    • What they are, like a fingerprint.
    • Where they are, possibly determined by GPS.

    Each of these identity-proof methods is called a ‘factor.’ Factors must remain secure, not shared. This ensures correct account association with the authenticating user.

    MFA involves using two or more factors to verify a user, extending beyond the constraints of two-factor authentication (2FA). In MFA, proof factors may be required, whereas 2FA mandates two.

    It is worth noting that MFA applies not only to online user accounts. For example, accessing a bank’s locker demands a key (something you have) and a signature (something you are). This article, however, primarily focuses on online MFA.

    Most user accounts involve a password as one of the factors. Many development teams are recognizing the issue of user account hijacking. Hence, they are permitting or mandating additional authentication factors.

    Microsoft states in their article that

    MFA can block over 99.9% of account compromise attacks

    Difference Between MFA and 2FA

    These terms are often used conversely, obscuring crucial distinctions between them.

    MFA is supported by systems that enable multiple methods or factors of authentication. This includes the proof categories mentioned.

    On the other hand, two-factor authentication (2FA) occurs when a user uses two authentication factors, typically during login but sometimes at other points.

    MFA outlines a system’s capabilities, while 2FA specifies the number of factors required for authentication.

    Why Implement MFA?

    Creating a secure, accessible system requires ensuring that only valid human or software entities can access it.

    If users rely solely on one factor, mainly a password, it can be stolen. This leaves developers with limited means to prevent illegal access.

    Detecting suspicious behavior to distinguish valid users from invalid can be challenging. Failure to identify this can lead to giving access to invalid users.

    Passwords are often stolen. However, systems and users can adopt practices to detect unauthorized access by identifying stolen passwords. This requires an additional factor to strengthen the walls.

    Balancing User Experience (UX) and Security Risk

    While Multi-factor authentication (MFA) offers improved security, it is only suitable for some scenarios. Striking the right balance, as with many aspects of software engineering, is essential.

    Developers aim to streamline the user login process while reducing the risk of account compromise.

    UX extends beyond the ease of using a factor; it includes the widespread adoption of a solution.

    Listening to users is vital when evaluating factors. It is important to prevent them from

    It is important to prevent them from avoiding MFA in ways that risk security. At the same time, user education is necessary. Some people still write down passwords on sticky notes.

    When to Mandate MFA?

    In many scenarios, a higher level of certainty about the person behind the credentials is necessary. Factors such as the type of user account and the requested access may be crucial:

    • Administrative Accounts

    Privileged accounts with extensive access privileges must use MFA. Administrators or operators can cause major disruption if their accounts are misused or compromised. Therefore, MFA should be mandatory for all such accounts.

    • High-Value Accounts

    Many high-value user accounts can benefit from MFA to avoid unwanted breaches. These accounts may not have elevated privileges but allow access to critical data or actions with real-world consequences. Breaches of these accounts can lead to adverse outcomes.

    • Risky Actions

    MFA provides extra security when an already authenticated user performs high-risk actions. This is often termed ‘step-up authentication.’ It requires an additional factor for more privileged actions. For example:

    • Changing a password or username
    • Altering settings that affect other factors, such as email or phone numbers
    • Creating a new user with elevated privileges
    • Modifying system settings

    Relaxing Multi-Factor Authentication (MFA) Requirements

    MFA improves security by ensuring correct user authentication. However, there are instances when temporarily disabling MFA may be desirable.

    • MFA Deactivation for Known Devices

    MFA relaxation often involves a “trust this device” or “this is not a public computer” option. The authentication system identifies devices that can be trusted.

    For web browsers, they can adjust this by setting a cookie. MFA is reactivated when the cookie expires, goes missing, or is removed. Other devices have similar local storage methods for preserving preferences.

    • Turning Off MFA for a User

    Occasionally, it may be necessary to relax MFA requirements for a specific user account. This is a high-risk operation since disabling MFA opens the account to potential hacking by someone with just one authentication factor.

    This should be allowed only when a user has lost or forgotten a required factor. Typically, a sidestep authentication process is provided before logging in.

    The users should be provided with a One Time Password (OTP). The system generates these codes when MFA is activated, and users keep them confidential. They need to enter the code when they want to turn off MFA.

    Also Read: Why Developers Should Care About User Interface (UI) and User Experience (UX)

    Wrap Up

    Developers need to integrate MFA into their web applications. This secures the user’s accounts and makes the website a secure browsing place.