So far, I’ve realized the following:
- I have way too many identities
- Password complexity rules are implemented incorrectly
- Multi-factor authentication will provide additional authentication security
So let’s look at one of the most basic forms of MFA. Unfortunately, I’ve seen this take on many names:
- Two-Step Verification
- Two-Step Authentication
- One-Time Password
After providing your username and password for certain Web/SaaS-based apps, you are given a screen like the following:
Once you enter this verification code, you are successfully authenticated. From the user’s perspective, this is a pretty easy way to implement MFA. However, this is NOT multi-factor authentication.
With 2-step verification, the verification code can either be sent to your phone as an SMS message or to your email.
Let’s think about our authentication factors for an app utilizing 2-step verification.
- Password: Something you know
- 2-Step Verification (select one):
  - SMS: Something you have
  - Email: Something you know
If the user selects email to receive the verification code, the only factor in play is “something you know”: the app password and the email password are both knowledge factors. “Something you know” is the same factor used for our initial password, and, as we know, many users reuse passwords across sites, so an attacker who has the app password may well have the email password too and can read the code out of the inbox.
Although 2-step verification appears to provide multi-factor authentication, it is really only providing two steps in our authentication process.
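The flow described above, written out as an added example (this is not code from the original post, and the channel names, 6-digit code length, 5-minute lifetime and attempt limit are assumptions for illustration). It issues a one-time code over a chosen channel after the password step, checks it with expiry, single use and an attempt cap, and separately tallies how many distinct factors the password-plus-channel combination actually yields:

```python
"""Two-step verification flow (constructed example, not code from the post).

After the password step, a short-lived one-time code is sent over a chosen
channel (SMS or email) and must be entered before the session counts as
authenticated. The channel names, 6-digit code, 5-minute lifetime and
attempt limit below are assumptions for the example, not values from the post.
"""
import hashlib
import hmac
import secrets
import time

# Factor each channel contributes, following the post's argument: an SMS code
# proves possession of a phone, an email code only proves knowledge of the
# email account's password.
CHANNEL_FACTOR = {
    "sms": "something you have",
    "email": "something you know",
}
PASSWORD_FACTOR = "something you know"

CODE_LIFETIME_SECONDS = 300  # assumed code lifetime
MAX_ATTEMPTS = 5             # assumed cap on wrong guesses per issued code


def distinct_factors(channel: str) -> set:
    """Set of distinct factors for 'password + code over channel'."""
    return {PASSWORD_FACTOR, CHANNEL_FACTOR[channel]}


class TwoStepVerifier:
    """Issues and checks one-time codes; delivery is a caller-supplied callback."""

    def __init__(self, send, clock=time.time):
        self._send = send      # callable(channel, destination, code) - SMS/email gateway stand-in
        self._clock = clock    # injectable clock so expiry can be tested deterministically
        self._pending = {}     # user -> [code_hash, expires_at, attempts]

    def issue(self, user: str, channel: str, destination: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"         # assumed 6-digit code
        code_hash = hashlib.sha256(code.encode()).hexdigest()
        # Only the hash is kept server-side; the plaintext goes out once via the channel.
        self._pending[user] = [code_hash, self._clock() + CODE_LIFETIME_SECONDS, 0]
        self._send(channel, destination, code)

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                                 # nothing issued, or already used
        code_hash, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]                      # expired or too many wrong guesses
            return False
        entry[2] += 1
        submitted_hash = hashlib.sha256(submitted.encode()).hexdigest()
        ok = hmac.compare_digest(code_hash, submitted_hash)  # constant-time comparison
        if ok:
            del self._pending[user]                      # single use: a replayed code fails
        return ok


def demo_flow(channel: str = "email") -> dict:
    """Password step -> code issuance -> code entry, with the code captured in an outbox."""
    outbox = []
    verifier = TwoStepVerifier(send=lambda ch, dest, code: outbox.append((ch, dest, code)))
    destination = "alice@example.com" if channel == "email" else "+15555550100"  # constructed
    verifier.issue("alice", channel, destination)
    _, _, delivered = outbox[-1]
    first = verifier.verify("alice", delivered)
    replay = verifier.verify("alice", delivered)         # same code a second time must fail
    return {"first": first, "replay": replay, "factors": distinct_factors(channel)}


if __name__ == "__main__":
    for ch in ("sms", "email"):
        result = demo_flow(ch)
        print(ch, result["first"], result["replay"], sorted(result["factors"]))
```

The point the tally makes is the post's: the issuance and checking logic is identical for both channels, but `distinct_factors("email")` collapses to a single knowledge factor, whereas `distinct_factors("sms")` gives two. The replay and expiry handling are what a server-side implementation needs regardless of channel.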