Multi-factor authentication (in general)
What is MFA?
MFA stands for multi-factor authentication. It is also known as two-factor authentication (2FA) or two-step verification.
Securing your online accounts and personal information matters more than ever. MFA strengthens account security by adding a layer of protection beyond the password alone. You probably already know the principle of MFA from systems you use today: it is standard in banking applications, and it can be enabled in most social networks (Facebook, LinkedIn, …), email services (Gmail, Seznam.cz), and many other services (GitHub, GitLab, Amazon, Dropbox, and many more).
Multi-factor authentication is a security process that requires users to provide two or more separate authentication factors before gaining access to an account, system, or application. These factors typically fall into one of three categories:
Something you know:
This is typically your password or a personal identification number (PIN).
Something you have:
This can be a physical device like a smartphone, security token, or smart card.
Something you are:
This involves biometric data such as your fingerprint, facial recognition, or voice recognition.
Why is MFA Important?
MFA guards against attacks that might succeed with only one authentication factor, such as password attacks or credential theft. In this way, it offers a higher level of security and safeguards against unauthorized access to accounts and sensitive information.
MFA also serves as a crucial defense against phishing attacks.
Phishing
Phishing is a type of cyber attack in which attackers attempt to deceive individuals into revealing sensitive information such as usernames, passwords, credit card numbers, or other personal details. The attacker usually sends out a fraudulent email with a link to a fake login page. Even if a user falls victim to a phishing attempt and unknowingly provides their username and password, MFA can prevent account misuse.
You can read more about phishing in the Phishing guide.
Simple Phishing
In simple phishing, the attacker creates a visually similar copy of a legitimate login page that saves or sends the entered information to the attacker. Even the address often looks the same as the real one. How is that possible? For example, the Latin letters "e" and "a" can be replaced by visually identical letters from the Cyrillic alphabet.
All forms of MFA protect against this kind of phishing. The phishing attacker can obtain the password, but cannot get into the system without authentication using the second factor. Therefore, account misuse is not possible in this case.
Advanced phishing
In advanced phishing, the attacker runs a "live" copy of the login page, which forwards the information entered by the user to the legitimate login page in real time.
This lets the attacker sit between the victim and the genuine login page, so the attacker can also eavesdrop on the verification code (TOTP) or a one-time password sent via text message. After the user enters their code into the fake page, a copy of the code is immediately entered into the real page. This gives the attacker access to the user's account.
Therefore, for maximum protection, we recommend choosing security key authentication (WebAuthn), which will not allow logging in on a fake page.
What are the methods of multi-factor authentication?
There are many methods of MFA, such as SMS verification, IP address verification, verification codes (TOTP) and so on. You may be wondering why so many methods exist at all. It is because they evolve over time, and some have proven less secure as attackers have found ways to break them. So it is important to consider which MFA methods you will use.
However, in the following paragraphs, we will specifically address the authentication methods employed by our authentication system. These methods are Verification Codes (TOTP) and Security Keys (WebAuthn).
Comparison of sign-in methods
| | Passwords | Verification codes (TOTP) | Security keys (WebAuthn) |
|---|---|---|---|
| Protection against misuse of stolen passwords | ✗ | ✔ | ✔ |
| Protection against guessing of passwords | ✗ | ✔ | ✔ |
| Protection against simple phishing | ✗ | ✔ | ✔ |
| Protection against advanced phishing | ✗ | ✗ | ✔ |
| Availability on all IT devices | ✔ | ✔ | ✗ |
| Availability in all apps | ✔ | ✔ | ✗ |
Verification codes (TOTP)
Verification codes represent “something you have”.
The Time-Based One-Time Password (TOTP) method, also known as the verification code method, is a form of multi-factor authentication that uses time-limited one-time codes to verify a user's identity. The code is computed from a shared secret and the current time, and each code is valid only for a limited period, typically 30 or 60 seconds.
The advantage of TOTP is that even if someone intercepts a code, it will not be valid in the future. This makes it more secure than a static password. TOTP is usually implemented in mobile applications, so-called authenticators, which generate the codes.
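As an added illustration (not code from this page or from ProxyIdP), the following Go program implements the TOTP computation described above (RFC 6238 on top of RFC 4226 HOTP) and a verifier with a one-step drift window, then shows that a code captured at one moment is rejected once its window has passed. The secret is the SHA-1 test-vector secret from RFC 6238; the 30-second step is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 HOTP value: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to 31 bits, then the last six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is RFC 6238: the counter is the number of step-second periods since the Unix
// epoch, so every code is bound to one time window.
func totp(secret []byte, unixTime, step int64) string {
	return hotp(secret, uint64(unixTime/step))
}

// verifyTOTP accepts a code for the current window or one window on either side
// (tolerating clock drift). A code captured earlier stops working once its window passes.
func verifyTOTP(secret []byte, code string, unixTime, step int64) bool {
	counter := unixTime / step
	for drift := int64(-1); drift <= 1; drift++ {
		expected := hotp(secret, uint64(counter+drift))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 SHA-1 test-vector secret
	code := totp(secret, 59, 30)
	fmt.Println("code at t=59:", code)                                   // 287082
	fmt.Println("accepted at t=70:", verifyTOTP(secret, code, 70, 30))   // true
	fmt.Println("accepted at t=300:", verifyTOTP(secret, code, 300, 30)) // false
}
```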
An authenticator is an app that you install on your phone. You can find a guide for choosing an app and setting it up here: Multi-factor authentication in ProxyIdP.
How the authentication procedure works:
Enter your login details as you are used to. (First factor)
You will then be prompted by the system to enter a one-time (TOTP) code.
Open the authentication app on your phone and enter the code. (Second factor)
And you are done.
Security keys (WebAuthn, passkeys)
Security keys represent “something you have” and optionally “something you are”.
This is the highly recommended method. It is more secure and also more user-friendly for everyday use. Security keys offer the highest level of security: they authenticate the device using so-called asymmetric cryptography, so no shared secret that could be intercepted is ever sent. A computer or a smartphone can be used as a security key if it supports this function.
The way this method works is that you register your device or a password manager as a security key, and then when you log in, depending on the type of device, you confirm the login by pressing a button, entering a PIN, or with biometric verification.
As mentioned, this method is device-specific, so you need to create a security key on every device you will use for MFA (unless some of your devices offer passkey synchronization).
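To show why security keys resist the advanced phishing described earlier while TOTP does not, here is an added, simplified model in Go of the WebAuthn assertion flow (not code from this page or from ProxyIdP). The browser writes the origin it is really connected to into the signed client data, and the service rejects any assertion whose origin is not its own, so a relayed challenge signed on a lookalike site is useless. Real WebAuthn also signs authenticator data (rpIdHash, counter) and uses random challenges; the origin "https://login.example.org", the lookalike origin and the challenge string are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Reduced WebAuthn clientDataJSON; the browser, not the page, fills in the real origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// sign models the authenticator: SHA-256(clientDataJSON) signed with the private key, which never leaves the device.
func sign(key *ecdsa.PrivateKey, cd clientData) (raw, sig []byte) {
	raw, _ = json.Marshal(cd)
	digest := sha256.Sum256(raw)
	sig, _ = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return raw, sig
}

// verifyAssertion models the service: valid signature under the registered public key AND the service's own origin.
func verifyAssertion(pub *ecdsa.PublicKey, origin, challenge string, raw, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(raw, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	digest := sha256.Sum256(raw)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// phishingResisted runs a genuine login and a proxied one (real challenge relayed, browser on a fake origin).
func phishingResisted() (genuineOK, proxiedOK bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registered at setup
	const rp = "https://login.example.org"                    // assumed service origin
	const challenge = "constructed-random-challenge"          // constructed; real ones are random bytes
	raw, sig := sign(key, clientData{"webauthn.get", challenge, rp})
	genuineOK = verifyAssertion(&key.PublicKey, rp, challenge, raw, sig)
	raw, sig = sign(key, clientData{"webauthn.get", challenge, "https://login.example-org.test"})
	proxiedOK = verifyAssertion(&key.PublicKey, rp, challenge, raw, sig)
	return genuineOK, proxiedOK
}

func main() { fmt.Println(phishingResisted()) } // true false
```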
How the authentication procedure works:
Enter your login details as you are used to. (First factor)
You will then be prompted by the system to enter your biometric information, a PIN, a password, or sometimes just to press a button. (Second factor)
The system will verify your details.
And you are done.
What if I lose or forget the device I use to log in?
You may forget or lose the device you use to authenticate yourself. In this case, you can use so-called backup codes. These are a set of text codes that you can enter on the login page instead of a TOTP code or WebAuthn authentication in such situations. It is a good idea to print these codes and store them securely so that they cannot be misused.
Glossary
| Term | Meaning |
|---|---|
| Multi-factor authentication | Identity verification using two or more authentication factors (e.g. something I know + something I have). |
| Security key | Usually a physical or a virtual device used for identity verification based on a secret key. |
| Verification codes | One-time codes with limited time validity, generated by an authentication app, e.g. Aegis. |
| Recovery codes | One-time codes which can be generated during initial setup and saved or printed. They can be used to authenticate in case of losing all other authentication devices. |
| Tokens | Means of authentication other than a password or a PIN, including security keys, verification codes and recovery codes. |
What next?
Read the more detailed documentation in child pages:
Support: perun@cesnet.cz