How to quickly enable Multi-Factor Authentication with the SPGateway

One of the best ways to strengthen the security of your systems is to implement Multi-Factor Authentication (MFA), but what does that mean? Essentially, MFA is a methodology that requires more than one independent layer of authentication before a user is considered identified, so that compromising a single factor (such as a password) is not enough to gain access.

Typically, this is accomplished by using a username & password, while also requiring a one-time password during the initial login process. This one-time password is sent to a user either through email, an SMS text message, or generated by an application on their mobile device.

Other implementation methods include certificate authentication (popular in the U.S. Federal government with its CAC cards), biometrics such as fingerprint, voice, iris or facial scans, and behavioral factors such as typing phrases or drawing symbols.
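To make the "one-time password generated by an application on their mobile device" concrete, here is an added example (not code from the original post or from any product it mentions) implementing the time-based one-time password scheme of RFC 6238 on top of the HMAC-based scheme of RFC 4226, which is what authenticator apps typically use. The shared secret below is the well-known RFC test secret, and the `window` and replay-tracking behaviour are this example's own design choices for the verifying side.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the ASCII string "12345678901234567890" from the
# RFC 4226 / RFC 6238 test vectors, base32-encoded as an authenticator app
# would store it when scanning an enrolment QR code.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to `digits` decimals."""
    key = base64.b32decode(secret_b32.upper())
    msg = struct.pack(">Q", counter)          # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret_b32, t // step, digits)


class TotpVerifier:
    """Server side of the exchange: checks a submitted code against the
    shared secret, tolerates a small amount of clock skew, and refuses to
    accept the same time step twice (a replayed code is rejected)."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1, digits: int = 6):
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window            # accept +/- this many steps of skew
        self.digits = digits
        self.last_accepted_counter = -1  # highest counter already consumed

    def verify(self, candidate: str, for_time=None) -> bool:
        t = int(time.time() if for_time is None else for_time)
        counter = t // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_accepted_counter:
                continue                # already used: treat as replay
            expected = hotp(self.secret_b32, c, self.digits)
            # constant-time comparison avoids leaking the expected code
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    print("current code:", totp(SECRET_B32))
    v = TotpVerifier(SECRET_B32)
    print("accepted:", v.verify(totp(SECRET_B32)))
```

Two details matter on the verifying side: the skew window should be kept small (one step either way is common), and a code that has already been accepted must never be accepted again within its validity window, otherwise an observed code can be reused.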

While the concept of MFA is not new, it’s still a budding practice gaining popularity in today’s modern IT landscape. It’s a response to what we’re seeing: an increase in insider-aided or internal credential exploitation leading to the vast exposure of private information. MFA is one of the leading controls preventing outright havoc and is being demanded by boardrooms for applications across the organization, from Finance to Marketing.

A Note on SMS Related MFA

When it comes to the second factor of authentication, unfortunately, SMS is too easily hijacked and spoofed.

One of the last projects I worked on as an Oracle Product Manager was designing the Oracle Mobile Authenticator application that enables easy practical use of MFA. Users either enter a one-time pin or accept a login request by tapping a prompt on their mobile device.

Okta also has a similar application. I only talk about Oracle Mobile Authenticator in detail because, while I remain objective between the companies, I’m still proud of that product, in particular because my team set a development record in taking it from concept to production.

That said, it’s likely that you’re more familiar with Google Mobile Authenticator which was the first consumer friendly product on the market. As far as I know, it’s also the most widely-adopted MFA application after SMS.

Meanwhile, hardware tokens have not gone away. Organizations that are higher-priority targets for hackers should be using a hardware token that users always carry with them. While inconvenient, they are very hard to compromise.

Your System Administrators, on the other hand, will want to investigate a product like YubiKey. One of the advantages noted by my friends running a large number of servers was that YubiKey has a feature that lets you automatically log in to systems using its one-time password function via SSH — a critical requirement when you need to update 100 servers quickly.

If you want to hear more about MFA, different approaches for implementation, how it works with Windows desktop apps, SaaS or with hybrid cloud deployments, give us a shout.