Last updated on March 26th, 2024
Last week, we described the most common types of authentication methods. Hopefully, our quick rundown of how every authentication method works gave you general know-how regarding the most common ways to verify user identities. This time we will talk about the security of every MFA method.
MFA security is an important topic for every organization that wants to implement MFA. Administrators must be able to tell which authentication method is best for their use case, and security is one of the important factors in choosing the right authentication method, especially in adaptive authentication systems that allow you to have a different set of authentication methods for every application.
In this article, we first enumerate the pros and cons of each authentication method and then deep-dive into details.
Authentication Methods Table
The pros and cons below summarize the sections that follow.

| Method | Security | Pros | Cons |
|---|---|---|---|
| Push Notification | High | Secure, convenient, fast, and user-friendly | Requires a smartphone, a mobile app, and Internet access; phone can be lost or stolen; user may approve a fraudulent request by mistake |
| U2F/WebAuthn Security Keys | Very High | Most secure method; best defense against man-in-the-middle attacks; can combine the Possession and Inherence Factors | Expensive to deploy and maintain; extra hardware to carry; key can be lost or stolen |
| Email Link | Low | No additional hardware or software | Not true MFA when paired with a password; email accounts are easily compromised; vulnerable to man-in-the-middle attacks |
| Hardware OTP Tokens | Medium | Works offline | Expensive to deploy and maintain; extra hardware to carry; a stolen token can be used by an attacker |
| Software OTP Tokens | Medium | Free; works offline; no separate token to carry | Requires a smartphone and a mobile app; phone can be lost or stolen |
| SMS Passcode | Medium | Familiar to most users; works on any phone with text messaging; no extra hardware or software | Costly per message; vulnerable to SIM swapping, SIM hacking, and SS7 attacks; phone or SIM card can be lost or stolen |
| QR Code | Medium | Familiar to tech-savvy users | Requires a smartphone, a mobile app, and Internet access; phone can be lost or stolen |
| Biometrics (Fingerprint and Face Recognition) | High | Secure and powerful, especially in tandem with another method | Cannot be changed once compromised; can be spoofed with a latent fingerprint or a high-definition photo |
| Password | Very Low | None listed | Vulnerable to brute-force, dictionary, rainbow table, phishing, keylogging, and leak-based attacks; must never be used alone |
Push Notification
Push Notification is a secure, convenient, and fast authentication method. Push Notifications are a perfect choice if you are looking for a user-friendly authentication method but do not want to sacrifice MFA security.
Still, Push Notification comes with some drawbacks.
- User must have a smartphone. While most people use smartphones daily, many individuals are reluctant to use their personal phones for work. Moreover, modern smartphones need to be recharged daily. If a phone’s battery dies, you cannot use this phone to authenticate using Push Notification.
- User must install a mobile app (e.g., Rublon Authenticator). Thankfully, mobile apps are easy to install and do not take much memory space.
- User must ensure their mobile device has Internet access. If there is no internet connection, the Push Notification authentication method will not work.
- User may lose their phone. Or somebody may steal their phone. Modern security systems come with a way to deactivate the mobile app on a phone that was reported as lost or stolen. Always have at least two authentication methods active so that an incident like this does not immobilize a user.
- User may accept a fraudulent login attempt by mistake. The blessing of a single-tap authentication request approval can also be a curse. A user may tap Approve on an illegitimate authentication request for many reasons: habit, mistap, fatigue, or a moment of inattention.
U2F/WebAuthn Security Key
Experts believe that U2F/WebAuthn security keys are the most secure method of authentication. Security keys that support biometrics combine the Possession Factor (what you have) with the Inherence Factor (who you are) to create a very secure method of verifying user identities.
U2F/WebAuthn security keys are the best method of defense against man-in-the-middle attacks. Security key authentication takes place locally: the security key communicates with the user’s browser, so an attacker who intercepts the login exchange cannot reuse it to log in instead of the user.
While impeccable as far as MFA security goes, security keys come with some disadvantages:
- Expensive to deploy and maintain. Every user who wants to use this method of authentication needs their own security key. While a single security key is not very expensive, the more users you have, the more you have to pay.
- User has to carry an extra piece of hardware. Security keys are small, but some users may still not want to always carry their keys with them.
- User may lose their security key. Or somebody may steal their key. A malicious actor cannot use the security key if they do not have the fingerprint. But the user who lost the key will not be able to sign in, and the organization will have to buy a new key for them.
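The phishing and man-in-the-middle resistance described above comes from checks the website (the relying party) performs on every WebAuthn assertion: the browser embeds the page origin and the server's one-time challenge in the signed client data, and the key embeds a hash of the relying party ID, a user-presence/user-verification flag byte, and a signature counter in the authenticator data. The following is an added example written for this article, not code from Rublon or from any WebAuthn library. It assumes a relying party ID of `example.com`, an origin of `https://example.com`, and constructed inputs; verification of the ECDSA signature against the stored credential public key is a separate step that this example does not perform.

```python
import base64
import hashlib
import json
import struct

# Assumed relying party identity for this example.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

# authenticatorData flag bits (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or on-key biometric (the Inherence Factor)


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int,
                    require_uv: bool = True) -> tuple:
    """Relying-party checks that bind an assertion to this site and this login attempt.

    Returns (accepted, reason). Signature verification with the credential's
    public key is assumed to follow and is not shown here.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge ties the response to this login attempt, so a captured
    # response cannot be replayed later.
    if client.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replayed or foreign response)"
    # The browser, not the key, fills in the origin; a phishing page on another
    # origin produces a response the real site rejects.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % client.get("origin")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad["flags"] & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not ad["flags"] & FLAG_UV:
        return False, "user verification (PIN/biometric) not asserted"
    # A counter that fails to increase suggests a cloned authenticator.
    if ad["sign_count"] != 0 and ad["sign_count"] <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, as a browser would serialize it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData, as a key would emit it."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; real challenges are random
    genuine = check_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                              make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 10),
                              challenge, stored_sign_count=9)
    phished = check_assertion(make_client_data("https://example.com.login-help.test", challenge),
                              make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 10),
                              challenge, stored_sign_count=9)
    print("genuine:", genuine)
    print("phished:", phished)
```

The origin check is what makes a security key "local" in the sense the article describes: even if a user is lured to a look-alike site, the browser reports that site's origin, and the assertion is useless against the real one. The `require_uv` flag is how a relying party insists on the biometric or PIN step, turning a possession-only key into the possession-plus-inherence combination the article recommends.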
Email Link
Email Link’s biggest advantage is that it does not require any additional hardware or software. However, Email Links come with many issues:
- Not really MFA. If you use a password in the first step of your authentication process and then use an Email Link in the second step, you use the Knowledge Factor twice. As a result, you are not using Two-Factor Authentication (2FA) but Two-Step Authentication (2SA). This difference is important and may be the deciding factor in whether you comply with security regulations such as NYDFS, NAIC, PCI DSS, or HIPAA.
- A hacker may easily compromise an email account. If the user uses the same password everywhere, then accessing their email account is a piece of cake.
- Vulnerable to man-in-the-middle (MITM) attacks. It is better to use Push Notifications or U2F/WebAuthn Security Key that are resilient against such attacks.
Hardware OTP Token
Hardware OTP Tokens used to be a popular choice, but today most people prefer to use a mobile app instead. Hardware OTP Tokens work offline, but come with some issues:
- Expensive to deploy and maintain. Every user who wants to use this method needs their own hardware token. OTP tokens are cheaper but also less secure than U2F/WebAuthn security keys.
- User has to carry an extra piece of hardware. Hardware OTP Tokens are small, but some users may prefer using a mobile app because a phone is something they carry with themselves anyway.
- User may lose their OTP token. Or somebody may steal their token. A malicious actor may then use the token to get unauthorized access. The user who lost the token will not be able to access their data, and the organization will have to buy a new token for them.
Software OTP Token
Software OTP Tokens are free and work offline just like Hardware OTP Tokens. Users do not have to carry a separate token and authenticate using their smartphones.
No method is perfect, and here are some downsides of Software OTP Tokens:
- User must have a smartphone. This requirement might be an issue if your user is reluctant to use their personal phone for work or does not have a smartphone. You can buy them a work phone, but that generates additional costs.
- User must install a mobile app (e.g., Rublon Authenticator). Apart from having a smartphone, a user has to install an additional mobile app. Still, this should take less than a minute and greatly improve MFA security.
- User may lose their phone. Or somebody may steal their phone.
SMS Passcode
SMS Passcode is an authentication method that most users recognize. Banks use this form of authentication. SMS Passcode works on any phone that supports text messaging and does not require any additional hardware or software. So far, so good, but here come the disadvantages of SMS Passcode:
- Costly. Sending an SMS message costs money. If you have many users who only use the SMS Passcode for authentication, then you will have to prepare yourself for additional costs.
- Vulnerable to attacks. SIM swapping, SIM hacking, and SS7 attacks are only some of the possibilities of how the seemingly secure SMS Passcode method can be broken.
- User may lose their phone or SIM card. Theft and damage are possibilities, too. A malicious actor may use a stolen SIM card or a stolen phone.
QR Code
QR Codes may not be as familiar as SMS Passcodes, but tech-savvy users will know how they work. Still, the QR Code authentication method has some cons:
- User must have a smartphone. The QR Code authentication method requires a mobile app so it will not work on an old phone.
- User must install a mobile app (e.g., Rublon Authenticator). User needs an app that allows scanning and then verifying the QR code.
- User must ensure their mobile device has Internet access. If there is no internet connection, the QR Code authentication method will not work.
- User may lose their phone. Or somebody may steal their phone. Admittedly, it is much harder to steal a phone than a password, but it is still possible.
Biometrics (Fingerprint and Face ID)
Biometrics are often used as the third authentication method next to the password and a second method such as Rublon’s Mobile Push. For example, Rublon allows you to enable a fingerprint lock on your Rublon Authenticator mobile app. Biometrics are secure and powerful but work best in tandem with another authentication method such as Push Notification.
A general drawback of biometrics is that:
- You cannot change your fingerprint or your face. Once they are compromised, they are compromised for life. Attackers have developed ways of defeating biometric methods, including but not limited to using a latent fingerprint or a high-definition picture of a face.
Password
Even passwords of considerable complexity and length are relatively easy to compromise.
Passwords are vulnerable to brute-force attacks, dictionary attacks, rainbow table attacks, spoofing, man-in-the-middle attacks, phishing, keylogging attacks, data leaks, and more.
Cracking a long and complicated password is still much easier than compromising any other authentication method.
Never use passwords on their own. Always enable at least one other authentication method.
Education Is Key
It is important to note that, ultimately, every authentication method is vulnerable to social engineering attacks. An attacker may gain enough trust to convince your user to reveal their secret. Alternatively, the attacker may make the user follow specific steps that end in the malicious actor gaining unauthorized access.
Train and educate your users about MFA security. A user who knows more about MFA security is less likely to become a victim of a social engineering attack such as phishing.
The best authentication methods make social engineering attacks much harder to conduct. But which authentication method gives you the best MFA security?
Which Authentication Method Is Most Secure?
If security is your number one priority, use the U2F/WebAuthn Security Key. A combination of the Possession Factor (what you have: the hardware token) and the Inherence Factor (who you are: the fingerprint) gives your users the highest level of MFA security out of all authentication methods. To break into an account secured with a U2F/WebAuthn security key, a malicious actor has to not only steal the physical key but also forge the fingerprint. Security keys are extremely hard to tamper with and their only real disadvantage is their price.
If you want a perfect balance of security and user convenience, use Push Notification. Rublon Authenticator is free and allows you to use the Mobile Push authentication method in tandem with a fingerprint lock, which results in a strong combination of both the Possession Factor and Inherence Factor. In addition to that, Mobile Push is just one notification you either approve or deny – no user training required. If paying for security keys is a deal-breaker for you, use Rublon’s Mobile Push and enable Fingerprinting in Rublon Authenticator to achieve a similar level of security.
Trust Rublon
We have years of experience in delivering top security solutions to organizations across multiple industries. We love to educate about MFA security. Today, we can improve your organization’s security posture and help you mitigate security risks. If you are unsure which authentication method will suit you best, contact Rublon Support. We will help.