Enterprises authenticate users based on their knowledge, possession, or inherence of some evidence that they are the party with the given right of access. Some experts see the context of the user’s authentication, such as the time, their network IP and device, and their location, as the fourth factor of authentication.

Stephen Cobb, senior security researcher at ESET, says you can assure greater security with each additional factor of authentication that you add.

MFA is more important than ever as attackers are increasingly breaking into accounts that use single-factor authentication and sometimes even those with two factors. In one example, attackers tried to get the second factor by using phishing texts that asked users to send over their tokens.

CSO looks at some of the latest MFA technologies and methods, the benefits and challenges, and how these help keep attackers out.

MFA technologies use factors such as something you know, something you have, something you are, and your context. Factors that you must know include user names, passwords, passphrases, PINs, and confidence images (an image you preselect that confirms to you that the site is genuine). Authentication factors that you must have include tokens and one-time passwords (a system sends you a code that you must type in, in addition to your password), and encryption keys. Factors that you are include biometrics and behavior-based authentication. Contextual factors include your verifiable location, the time when you authenticate, and the device or IP address you are using.

Some of these authentication methods have seen significant improvements. Advances in Public Key Infrastructure (PKI) encryption include virtual smart cards that use trusted platform modules (TPM). Virtual smart cards safeguard encryption keys while limiting their use to the device that has the TPM.
“Virtual smart cards are available on almost all devices,” says Joakim Thoren, CEO of Versasec.

Context-based authentication adds a user’s whereabouts (with the time and the IP address or device they are using) as a consideration when determining whether to make authentication easier or more difficult. The enterprise can use technologies such as smartphones, Bluetooth policy beacons, and GPS to perform this kind of authentication.

“Access from a cell phone from inside the HQ would allow a more lax authentication, while access from an internet cafe in China would trigger additional security measures to log on,” says Thoren. The enterprise can also take into consideration times when the user has never connected before and devices or IP addresses they have never used before.

There are new ways to use old biometrics that increase security. “Putting the biometric template on a secure device such as a smart card is the way to go. If you put a fingerprint on a server and an attacker hacks into it, there is simply no way to issue a new fingerprint, rendering it obsolete,” says Thoren.

“Behavioral biometrics identify a user’s behavior, such as how they type on a keyboard. Behavior-based authentication is a relatively new MFA method, and continuous authentication by continuously monitoring behaviors can be a very efficient way to detect intrusion,” says Thoren.

In a slight improvement in the use of OTPs, vendors are transmitting tokens securely via voice calls, emails, and SMS messages. Some apps generate tokens, as well.

More benefits/challenges

There are benefits and challenges to organizations and users with each new type of authentication. The advantages of the relatively new TPM-based PKI application (virtual smart cards) include increased security over file-based tokens, which you must further secure using passwords and encryption.

Biometrics have their pros and cons.
If you use biometrics to replace passwords, you don’t have to count on a user’s memory. However, a biometric method can fail if it cannot properly read or accurately confirm a fingerprint, where a password that you correctly enter will succeed. If the technology isn’t recognizing the fingerprint, then the user must authenticate by some other means. “The user needs a backup, like a security code, which means you still have to have procedures for PINs/passwords,” says Thoren. Using voice recognition biometrics combined with facial recognition makes it easier to identify the user than fingerprint scanning does, eliminating the challenges that come with fingerprints.

According to Cobb, there are other issues with biometrics, such as people with damaged fingerprints, a hand that is in a cast, or objections to biometric measurement based on religious grounds. “There are also tradeoffs with biometrics such as false positives and speed,” says Cobb. In any of these cases, an enterprise may have to void biometric authentication temporarily and use another method.

Every authentication process that depends on what the user remembers or carries can increase access failures or add security risks. With context-based authentication, if an attacker has possession of the user’s device, they could control this factor of authentication, aiding their attack. The same goes for sending tokens via voice calls, emails, or texts; if someone has already compromised the device or account, then they have also compromised this form of authentication.

The user may also find it an invasion of privacy to be asked for their fingerprint or facial map for biometrics.
“When users use their personal devices for work, the enterprise may ask them for partial or full administrative access or ownership of the hardware, which can make many employees uncomfortable,” says Thoren.

In the enterprise, the challenges to MFA include convincing people that most systems need MFA and getting more than one factor of authentication on those systems, says Cobb. “A strong impetus to meet these challenges is the current explosion in black market sales of verified account credentials now that attackers have streamlined the processes for bringing these to market in easily exploitable form,” says Cobb.

Another huge driver for increased use of MFA, especially where employees are accessing any enterprise data over the internet, is the kinds of ransomware attacks that are becoming more common. “Attackers are targeting corporate servers using ransomware that they implant through Remote Desktop Protocols (RDP). They are using brute force attacks to defeat password protection on RDP, then turning off malware protection on the server, encrypting important corporate files, and demanding significant sums of money for the keys. MFA can defeat these attacks,” says Cobb.

What does MFA mean for attackers?

MFA prevents users from sharing passwords; password sharing previously created a lot of risk for the enterprise. MFA could prevent many of the high-profile attacks perpetrated by insiders and third-party vendors. “Two-factor authentication adds another level of security against insider threats. Target could have avoided its breach by implementing MFA,” says Thoren.

MFA accomplishes what it is intended to do. The goal for MFA systems is to protect credentials against theft. It is very hard to steal additional factors of authentication.
The right selection of other authentication measures can make logging in less burdensome for users, who can then get more done.

“Adding in things like contextually-aware authentication and behavioral biometrics benefits your organization because it’s working in the backend. Your user experience doesn’t change at all, but you have increased your network’s security posture,” says Vid Sista, technology practice director at Accudata Systems.

Using three factors of authentication can remove the rewards of phishing and thwart brute-force password guessing and data compromise. “By adding more log in factors, you render stolen account information ineffective,” says Sista.

MFA as an end to phishing

“MFA protects people who have an understanding of IT security as well as users who click on links in unknown emails and give out account information to phishing schemes,” says Sista. Unless attackers figure out how to phish out your entire online context and all your behaviors on the system that uniquely identify you, this kind of MFA should put a stop to phishing.
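
The context-based authentication described earlier (lax on a known phone inside HQ, stricter from an unfamiliar network, device, place or time) can be expressed as a step-up rule. This is an added example, not code from the article or from any vendor it quotes; the network range, working hours, signal names and factor thresholds are all assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed policy data (assumptions for illustration only).
CORPORATE_NETS = [ip_network("10.20.0.0/16")]   # hypothetical HQ range
USUAL_HOURS = (time(7, 0), time(19, 0))         # hypothetical working hours

@dataclass
class UserProfile:
    known_devices: set   # device IDs this user has logged in from before
    known_ips: set       # source IPs seen before for this user
    home_country: str

@dataclass
class LoginContext:
    device_id: str
    source_ip: str
    country: str
    local_time: time

def risk_signals(profile, ctx):
    """List the ways this login deviates from the user's usual context."""
    signals = []
    ip = ip_address(ctx.source_ip)
    on_corp_net = any(ip in net for net in CORPORATE_NETS)
    if ctx.device_id not in profile.known_devices:
        signals.append("new_device")
    if not on_corp_net and ctx.source_ip not in profile.known_ips:
        signals.append("new_ip")
    if ctx.country != profile.home_country:
        signals.append("unusual_location")
    if not (USUAL_HOURS[0] <= ctx.local_time <= USUAL_HOURS[1]):
        signals.append("unusual_time")
    return signals

def required_factors(profile, ctx):
    """Context only adds factors; it never removes the password.

    A stolen device carries its 'known' context with it, so context
    lowers friction but is not treated as proof of identity.
    """
    signals = risk_signals(profile, ctx)
    factors = ["password"]
    if signals:                 # any deviation: require a one-time password
        factors.append("otp")
    if len(signals) >= 2:       # several deviations: add a third factor
        factors.append("biometric")
    return factors, signals
```

Each returned signal name is also worth logging, since a run of step-ups for one account is itself a detection signal.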