Multi-Step vs Multi Factor Authentication
Veridium Author | March 22, 2018
Around four years ago, Brown University rolled out a multi-step authentication program to increase its cybersecurity. Partnering with Duo Security, it required all Brown-affiliated users logging into any Brown-related site to input a secure password and then verify their identity through a “push” (a phone call or text) on their phone. This, however, requires you to have an external device compatible with the push, and I had lost my phone.
The Brown community received multiple emails about the system going online soon, but as a stressed-out first-year does, I ignored it until I couldn’t anymore. I panicked and dashed to IT services when I was denied access to an essay due that night. I was issued a small device called a “token” with one button that produced an encrypted six-digit sequence whenever I needed to enter a site. At the time, I had never really used a token before and didn’t realize the difference between it and the phone-based authenticator.
What Is Multi-Step Authentication?
Authentication mechanisms can be classified into three categories. To verify your identity, you often produce one of: “something you have,” “something you are,” or “something you know.”
Something You Have:
Something You Are:
Something You Know:
- Personal Info
- Obscure Passwords
- Cell Phone Information
In a multi-step authentication process, a user must produce two or more forms of identification. For example, on the government student loan site, if you forget your password, you are asked three obscure security questions that you picked. Since all of these fall under “something you know,” this is a multi-step authentication system.
What Is Multi Factor Authentication?
Just as not all fruits are oranges but all oranges are fruit, not all multi-step authentication processes are two-factor authentication processes. When I received the token, my verification procedure became multi-step authentication AND multi-factor authentication. Brown requires a distinct, long password, and I had a verification device that mapped only to my user account. Since the password was “something I knew” and the token was “something I had,” it was a multi-factor setup.
You may be confused as to why cell phone authentication is listed under “something you know.” While a cell phone is certainly a physical item, there are many ways to gain access to a cellphone’s knowledge. Calls and texts may be rerouted and effectively stolen from the phone because of their digital nature. Encrypted digital passwords on tokens are stored within the token itself and cannot be intercepted unless the token is stolen.
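As an added example (not code from this post or from Veridium), the block below shows how a one-button token like the one described above produces its six-digit code (HOTP, RFC 4226), how a server verifies that code while rejecting replays and revoking a lost token, and a small `classify` helper that applies the article's distinction: multi-step means two or more checks, multi-factor means the checks span two or more of the know/have/are categories. The seed `DEMO_SEED` is the RFC 4226 test-vector value used as a constructed sample, not a real token secret.

```python
import hashlib
import hmac
import struct

# The article's three factor categories.
KNOW, HAVE, ARE = "know", "have", "are"

# Constructed sample: the RFC 4226 test-vector seed, not a real token secret.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the six-digit code a one-button token shows per press."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side of the 'something you have' factor for one enrolled token."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0               # next counter value the server expects
        self.look_ahead = look_ahead   # tolerate presses that never reached us
        self.revoked = False

    def revoke(self) -> None:
        """Called when the user reports the token lost; every code stops working."""
        self.revoked = True

    def verify(self, code: str) -> bool:
        if self.revoked:
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # moving past c rejects a replayed code
                return True
        return False


def classify(steps):
    """steps: list of (factor_category, passed) checks made during one login.
    Multi-step: two or more checks. Multi-factor: two or more distinct categories."""
    categories = {cat for cat, _ in steps}
    return {
        "authenticated": all(ok for _, ok in steps),
        "multi_step": len(steps) >= 2,
        "multi_factor": len(categories) >= 2,
    }
```

Three security questions classify as multi-step only, while a password plus a token code classifies as both multi-step and multi-factor.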
Which One Is Safer?
Intuitively, multi-factor authentication is safer than multi-step authentication. To gain access to any of your devices, an attacker must either access personal knowledge, possess a physical item, or mimic biometrics. Each authentication process requires arduous and specialized work to defeat. Using several of them and increasing the complexity of a verification system makes breaking the structure a time-consuming project for the attacker.
Within each authentication scheme, however, there are varying degrees of security. With the right security programs in place, biometric authentication services are more difficult to crack than a password that can be brute-forced.
Yes, receiving the token from Brown made my personal info more secure than that of most of Brown’s users, but I lost the token a month into using it. I quickly replaced my phone with a smartphone and disregarded the token. Because it was easy to lose, my data was suddenly compromised. In the end, without even realizing it, I made my information less secure. This is why a mobile-based multi-step authentication system that uses something you know, something you have, AND something you are is the best way to protect your data.