Invitation to Cybersecurity

INVITATION TO CYBERSECURITY 198

rity versus cost trade-off. This is one reason why smartphones are good candidates for “something you have” tokens. Many people carry their phones with them at all times, even around their house, guard them closely, and do not think of them as an extra burden they have to track.

Figure 8.3 A physical authentication token that displays a series of random numbers.

“Something you have” tokens are much more susceptible to compromise than “something you know” and “something you are” tokens because they are physical devices that can be misplaced, “borrowed,” or stolen. Therefore, they should always be used in conjunction with other forms of authentication. This is called multi-factor authentication and is explained in the next subsection.

8.1.4 Multi-factor Authentication

Multi-factor authentication (MFA) is authentication based on tokens from two or more different categories. For example, inserting a debit card into an ATM and typing in a PIN to withdraw cash is MFA because it uses a “something you have” token (the debit card) and a “something you know” token (the PIN). Two-factor authentication is when exactly two authentication tokens are used. Most MFA is two-factor, but in some circumstances more than two factors are used.

MFA must draw from different categories in order to qualify as multi-factor. An authentication mechanism that forces users to enter a password, a PIN, and answer a secret question is not MFA because all three of those tokens are from the “something you know” category.

MFA is a well-established best practice in cybersecurity. It comes at a relatively low cost and provides substantial security benefits. Hackers may be able to compromise a token in one category, but it is much more difficult to compromise multiple categories of tokens. For example, conducting a keylogging attack on a public computer to compromise passwords is effective and relatively simple to perform. However, the compromised passwords are useless if users are also authenticated with a smartphone app. Similarly, a security key may be lost or stolen, but it cannot be used to log in without the user’s fingerprint.
