Protecting your IT system: Choosing a Right MFA Solution

After another leak of susceptible personal data from one of the big company’s systems, we at Jappware have been asked a good question by one of our customers: why are even the biggest and most reach companies vulnerable to data thefts despite their investing an enormous amount of money and effort on their IT systems security? I doubt anyone has the correct answer to this question. Still, I believe one of the reasons (probably not the most important, though) is that many software engineers mindlessly follow some security recommendations without a clear understanding of the topic.

Let’s look at one of the standard authentication techniques — Multi-factor authentication, or MFA for short — and consider what approach to MFA is secure enough in your particular case.

What actually MFA is

Briefly, MFA is a way to grant (or deny) a user access to a system based on a combination of multiple factors, like his uniqueness, i.e., who the user is (determined by login or username or email, etc.), his secret knowledge (password), his unique possession (a hardware device, access to some third party system or information, biometric data, etc.), or even his location.

In most common software systems, the MFA is implemented as a combination of a user’s identity, password, and some third factor. Let’s review the options available when deciding precisely the suitable third factor.

Random one-time password (OTP)

When you first think of the OTP, you might imagine the random numeric or alphanumeric code generated upon login attempt and sent to a user via some communication channel, such as email, SMS, GSM voice call, or even via instant messengers like WhatsUp, Viber or Facebook Messenger.

Despite the seeming simplicity, you will have to solve a few problems:

Make sure you use a secure random algorithm. Otherwise, an attacker could reconstruct the sequence and “guess” your OTP. Most pseudo-random algorithms use fairly simple math to produce statistically distributed “random” values, not the unpredictable random sequence.
You have to keep track of which OTP belongs to whom and make sure it cannot be reused.
To make it even stronger, you should make sure your OTP expires after a certain amount of time, even if it hasn’t been used.
You must take care to send the OTP via the communication channel of your choice. This is essentially an integration problem, and integration problems have always been a source of headache, e.g., every integration point is a potential point of failure, such as network issues (so the OTP could not be delivered) or security issues (the channel might be insecure, like SMS, or compromised).

Pros: You fully control all OTP generation and transfer aspects.

Cons: you have to manage all aspects of the OTP lifecycle; there is a risk of the communication channel being broken, insecure, or compromised.

Hardware security tokens

Another approach to generating temporary codes is a Time-based One-time Password or TOTP short. The idea is that there are two physically independent places where the code is generated — the server/application the user tries to log in to and some other independent device — a security token.

The tokens come in different flavors, such as keyrings with a small display showing the TOTP code, a USB drive plugged directly into the user’s computer, and the fact it’s plugged in means the user is authenticated, NFC tags, etc. A few examples are RSA SecureID®, Yubikey from Yubico, Titan from Google, and many others.

Let’s describe how the device with a small display works. It generates a security code using an algorithm based on a unique SID and current time. The server/application is aware of the SID the specific device is using, so it can generate the code using the same source information, too. Upon login, the user is requested to enter the code from their own device. If the entered code matches the code generated by the application internally, the user is authenticated.

Pros: no need to transport OTP to the user; standardized TOTP algorithm so you can use an existing library to generate TOTP in your application.

Cons: hardware token may be lost or stolen; in practice, users often leave the USB token plugged into the laptop while transporting, so the computer may be lost together with the token; there is a need to store the device-associated identifier, such as device ID or serial number or the SID, which may be a security concern.

Software Tokens or Virtual Devices

The idea behind the software tokens is similar to their hardware counterparts, except that the code is generated by an application on another device (e.g., mobile app) or in another program (e.g., browser plugin).

To initialize the virtual token, the application generates a hash code (often provided to the mobile app in the form of a QR code), which is then used on both sides as an SID for the code generation.

Plenty of mobile applications can act as TOTP generators, e.g., Google Authenticator (despite the name, it’s an open-source application not related to any Google service and doesn’t require a Google account), Authy, Microsoft Authenticator, etc. Some also support alternative and more sophisticated MFA approaches involving third-party servers in the verification process (e.g., Okta or Authy).

Pros: no need to transport OTP to the user; standardized TOTP algorithm, you can use an existing library to generate TOTP in your application; no need to take care of additional security token device.

Cons: the physical device, such as a mobile phone with the Software Token application, may be damaged, lost, stolen, or compromised.

Push notifications

Significant improvement in user experience offers a push notification approach — instead of re-typing the verification code from a token to the login screen, the user has to press an “Accept” button in the mobile application. It may seem to be less secure, but actually, it’s more. The trick is that push authentication implements end-to-end encrypted communications between the application and a secured authentication service.

A good overview of the Push Notifications approach is given in the Push Authentication: Bringing the Most Secure Method of 2FA Mainstream article by Authy.

Pros: the safest solution from the cryptographic point of view; better user experience compared to other approaches.

Cons: you must use a third-party service unless you have your own mobile application.

Bottomline

There is a good list of MFA methods to choose from. As usual, neither is ideal, but you can select the best one for your use case.

Intro to Passwordless Authentication

In today’s digital landscape, the reliance on traditional username-password combinations for authentication poses significant security risks. Users frequently grapple with managing multiple pass

Feb 16, 2024

Oleh Tokarenko

We recognized as a Clutch Global Leader for 2023

Ukraine, 15.11.2023 — Jappware, one of the leading custom software development companies, today announced its recognition as a 2023 Global Award winner for Dedicated Teams and Team Augmentation

Nov 15, 2023

Andriy Rymar

Technology relevant to InsurTech

Many broader technological developments and innovations underpin many InsurTech developments. Some of the technologies are interrelated, and a brief review of them helps establish a common understandi

Oct 31, 2023

Andriy Rymar

Jappware introduction by CEO Andriy Rymar

🚀 Friends, we are happy to invite you for a short intro movie watching. You will meet our CEO, Andriy Rymar, and hear about the company, our short story, and differentiation. 🤝 Jappware is a place f

Sep 24, 2023

Andriy Rymar

Ivan Verhun, CTO: Bringing value in partnership

🖐 Continuing our introductions series, we've recorded a short video with our CTO Ivan Verhun highlighting how we bring value into every cooperation and partnership. 😇 It is essential to al

Sep 20, 2023

Andriy Rymar

Hire a Dedicated Development Team: The Ultimate Guide

The speed of the development, product quality and reasonable monetary cost are the factors that affect the successful result in the IT sector indeed. Corresponding this, dedicated teams are a one-size

Aug 13, 2023

Andriy Rymar

How to Hire Skilled and Dedicated UI Designer: Fulcrum’s Tips & Practices

Creating an intuitive and attractive design is a key moment in the software development process because this factor affects its popularity and the number of customers after release. That’s why m

Aug 11, 2023

Andriy Rymar

Ultimate Guide: How to Hire a Dedicated Development Team in Ukraine

Thanks to the possibility of remote work, each client can find a qualified specialist or an entire team from any corner of the world and cooperate with them 24/7. At the moment, one of the largest tec

Aug 11, 2023

Andriy Rymar

12 Reasons to Hire Ukrainian Software Developers for IT Outsourcing

Generally, the IT industry is quite developed in Ukraine - according to forecasts, the volume of exports of the technological ecosystem will cross the line of 8 billion dollars within 2-3 years. Thank

Aug 11, 2023

Andriy Rymar

Protecting your IT system: Choosing a Right MFA Solution

What actually MFA is

Random one-time password (OTP)

Hardware security tokens

Software Tokens or Virtual Devices

Push notifications

Bottomline

Related articles

Intro to Passwordless Authentication

We recognized as a Clutch Global Leader for 2023

Technology relevant to InsurTech

Jappware introduction by CEO Andriy Rymar

Ivan Verhun, CTO: Bringing value in partnership

Hire a Dedicated Development Team: The Ultimate Guide

How to Hire Skilled and Dedicated UI Designer: Fulcrum’s Tips & Practices

Ultimate Guide: How to Hire a Dedicated Development Team in Ukraine

12 Reasons to Hire Ukrainian Software Developers for IT Outsourcing