Multi-factor authentication (MFA) is now one of the core methods for securing user access to IT resources, and a critical component of a Zero Trust security model. With the rise of remote work and the continued prevalence of high-profile data breaches, many organizations are evaluating their options for implementing MFA policies.
According to a recent survey of IT professionals, 52.6 percent of small and medium-sized enterprises already require MFA across all applications and logins. This article is geared towards the remaining organizations trying to figure out the best way to do that while avoiding resistance from decision makers and end users.
An excellent option for a frictionless MFA experience is push notification-based MFA, but how does it compare to other implementation options?
What is MFA & Why Should You Use It?
Multi-factor authentication (also called two-factor authentication or 2FA) is the practice of requiring an additional factor beyond the standard username/password combination requested at most logins. Oftentimes, these factors are colloquially known as:
- 鈥淪omething you know鈥 – includes username/password credentials, but also applies to security questions or similar factors
- 鈥淪omething you have鈥 – pertains to device-based MFA options like mobile passcodes or physical keys
- 鈥淪omething you are鈥 – generally refers to biometrics.
According to Verizon鈥檚 2021 Data Breach Investigation Report, involve credentials. When used as a single factor, passwords are an insufficient security measure and unable to protect your organization from the costs of a data breach. Layering on a second authentication factor at login is significantly more secure than relying on passwords alone, and can make accounts to be compromised.
So how much of an effect does the type of additional factor have? Well, Google鈥檚 Security Blog studied . Here鈥檚 what they found:
The chart above details the efficacy of the six most popular 鈥渟omething you have鈥 and 鈥渟omething you know鈥 MFA methods. With this chart in mind, let鈥檚 look at how push notification MFA (which falls under the 鈥淥n-Device Prompt鈥 classification) compares to the other forms of multi-factor authentication an organization can deploy.
What is Push Notification MFA?
Push MFA utilizes smartphone notifications to assert authentication. This puts push MFA in the category of 鈥渟omething you have,鈥 as the user will need to have their smartphone on them to use push notifications as a second factor. After inputting their username and password, end users simply need to unlock their phone and then press a button to either approve or deny the access request.
Push notifications are growing in popularity thanks to the ease of use for end users and the low cost of implementation for IT admins. To best illustrate the benefits of this authentication factor, the following sections highlight the similarities and differences between push notifications and other MFA implementation options.
Push Notifications vs. Other MFA Factors
SMS-based MFA
SMS-based MFA is one of the more widely-used forms of MFA in use today. This method sends a login code to an end user鈥檚 phone or email after they have submitted their credentials. Once they receive the code, they must input it correctly to complete the login.
Per the Google chart above, SMS-based MFA offers effective security for automated and bulk phishing attacks, but is less effective for accounts that are specifically targeted. This security vulnerability is due to the need for a third-party network to act as the middleman between the origin of the code and the end user. This provides an additional attack vector, as well as a larger window of time in which foul play can occur.
Push notifications, on the other hand, are created directly on a user鈥檚 smartphone with an authenticator app and do not require the user to input a numerical code. This not only provides a simpler user experience, it also saves employees time. In fact, push MFA saves a user over SMS-based MFA.
Time-based One-Time Password (TOTP)
TOTP MFA utilizes a randomly generated code similar to that of SMS-based MFA. In contrast to SMS, however, TOTP codes are generated the same way as push notifications鈥攙ia an authenticator app. The numerical codes are only valid for a specific time interval, such as 30 seconds. The user must correctly input the TOTP before the end of the time period since once it ends, a new code is generated and the previous one is rendered null.
TOTP is generally considered more secure than SMS, falling under the 鈥淥n-Device Prompt鈥 classification in the chart above. TOTP is continuing to gain in popularity although some users find inputting the code within the time limit to be a cumbersome process. IT admins, however, find TOTP quite easy to manage.
Push notifications operate very similarly to TOTP and provide the same level of security with a better user experience. A good authenticator app will provide the option for both TOTP and push MFA, and empower employees to choose the second authentication factor that works best for them. This is especially important for putting MFA accessibility considerations into practice.
Physical Keys
Physical key-based MFA is akin to a digital version of a tangible lock and key. Each physical key 鈥 often represented in the form of a USB stick like Go