Carnegie Mellon University

Multi-Factor Authentication

September 25, 2019

Multi-Factor Authentication: What It Is and Why You Need It



In today's online environment, the fundamental “username and password” approach to account security can be easily breached by cyber criminals. Many log-ins can be compromised in a matter of minutes, and private data; such as personal and financial details, is under increasing threat. Wouldn't it be nice if your online accounts let you know when someone new is trying to get into them? Even better, wouldn't it be terrific to make a stolen password useless to others?

Strong web security relies on a variety of tools and policies. It’s important not to rely on any single method for comprehensive protection. Multi-factor Authentication (MFA) adds another layer of account security, supplementing the username and password model with another factor that only the specific user has access to. Whenever possible, users should get into the habit of protecting themselves with the extra layer of security that MFA provides.

What is it?

Multi-Factor Authentication is the use of two or more independent means of evidence (factors) to assert the identity of a user requesting access to an application or service. The most common form of multi-factor authentication is two-factor authentication (2FA), which pairs your first authentication factor (typically something you know like your password) with a second factor of an entirely different kind such as something you have and something you are. The multiple types of authentication factors are as follows:

Something You Know Password

  • Password
  • Personal Identification Number (PIN)
  • Security Question

Something You Have

  • Smartphone
  • Token
  • Smart Card/ID Badge

Something You Are

  • Fingerprint
  • Retinal Scan
  • Voice Pattern

With MFA, a potential compromise of just one of these factors won't unlock the account. So, even if your password is stolen or your phone is lost, the chances of someone else having your second-factor information is highly unlikely. Note that the use of a password in combination with a PIN, for example, is NOT considered two-factor authentication because both pieces of information invovle a single factor-something you know. 

How Does it Work?

Whenever multi-factor authentication has been activated on an account, each time a user attempts to log in from a different device, an authorization check will be sent to the user. The authorization check can be sent in a variety of ways depending on the application and how the user established the multi-factor authentication. The authorization check can come in the form of a passcode sent to the users associated email account or through SMS to the user's phone. Another method of authorization is when a push notification is sent to a registered device such as a smart phone. The user will need to enter that code prior to receiving access to the account. Without the approval or current code, a password thief can't get into an account. 

Why Should We Use It?

Widespread major data breaches are occurring at an alarming rate affecting millions of people. The information that's stolen, in many cases, includes usernames and passwords that could allow cybercriminals access to user accounts. In addition, passwords alone can frequently be easily guessed or compromised through phishing or hacking. As more personal information finds its way to online applications, privacy, and the threat of identity theft is increasingly a concern.

Multi-factor authentication should be used whenever possible because it immediately neutralizes the risks associated with compromised passwords by adding an additional layer of security to protect highly sensitive personal information. If a password is hacked, guessed, or phished, a bad actor would still need the required second factor on the account, making the stolen password alone useless.

Risks of Multi-Factor Authentication

While MFA does provide added security, it is not a perfect solution. MFA is most often exploited through social engineering. Social engineering is when a bad actor manipulates a person into give up confidential information. A hacker doesn't need to try to crack MFA security when they can simply call a support line, pose as you, and get your password reset. Some MFA services using SMS can be vulnerable to any number of telecom provider's practices regarding reassignment of phone numbers or security of messages. There are even certain types of malware that can be distributed to a person's phone through a malicious link that can intercept SMS messages such as a one-time passcode and send them directly to a cyber-attacker. 

To help mitigate the risks of social engineering MFA through a telecom provider, it is recommended that users establish a PIN or password on the account. The PIN or password is requested by the telecom provider when any type of change or service is requested over the phone or in person. It is also important to recognize the indicators of a phishing email which attempts to steal usernames and passwords or even the SMS based one-time passcode. 

How to Set Up Multi-Factor Authentication

Using MFA on consumer services like Apple ID, Google, Facebook, Instagram, Twitter, and banking websites is as simple as turning the service on. Carnegie Mellon University uses DUO Security to support 2FA for services using Single Sign-On through Web Login, as well as some services that don't require Web Login (VPN, Citrix, and Campus Cloud). DUO Security 2FA service is required for all faculty, staff, and student workers. Students and other sponsored accounts are encouraged to enroll in DUO 2FA for added account security. 

In order to use 2FA at CMU, new users must register for DUO and designate a device for identity confirmation. Computing Services has a DUO 2FA Registration webpage available to all interested CMU computer users.