Multi-Factor Authentication Made Easier: Virtual MFA for Cloud Services

Posted by Staff   |   Wednesday, June 3rd, 2015

This is a guest post by Debra Shinder.

Authentication is the basis of security: the entire concept of securing your data, applications and services revolves around controlling who has access, and setting permissions would be meaningless if you couldn’t be assured that the users to whom you grant access really are whom they claim to be.

Although many people use the two terms interchangeably, identification and authentication are in fact two different things. Identification/identity is the claim that a person (or computer) is a specific known entity. Authentication is the means by which that identity is proven.

In the computing world, user authentication has long been based on providing a password, passphrase or Personal Identification Number (PIN) that matches the user name. In other words, the user proves his or her identity by providing something that should be known only to that user and no one else. Of course, there are myriad problems with this method. Passwords can be guessed, either through knowing the person well or via brute force methods. Longer and more complex passwords are harder to guess, but they’re also harder for the legitimate user to remember and more difficult to type, especially on today’s small devices with virtual keyboards. Passwords are often written down, where an unauthorized person can discover them, or users may be persuaded to reveal their passwords through social engineering tactics.

The problem with relying on “something known only to the user” for authentication is that it’s so difficult to keep a piece of knowledge completely secret from everyone else. Authentication can also be accomplished in other ways, by the user providing a physical characteristic that is unique, such as a fingerprint, voice pattern, retinal image or other biometric identifying characteristic, or by the user providing a physical object that only he or she has in possession.

This “something you know, something you are, or something you have” approach offers a way to greatly enhance security by combining two (or more) authentication factors. By requiring one of the other factors along with the password/PIN, you ensure that someone who guesses a password still can’t be authenticated unless he/she also has the object or physical characteristic, and someone who finds or steals the object (for example, a smart card) still can’t be authenticated unless he/she also knows the password/PIN.

Unfortunately, there are problems with the “something you have” and “something you are” methods, too. Many people find biometric authentication to be intrusive, and smart cards or tokens are prone to being lost or left at home when you need them. We’re already loaded down with various ID and credit cards, keys, smart phones and other personal items and don’t want to have to carry yet another one.

There is a way to take advantage of multi-factor authentication without personal intrusion or requiring users to carry an additional object, though. Because most people today already take their phones everywhere with them, we can put that phone to use as a virtual multi-factor authentication device. An app installed on a smart phone can function in much the same way as a dedicated MFA device. There are apps available for the major phone platforms – Windows, Android and iOS – that will work with the MFA systems of private networks and public cloud providers.

As an example, Amazon Web Services MFA supports both dedicated hardware devices in the form of key fobs or cards (purchased from Amazon) and the use of a smart phone app that is capable of generating a time-based one-time password (TOTP). The app (or dedicated device) generates a one-time six-digit authentication code that the user enters. This form of authentication could be thought of as “something you know because of something you have.” Your smart phone becomes a virtual MFA device.

Virtual MFA apps that can be used with Amazon Web Services include AWS Virtual MFA for Android, Google Authenticator for Android, Blackberry and iOS, and Authenticator for Windows Phone.

The obvious advantage is the convenience of using your smart phone as one of your authentication factors. However, be aware that while it provides more security than standard single-factor authentication, a virtual MFA device isn’t considered to be as secure as a dedicated hardware MFA device. The physical and virtual MFA devices use the same protocols, but because the MFA software is running on the phone OS alongside other applications (either of which may have security vulnerabilities that can be exploited), you can’t lock down a virtual MFA device the way a physical MFA device can be. Nonetheless, the option to use a smart phone as part of a multi-factor authentication scheme is a viable way to bring more security to the process of logging into cloud services.

For more information about authenticating users and securing resources in the cloud, check out this month’s new articles at