Overview of Okta's Supported Multi-factor Authentication (MFA) Factors

Introduction

It used to be that if you were in your company’s office, you were inside its protective digital firewall and a simple password granted you access to the files you needed. No one could log in from outside the company’s premises because no one needed to.


Then the digital world became more complicated. People needed access to data and applications from everywhere. Having methods of verifying employees’ identities became increasingly important, because corporate assets could no longer be locked down so that they could only be accessed by employees behind the corporate firewall.


Relying on passwords alone has led to a rise in account takeovers and a realization that password security is inadequate. To protect both corporate information and their employees’ personal data, organizations are increasingly turning to multi-factor authentication (MFA).


What is MFA?

Your password is a single piece of information that is supposed to prove your identity because you’re the only one who is meant to know it. Security professionals call this a factor, and there are multiple kinds. A factor is either something you know (a password or your mother’s maiden name), something you own (a possession like your phone or a USB key), or something you are (a biometric factor like a fingerprint or an iris scan).


MFA combines factors to verify that you are who you say you are. A hacker might steal your password, but it’s less likely that they could steal another of your factors too.


MFA can combine any number and type of factors. You’ll hear terms like 2FA and 3FA to describe how many factors are in play. Receiving a code via SMS and entering it into a web application along with your password is a form of 2FA. Combining a fingerprint scanner, iris scanner, and code is an example of 3FA.


Factors

Each factor has its own strengths and weaknesses. The best way to mitigate a factor’s weaknesses is to combine it with factors from different categories: say, a knowledge factor paired with a possession factor. An attacker then has to defeat each layer separately, which makes the account much harder to compromise.


Okta believes in balancing security with user convenience. That’s why we support so many different security factors. Below, you can see each factor’s strengths and weaknesses. No factor is strong in all four categories, and only push verification and U2F rank as moderate in a single category and strong across the rest.


Some categories might be more important to your organization than others. While security and phishing protection should be high on everyone’s priority list, deployability is especially important in large companies with many users to manage.


Knowledge Factors

Knowledge-based factors are by far the most common because they have traditionally been the easiest and cheapest to implement, requiring no scanners or hardware keys.


Passwords

Passwords are vulnerable to attack. Account takeover attacks targeting passwords are common, with many passwords available for sale via online forums.


Hackers steal passwords via phishing schemes that fool you into voluntarily giving away your password. They can also steal them by hacking the databases that online services use to store user passwords.


You can protect yourself in three ways. First, be extra cautious about where you enter your password online. Second, use a longer, more complex password that is difficult to crack. Third, use a unique password for each online service you visit. While that makes passwords harder to remember, manage, and use, a trusted password manager can help by creating and storing strong passwords and filling them in for you on websites.


Security questions

Every user is familiar with security questions, which sites will often ask you before resetting a forgotten password.


Security questions are often insecure because the answers to questions like “what is your mother’s maiden name” or “what is the first street you grew up on” are often commonly available, either through public record searches or social media.


One way to help make security questions stronger is not to answer them truthfully. After all, your answer just has to match the answer you wrote in when you set the questions; it doesn’t need to be honest.


Possession Factors

Possession-based factors involve something the user has, or has access to. That could be something physical like a phone, or something digital like an email address. Some possession factors are very secure, while some are so vulnerable that security experts warn people to avoid them.


Okta Verify OTP

Okta Verify OTP (one-time password) is an application that you download onto your phone. It generates a six-digit code you use to sign into your company’s Okta portal. This factor is very secure, but it takes time and effort to take out your phone, open the app, get the code, remember it, and type it into your computer.


Okta Verify Push

Okta Verify Push is a simplified version of Okta Verify. Instead of typing in a code, you approve a push notification on your phone, Apple Watch, or Android Wear device with the tap of a button. This reduces friction while still maintaining a high level of security.


Email

Okta offers email as a factor, but only to support customers that must use it as part of a legacy IT environment. It is a low-security factor and we recommend against using it where possible. Email is easy to hack and often travels over insecure protocols. Online services also often use it for recovering primary factors like passwords, which negates its use as a secondary factor.


SMS

With SMS authentication, Okta sends a text message to your phone with a code that you then type into the website. In theory, this sounds a lot like Okta Verify OTP, but SMS is less secure than you might think. Criminals have become experts at hijacking phone numbers, persuading cellular carriers to hand your cellular number over to them, so that your codes arrive on a phone they control.


Voice

Voice authentication replaces SMS when a phone number can’t receive text messages. Instead, the code is read out by an automated voice on the other end of the line. Voice’s weaknesses are the same as those of SMS: hackers who steal your number have the keys to the kingdom.


U2F

A U2F device is a physical USB key that generates its own secure code. Users plug the USB into their computer or hold it against a smartphone equipped to pick up wireless signals. The key sends the code to the Okta website for you behind the scenes, as long as you’re using a compatible browser or one with an extension that supports U2F.


Several companies make these keys, such as Yubico’s YubiKey and Google’s Titan Security devices. U2F is a high-security, low-friction mechanism to keep you protected, but, like all physical factors, you must keep it safe and make sure you don’t lose it and lock yourself out of your account.


Third-party factors

Security is an important aspect of information technology, and many companies are doing a great job of it. Okta supports as many factors as we can to give our customers choice and consistency across the board. We are compatible with Duo, Symantec, RSA, and YubiKey OTP.


Biometric Factors

Once a vision of the future, biometrics are quickly becoming a popular option for security. When they work well they are the height of low-friction, high-security authentication, but these are often developing technologies that can have their own weaknesses.


People have used photographs to trick face scanners, for instance, and cheap 3D-printed fingerprints have fooled fingerprint scanners. Biometric scanners can also produce false positives (accepting fingerprints or faces from illegitimate users) and false negatives (rejecting the real user).


Nevertheless, as these technologies grow more mature, their usefulness will continue to increase.


Apple TouchID

Apple has its own biometric login using fingerprint scanning technology. As long as users have the right hardware, Okta supports logging in through a simple touch.


FAQs

Still have questions? Visit Okta’s End User MFA FAQs page for detailed answers to any MFA questions you might have.


Having trouble?

If you’re having trouble, we recommend contacting your help desk or IT admin directly.