東海国立大学機構 名古屋大学 情報連携推進本部

Tips Regarding Multi-Factor Authentication

Difference between password authentication and multi-factor authentication

“Password authentication” requires only a password that corresponds to your user ID for authentication, whereas “multi-factor authentication” requires, in addition to a password, a factor that is different from a password (time-dependent authentication code, biometric information, secret key files, etc.). It may also be called 2-factor authentication, 3-factor authentication, etc., depending on the number of factors required.

The Multi-Factor Authentication CAS used at Nagoya University is a multi-factor authentication system (2-factor authentication) whose second factor is an “Authentication Code”, a 6-digit number that changes every 30 seconds.

Password authentication and multi-factor authentication

Tips regarding multi-factor authentication

We are seeing an increasing number of off-campus information services that claim to use multi-factor authentication. In some cases, however, the claim is made even though the authentication system does not actually increase security, possibly because of misconceptions about multi-factor authentication.

We will present a few examples below. Recent authentication breaches involve the wrongful use of IDs (e-mail addresses) and passwords leaked from other information services, or IDs and passwords being entered into fake websites (phishing websites); the following are misunderstood to be multi-factor authentication systems and hence do not offer sufficient security.

In addition, some services claim that “our service can only use SMS (short message service) authentication for 2-factor authentication”. Be careful with such services, because they unnecessarily collect personal information in the form of the mobile phone number to which the SMS message is sent. The National Institute of Standards and Technology (NIST) announced a few years ago that “SMS authentication is not secure”. Unless SMS authentication is the only choice available for your device, we do not recommend that you use it. There have already been numerous reports of attacks via SMS authentication.

Furthermore, compared to e-mail, service providers and security software usually have less control over SMS, so users are more vulnerable to malicious SMS messages (messages that prompt connections to malicious websites). It is also easier to automatically generate the destination of an SMS message, that is, the mobile phone number. So please be careful of malicious SMS messages.
