Tips Regarding Multi-Factor Authentication

Difference between password authentication and multi-factor authentication

“Password authentication” requires only a password that corresponds to your user ID for authentication, whereas “multi-factor authentication” requires, in addition to a password, a factor that is different from a password (time-dependent authentication code, biometric information, secret key files, etc.). It may also be called 2-factor authentication, 3-factor authentication, etc., depending on the number of factors required.

The Multi-Factor Authentication CAS used at Nagoya University is a multi-factor authentication (2-factor authentication) that uses an “Authentication Code” as its second factor, that is a 6-digit number changing every 30 seconds.


Tips regarding multi-factor authentication

Currently, we have seen an increasing number of off campus information services claiming that they use multi-factor authentication, but there are cases where the claim is made even if the authentication system does not increase its security, which is possibly due to misconceptions around multi-factor authentication.

We will present a few examples below. Recent cases of authentication breaches involve the wrongful use of IDs (e-mail addresses) and passwords leaked from other information services, or IDs and passwords being inputted into fake websites (phishing websites); and the following are misunderstood to be multi-factor authentication systems and hence do not offer sufficient security.

  • Inputting your password twice is not a form of multi-factor authentication. Asking for the same factor twice (an unchanging secret word) does not improve the security of the authentication (it is no different from making the password longer). In fact, it is probably more secure to make the minimum password length longer and have it inputted only once.

  • Similar to “inputting your password twice”, there are systems that ask for your answer to a “secret question (for example, ‘What is the name of your elementary school?’ ‘What is your pet’s name?’)” as the second factor, but since the answers are limited, it is even less secure than “inputting your password twice”.

  • In some cases, there is no differentiation between authentication and bot evasion (&lowast). For example, puzzle authentication (self-claimed) where the answer is on the same page does not ensure the security of the authentication at all; nonetheless, by claiming to be a form of authentication, it gives users a false sense of security. (&lowast) bots are programs that breach authentication through a massive number of login attempts.

In addition, there are cases where the claim is made that “our service can only use SMS (short message service) authentication for 2-factor authentication”, but be careful of such services, as in these instances, personal information is unnecessarily collected in the form of mobile phone numbers to which the SMS message would be sent. The National Institute of Standards and Technology (NIST) announced a few years ago that “SMS authentication is not secure”. Unless in cases where SMS authentication is the only choice available for your device, we do not recommend that you use SMS authentication. There have already been numerous reports regarding attacks via SMS authentication.

Furthermore, when compared to e-mail, service providers and security software usually have less control over SMS, so users will be more vulnerable to any malicious SMS message (prompting connections to malicious websites). It will also be easier to automatically generate the SMS message’s destination; that is, the mobile phone number. So, please be careful of malicious SMS messages.