top of page
  • Writer's pictureVishal Chaudhari

Quantum-Safe MFA Beyond "What You Know"

Updated: Nov 2, 2023

In an era where the digital world continues to expand, so do the threats that loom in cyberspace. Traditional multi-factor authentication methods, while once reliable, now find themselves outmatched by the ever-evolving sophistication of cyberattacks. But a security strategy that presents MFA as a stack of step-up authentication options only after a 2-way mutual authentication is done for digital identities and assets makes a mark to be infallible. This approach doesn't just rely on one layer of defence but rather assembles a formidable fortress of protection. We're talking about a powerhouse combination of cutting-edge technologies designed to thwart even the most sophisticated cyber threats.



Strengthening MFA Beyond What You Know

As the interconnected digital world grew, the number of users also increased exponentially, and so did the cybersecurity risks. For a while traditional IDs and passwords were sufficient for a secure authentication process. But as the digital world evolved, cyber threats became increasingly sophisticated, and enhancing password complexities is not helping.

Attackers could crack into IDs and passwords using brute force attacks or social engineering tactics, leaving individuals and organizations vulnerable to data breaches, identity theft, and financial losses.


In 2021, when the Colonial Pipeline was attacked, one of the vulnerabilities that the attackers exploited was the password – the “what you know” factor of authentication. The hacked password was not a weak one, but rather a complex combination of alphabets, numbers and special characters. Nevertheless, it was hacked, making it crystal clear that relying on a single factor of authentication can no longer protect organizations from cyberattacks.


But what’s really scary is the idea that these hackers don’t work individually and they are certainly not carrying out one-off attacks. They are often part of an organized crime, hired by corporate-like entities to conduct cyberattacks at scale. These attackers have access to sophisticated methods to steal identity, and user IDs and passwords remain the prime entry point for them. This makes robust identity and access management incredibly important.


According to an IBM study, it takes three years for an organization to recover costs from a data breach. On average, an organization takes more than 277 days to contain a data breach – this means for nine months the resources are busy working on containing a data breach and are not available for contributing to business growth.

Given these statistics, the questions enterprises must ask themselves are: Do we really have the bandwidth to lose productivity for such an extended period due to the repercussions of a data breach? Plus, be the victim of the damaging consequences of a data breach?


According to Google, organizations can prevent more than 95% of bulk phishing attempts and over 75% of targeted attempts by adding Multi-factor authentications (MFAs). Microsoft reports that over 99.9% of account compromise attacks can be prevented with MFA. With 81% of breaches caused by credential theft, adding an extra layer of authentication only makes business sense.


What is Multi-factor Authentication?

Multi-factor authentication is a security protocol that demands two or more pieces of evidence to confirm a user’s identity before granting them access to a system. Rather than relying on a single authentication factor, MFA examines multiple aspects of a person’s identity before granting access. With this additional layer of protection, MFA strengthens security, safeguarding sensitive data against potential threats. Traditionally, MFA factors fall into three categories:

· Something you know (e.g., a PIN or password)

· Something you have (e.g., a smartphone, token, or smart card)

· Something you are (e.g., biometric data like fingerprints, facial recognition, or voice recognition)


But traditional MFA is under attack

While MFA is undoubtedly a powerful tool, a vast improvement over a simple username and password combination, it's not without a few shortcomings. One of the key reasons for these MFA options to be under attack is that, it all starts with a password based identity. Another fundamental reason for the MFAs lacking in their precision is because the Identity itself seldom participates in any of these MFAs. Let’s break down the vulnerabilities of top traditional MFAs:


SMS or Email OTP (One-Time Password)

Vulnerable to phishing attacks, SIM swapping, and interception of OTPs, making them less secure for critical applications. Authorized push payment scams make OTPs vulnerable.


Hardware Tokens

Costly to distribute and replace if lost or damaged, inconvenience for users who must carry them, and can be vulnerable if stolen. Hardware tokens based on PKI are not PQC compliant.


Biometric Authentication (e.g., Fingerprint, Face Recognition)

Vulnerable to biometric data theft (e.g., fingerprint replication), not easily replaceable if compromised, and privacy concerns regarding biometric data storage.


Smart Cards

Costly to issue and maintain, users may forget or lose their cards, and potential compatibility issues with some devices and systems.


Software-Based Token Generators (e.g., Google Authenticator)

Vulnerable if the device is compromised (e.g., malware), not easily transferable to new devices, and potential synchronization issues.


Push Notifications (e.g., Mobile App Authentications)

Susceptible to device compromise, phishing attacks can trick users into approving malicious requests, and reliance on internet connectivity.


Cryptographic Identity as the Foundation for MFA

Cryptographic identity has undergone a remarkable transformation. It has evolved into a self-sovereign, and password-free that is super secure.

For MFA to be effective in countering the cyber-attacks, the foundational identity must be cryptographic, tamperproof and participative in the authentication process. Such an identity must be able to perform a mutual authentication before it can trigger the MFA.


The user has the control over their own identity that is private, tamper-proof and cannot be stolen. Moreover, cryptographic identity is inherently participative in transactions, rendering them non-repudiable and supporting mutual authentication without relying on SSL certificates.


But here’s the best part: it leverages aggregated ID chains, allowing users to pick and choose what attributes to use from their federated identity, thereby ensuring a flexible and adaptable identity framework.


Mutual Identification before MFA

Think of mutual authentication within cryptographic identity as a 2-way digital handshake that goes both ways. Its just like the 2-way SSL, but SSL is extremely difficult and commercially unviable to implemented and manage for large scale projects.


In this process, not only does the user authenticate themselves to the service or system, but the service or system also authenticates itself to the user. And the user could be both human or non-human (IoT/ API/ App/Server). This bidirectional verification is achieved through the use of PQC compliant cryptographic keys, adding an extra layer of trust and security to online interactions. 2-Way mutual authentication helps establish that both the end-points are the right party. Mutual authentication should trigger the MFA based on the risk profile of the transaction. Mutual authentication before MFA safeguards against impersonation and ensures that both parties are who they claim to be, making it a cornerstone of secure digital communication and transactional integrity in today's interconnected world.


MFA as a Stack of Step-up Authentication Factors

It involves combining multiple authentication methods and factors in a way that forms a robust and adaptable security strategy. Following section talk about how MFA as a stack addresses the vulnerabilities of traditional MFAs.


Contextual Authentication

Contextual authentication takes a deep dive into the context and behaviour surrounding a login attempt to gauge the potential risk involved. But here’s where it gets truly impressive. Within a multi-factor authentication (MFA) framework, this contextual authentication can be adaptive or risk-based.


In other words, it's smart enough to dynamically assess the context of each authentication request and choose the most suitable combination of factors. It takes into account things like how the user behaves, the risk associated with the transaction, the details of the device they're using, and much more.


These criteria also include the risk profile of the other party involved in the transaction, the risk profile of the device in use, transaction specifics like the amount or frequency, and even how many transactions are happening within a certain timeframe or account. It's a comprehensive analysis.


Based on this meticulous examination of all these factors, the system then decides whether the user needs extra authentication steps or if access should be denied altogether.


Spectrum of Innovative Password-free MFA

Password-free multi-factor authentication (MFA) has ushered in a new era of digital security, harnessing a spectrum of innovative technologies. Some innovations include:


  • Biometric fingerprints and facial recognition, integrated directly into apps through in-app native libraries, offer a seamless and highly secure method for identity verification.

  • App notifications paired with e-signature further enhance the authentication process by combining real-time alerts with cryptographic signatures for added assurance.

  • Cryptographic tokens, both offline and online, serve as another layer of protection, ensuring secure access even in disconnected environments.

  • SMS/email one-time passwords (OTP) provide a simpler and effective means of authentication for some of the low risk profile transactions

  • FIDO devices take security to the next level by offering hardware-based authentication that's virtually impervious to phishing attacks.

  • QR codes and tap-enabled EMV chip cards make authentication even more accessible and convenient, ensuring that users have a diverse array of options to choose from in their quest for secure, passwordfree MFA.

Quantum-safe Authentication

MFA stack must be quantum-safe for it to be an investment that works beyond 2025. Quantum-safe authentication represents the cutting edge of digital security in an era when quantum computing threatens to break traditional cryptographic systems. This forward-looking approach ensures that our digital identities and sensitive information remain secure even in the face of quantum computing's immense processing power.

Quantum-safe authentication relies on cryptographic algorithms that are resistant to quantum attacks, ensuring the confidentiality and integrity of our data in a post-quantum world. By adopting these quantum-resistant techniques, organizations and individuals can future-proof their authentication methods, safeguarding their digital assets and privacy against emerging quantum threats.


The Wraparound the MFA Stack for Post Quantum Readiness

Traditional multi-factor authentication (MFA) has served as a vital stepping stone, enhancing security beyond standard MFA point solutions. Yet, we find ourselves at a crossroads, facing an increasingly complex web of security threats because of the apparent vulnerabilities of traditional MFAs. But if we consider MFA as a stack approach built on top of Cryptographic password free digital identity and mutual authentication, we’ll be taking a leap into the future of authentication. MFA as a stack of this kind overcomes MFA vulnerabilities with unparalleled flexibility, adaptability, and resilience.


Enterprises must up their MFA game by incorporating cutting-edge elements such as password-free authentication, quantum-safe digital trust ecosystems, cryptographic identity, and VPNless zero-trust access. These innovations form an essential part of the security arsenal in this digital age.


92 views0 comments

Recent Posts

See All

Comentários


bottom of page