Multi Factor Authentication: Using “something you KNOW” and “something you HAVE” to protect your applications

User login credentials are the easiest target for attackers trying to compromise a web application and reach valuable corporate data; industry breach reports have attributed as many as 95% of web application breaches to stolen credentials. Multi-factor authentication (MFA) is one of the most effective ways to keep an account from being taken over with a stolen or guessed password, and more organizations are adopting it for exactly that reason. PCI DSS 3.2 also expands the multi-factor requirement: it is no longer limited to remote access and now covers all non-console administrative access to the cardholder data environment. So what exactly is multi-factor authentication?

Something you “know” and something you “have”

Traditional authentication asks the user for a username and a password. That relies on a single factor, something the user knows, as the sole proof of identity. If the password is weak or the login endpoint does not limit attempts, an attacker can simply try candidate passwords until one works, in what is known as a "brute force" attack. Other methods such as keylogging, phishing, and pharming are also used to steal passwords outright, and a strong password offers no protection against those.

With MFA, instead of relying only on something the user knows, the site also requires something the user has in their possession, such as a cell phone, before it accepts the login. A site using MFA prompts for the username and password as before, then sends a one-time code, for example by SMS to the user's registered phone, which the user must also enter to get into the account. The point is that a password obtained by any of the methods above is no longer enough on its own: the attacker would also need the device that receives or generates the code.

An MFA system can work with anything the user has: a phone that receives SMS codes, an authenticator app that generates time-based codes, or a dedicated hardware token. SMS is the most common second factor simply because almost everyone has easy access to a cell phone, so many organizations use it. Be aware, though, that SMS is the weakest of these options: codes can be intercepted through SIM-swap attacks against the carrier, and NIST SP 800-63B treats out-of-band SMS as a "restricted" authenticator. A community-driven list, maintained in a public GitHub repository that anyone can add to or modify, records which common websites implement MFA.
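The second-factor check in the flow above, as an added example that is not part of the original article: a server-side implementation of a time-based one-time code (TOTP, RFC 6238), the kind produced by an authenticator app rather than delivered by SMS. The function names, the 30-second step, the one-step clock-skew window and the in-memory replay record are this example's own choices; the shared secret used in the test is the one published in RFC 6238, and the enrolment secret is generated locally.

```python
"""Second factor "something you have": time-based one-time codes (RFC 6238).

Added example, not code from the article it accompanies.  Server and
authenticator app share a per-user secret; the app derives a 6-digit code
from the secret and the current 30-second time step, and the server
recomputes the code to verify it after the password check has passed.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Set

STEP_SECONDS = 30   # RFC 6238 default time step (assumed here)
DIGITS = 6          # code length shown to the user (assumed here)
WINDOW = 1          # accept one step before/after to tolerate clock skew (assumed here)


def generate_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user shared secret, created at enrolment and stored server-side."""
    return secrets.token_bytes(nbytes)


def base32_secret(secret: bytes) -> str:
    """Form in which the secret is typed into, or QR-encoded for, an authenticator app."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """TOTP = HOTP with counter = floor(unix_time / step); this is what the app displays."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                window: int = WINDOW, step: int = STEP_SECONDS) -> Optional[int]:
    """Return the time-step counter the submitted code matches, or None.

    Every candidate step is compared with hmac.compare_digest and the loop never
    returns early, so response timing does not reveal which step (if any) matched.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    t = int(time.time()) if at is None else at
    counter = t // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            matched = candidate
    return matched


def accept_second_factor(secret: bytes, submitted: str, used_counters: Set[int],
                         at: Optional[int] = None) -> bool:
    """Server-side check run only after the password (first factor) has passed.

    The code must match inside the skew window and must not have been accepted
    before: the skew window would otherwise let a sniffed code be replayed for
    up to 90 seconds.  `used_counters` stands in for per-user persistent state.
    """
    matched = verify_totp(secret, submitted, at=at)
    if matched is None or matched in used_counters:
        return False
    used_counters.add(matched)
    return True


if __name__ == "__main__":
    # Enrolment: the user scans/types this into their app; the server keeps the raw bytes.
    user_secret = generate_secret()
    print("enrol in app as:", base32_secret(user_secret))
    # Login: the app shows totp(user_secret); the server checks it once.
    code = totp(user_secret)
    seen: Set[int] = set()
    print("first use accepted :", accept_second_factor(user_secret, code, seen))
    print("replay accepted    :", accept_second_factor(user_secret, code, seen))
```

An SMS-based deployment replaces the shared-secret app with a random code the server generates, stores with a short expiry, and texts to the user; the same rules still apply on the server side: compare in constant time, accept each code once, and rate-limit attempts so the six-digit space cannot be brute-forced within the validity window.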

It'll be interesting when Google launches "no password" authentication so it will be just what "you have" and not what you know: http://www.forbes.com/sites/erikkain/2016/05/29/game-of-thrones-season-6-episode-6-review-blood-of-my-blood/#1e4efb6f5b0e

More articles by Ruchika Mishra
