Use Multi-factor Authentication for Security

Date: 2017-05-10

As the name suggests, multi-factor authentication (MFA) is a mechanism in which the user is required to present separate pieces of information or evidence to gain access. The most popular form of MFA across the globe is two-factor or two-step authentication, or 2FA as it is popularly known. It is used for authenticating card transactions, netbanking transactions, and even logins to email and some websites.

MFA typically requires evidence from at least two of the following categories: knowledge (something the user knows), possession (something the user has), and inherence (something the user is). For example, to withdraw cash from an automated teller machine (ATM), the user is required to have a plastic card (debit, ATM or credit). This is what they possess. Secondly, the user needs to know the personal identification number (PIN), which is knowledge, or something the user knows. With these two factors together, the user can withdraw cash from an ATM.

Now, consider that you are making an online payment through your card to buy an item. You have your card number and your PIN (or card verification value - CVV). After submitting this information, you can opt for a one-time password or passcode (OTP) which is received on your mobile phone registered with the card issuer. Your payment will take place only after you enter the OTP. This is an example of MFA.

MFA provides an added layer of security. Someone may steal your card and PIN, but will not be able to use them for transactions that require validation through an OTP (the exceptions being an ATM or a point-of-sale (POS) terminal). Most of the time, the OTP is sent through SMS, and technical issues with the network may prevent the message from reaching the user's device. For such cases, payment gateways and banks offer the option to request a fresh OTP. The user then needs to use the latest OTP for the transaction. (As standard practice, never share the OTP with anyone, especially for transactions that you have not initiated.)
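The "request a fresh OTP, then use the latest one" behaviour described above can be sketched on the server side as follows. This is an added example, not code from any bank or payment gateway; the class name `OtpStore`, the five-minute lifetime and the three-attempt limit are assumptions made for illustration.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime; the article does not specify one
MAX_ATTEMPTS = 3       # assumed limit on wrong guesses per issued OTP


class OtpStore:
    """Keeps at most one live OTP per transaction (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # txn id -> [code, expires_at, attempts_left]

    def issue(self, txn_id):
        """Create an OTP; a repeat call for the same transaction replaces the old one."""
        code = f"{secrets.randbelow(10**6):06d}"  # six digits from a CSPRNG
        self._pending[txn_id] = [code, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # a real service hands this to the SMS gateway, never to the browser

    def verify(self, txn_id, submitted):
        """Accept only the latest, unexpired, not-yet-used OTP for this transaction."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[txn_id]  # expired or guessed too often
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[txn_id]  # single use: a replayed OTP fails
            return True
        entry[2] = attempts_left - 1
        return False


if __name__ == "__main__":
    store = OtpStore()
    old = store.issue("txn-demo")  # first SMS never arrives
    new = store.issue("txn-demo")  # user asks for a fresh OTP
    print("old OTP accepted:", store.verify("txn-demo", old))
    print("new OTP accepted:", store.verify("txn-demo", new))
    print("new OTP replayed:", store.verify("txn-demo", new))
```

Because a reissue overwrites the stored code, a delayed SMS carrying the earlier OTP is useless once a fresh one has been requested.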

The third factor in MFA is inherence, or something that the user is. This involves the use of biometrics, like fingerprints or retina scans. The problem is that we still do not have scanners that can authenticate biometrics within a stipulated time. Add the cost and connectivity issues, and the use of biometrics as part of MFA fails. Also, biometrics or similar authentication works well in a stipulated environment and for a limited number of users. You can use fingerprints to unlock your mobile phone. However, when it comes to using them for other authentication and verification, the payment gateway needs to compare your fingerprints with millions of other fingerprints to validate that you are who your fingerprints claim you to be. A super difficult task, especially for a country with a population of over a billion! Some transactions are taking place through this method, but they depend on a locally stored database.

Apart from financial service-providers, several others like Apple, Google, Microsoft, Amazon, Facebook and Twitter also offer MFA for login. Apple allows access to its multiple devices after entering the ID, password and the six-digit verification code received, either by text or a phone call. Similarly, Google allows the user to opt for a second authentication factor like a six-digit code, received either through SMS on the registered mobile or via a phone call. Recently, Google launched a service where the user just needs to tap on Google’s mobile app installed on the registered device. In addition, Google lets the user authenticate a particular device (PC or laptop) so that it can be used without the second authentication factor.

Some users may find it cumbersome or time-consuming to use multi-factor authentication, but being safe and secure is not easy. Remember, cyber criminals love people who are lazy about protecting themselves. If you are punctilious about avoiding a serious theft of your identity, email ID, data or money, then it is better to be safe than sorry and use MFA wherever it is available.