By Zach DeMeyer Posted February 7, 2020
Organizations concerned about identity security need to make multi-factor authentication (MFA) a standard practice for their users. MFA is one of the most effective security methods for blocking unauthorized account takeovers. There are several types of MFA, but before we talk about TOTP MFA specifically, let’s talk about MFA in general and why it’s so effective at securing user accounts.
What is MFA?
MFA (also called two-factor authentication or 2FA) is the practice of requiring additional authentication factors beyond the standard username-password combination most authentication mechanisms require. If that credential combo is compromised for any reason, MFA acts as the final barrier between an attacker and their prize: the critical data housed within an organization’s network. Since compromised credentials are the leading source of breaches, an additional layer of security through MFA works wonders. In fact, Symantec found that 80% of recent breaches could have been prevented with the addition of MFA.
Because of its additional factors, MFA helps to fully authenticate that a user requesting access is who they say they are. These factors are colloquially referred to as “something you have, something you know, or something you are” (e.g., an MFA token, a password, or biometric information). Login time and location can also be used as authentication factors. In practice, each factor should be individualized and mutually exclusive, meaning that compromising one factor doesn’t compromise the others, which makes it significantly more difficult for a bad actor to take over a user’s account.
What is TOTP MFA?
TOTP (Time-based One-Time Password) is a form of MFA that uses a randomly generated code as an additional authentication token. TOTP MFA codes are generally created via a smartphone app (e.g., Google Authenticator), so a TOTP code falls under the “something you have” classification.
As the name suggests, each TOTP code is only valid for a short amount of time and is constantly refreshed, meaning that the perpetrator of a breach would need both a user’s compromised credentials and direct access to their phone in order to take over