The inconvenient truth about Multi-factor authentication
Multi-factor authentication (MFA) includes two-factor authentication (2FA) and describes a digital process for blocking access to a website or service until a user performs a secondary, air-gapped action.
The three factors are commonly described as:
Something you know – a password or a PIN
Something you have – a token or a mobile phone that can receive SMS or generate a One-Time Pad via a third-party authentication application
Something you are – a biometric validation such as a fingerprint or facial recognition
Initially devised in the late 90’s, MFA was created to provide greater surety that the person providing a digital identity was indeed the owner of it. Driving this need was the new “internet” that allowed customers and employees to access websites and digital services from any computer that had a browser and connectivity – and control of access to services and your data was (and still is) the traditional identity/authority pair – username and password.
So here’s the inconvenient truth about MFA – its sole purpose is to transfer the risk and accountability for security to you as a citizen, employee, and consumer, all whilst making your experience worse. Underpinning every system is the concept of digital identity – something that binds all your data, all your privileges, and all your access rights back to the core systems that create and interact with you. By legacy design, it is something that needs to be handed to you to keep secret and then provide as part of a login process. This is the way it has been for decades.
The world is now aware that MFA is not bulletproof and can be bypassed in many ways. More so, MFA fatigue (I have to authenticate again and again), MFA spamming (someone with my username and password keeps triggering MFA challenges until I accept one just to shut it up), and the increased costs associated with MFA and resets have companies and people turning it off.
The other elephant in the room is that most of these protective measures only exist if you are outside of the building; thus an employee or internal compromise with the right credentials can access and do anything as anyone else.
Enter Cipherise and our vision of safe, simple identity and security.
Cipherise removes the need to provide identity to users and eradicates logging in as a process. Delivered as a familiar-feeling QR code, our WaveAUTH technology ensures identity never leaves the company, no usernames or passwords exist, and nobody else can use systems or access data as you – except you. For the tech people, Cipherise is powered by a patented decentralised, mutual authentication process that creates two sets of entangled keys. One set is generated and controlled by the company and the other is generated and controlled by the end user – ensuring both sides are legitimate before allowing access to systems and data, and preventing imposter actions from the inside as well as the outside.
Cipherise provides better-than-MFA security whilst making it simpler for people and safer for business.