What is Multi-Factor Authentication?
Account authentication is a core part of securing services like WordPress VIP. Basic account authentication relies on a combination of username and password to secure your account. Multi-factor authentication (MFA) adds an additional factor, which increases authentication security.
Multi-factor authentication is one part of identity and access management (IAM), the set of controls that lets an IT department manage who gets access to specific systems and what level of access they are allowed. When exactly two factors are used, MFA is also called two-factor authentication (2FA) or two-step verification, because a second factor is required after the password has been provided.
Some common implementations of MFA include receiving a text message with a code or approving access by opening an app on your phone. Sometimes, companies provide a USB security key or embed an RFID chip in your employee badge. All of these examples represent an additional authentication factor.
How does MFA work?
MFA works by requiring a user to correctly provide all required factors before gaining access to a website or application. The first factor is usually something you know, like a PIN or password. Once that first factor is submitted, multi-factor authentication prompts for the next required factor before granting access.
The additional factor is typically either a physical device like a USB key that you insert into or tap against your computer, a biometric identifier like a fingerprint scan, or a temporary code sent via text message or email after you have entered the first factor. Codes delivered by SMS or email are the weakest of these options: they can be phished along with the password, and SMS codes can be intercepted through SIM-swap attacks, so an authenticator app or hardware key is preferred where one is available.
In high-security settings, a third factor may be required following the submission of the first two factors. Whether the system you are accessing requires two or three factors, each required factor must be provided correctly in order for access to be granted.
Depending on the policies created by your IT department, multi-factor authentication may not be required every time you sign in. Many services only prompt for the second factor once per day on a device where it has already been completed. Some services let you skip entering passwords and codes if you opt into a biometric factor like fingerprint or facial recognition; in that case the biometric typically unlocks a credential stored on the device, so the device and the biometric together serve as the factors.
Why is multi-factor authentication important?
As software and services have evolved to provide access to more sensitive data, the level of sophistication bad actors use to gain access to that data has evolved along with it. MFA is one tool that IT departments deploy to reduce the risk of those bad actors gaining access. When implemented correctly, each additional authentication factor reduces the likelihood that a bad actor can gain access to systems.
With a single factor like a password or a pin, it only takes that one piece of information for someone to steal your identity and impersonate you when accessing services. There are also numerous phishing attacks where a bad actor may try to trick you into revealing your username and password by sending an email with what looks like a link to a valid site.
Adding an additional authentication factor through the implementation of multi-factor authentication increases the difficulty of the wrong person having all the required information needed to access your company site.
For content sites like the ones hosted through WordPress VIP, requiring the users who modify and update the site to use MFA for access reduces the potential for someone outside your organization to post things that could be inaccurate or even harmful to site visitors.
MFA increases the trust of users who rely on the information on your site, because it gives much stronger assurance that published content originated from your team rather than from someone who obtained a password.
If you work for a government organization or a company that provides services to a government, there may be regulations that require adherence to security standards, like the NIST digital identity guidelines (SP 800-63B) in the United States. Multi-factor authentication is one of the controls required to meet those standards.
Types of multi-factor authentication
Multi-factor authentication comes in several forms. Some of these factors may operate in the background without requiring any intervention by you.
Knowledge factors are sometimes referred to as something you know. These are the passwords and PIN codes that you create and that only you should know.
Possession factors, also known as something you have, refer to hardware tokens and one-time use codes you have access to. Examples include text messages sent to your phone after submitting your password, an authenticator app installed on your phone, or a hardware token like a USB key or ID embedded in your employee badge.
Inherence factors are also described as something you are and include the various biometric verification methods that are used for identification including facial recognition, fingerprint scanning, iris scans, and handprint identification.
Location is less commonly used as a factor on its own, but it is a useful risk signal. An example of this would be a service warning you when it sees a sign-in from Australia when you typically connect to services from your home office in New York City.
Behavioral factors can also be used to block or alert during authentication. As with an unfamiliar location, signing in from an unknown device might generate a warning. Time is another indicator: if your job only expects you to sign in during daylight hours, a 2am sign-in could indicate that something isn't normal about the attempt.
Combining these factors improves security for your organization. Each additional factor you provide beyond your password increases confidence that you really are the person authorized to access the system and not someone impersonating you.
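Location, device and time signals are usually not verified as factors in their own right; they decide whether to let a remembered second factor stand, to prompt for it again, or to stop the sign-in and alert. The following is an added example, not code from WordPress VIP or from the original page, of such a step-up policy: it combines the "once per day" grace period described earlier with the location, device and time-of-day signals above. The profile fields, the signal names, the 24-hour grace period and the rule that two anomalies block the attempt are all assumptions chosen for illustration; a real deployment would tune them to its own risk appetite.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

MFA_GRACE = timedelta(hours=24)  # assumed: how long a completed second factor is remembered per device


@dataclass
class UserProfile:
    """What the service knows about a user's normal behaviour (hypothetical schema)."""
    usual_countries: Set[str]
    known_devices: Set[str]
    work_hours: Tuple[int, int] = (7, 19)  # local hours in which sign-ins are expected
    mfa_completed: Dict[str, datetime] = field(default_factory=dict)  # device_id -> last MFA success


@dataclass
class SigninAttempt:
    """One authentication attempt after the first factor has been checked."""
    password_ok: bool
    country: str
    device_id: str
    at: datetime  # local time of the attempt


def risk_signals(profile: UserProfile, attempt: SigninAttempt) -> List[str]:
    """Collect the contextual anomalies the text describes: location, device and time of day."""
    signals: List[str] = []
    if attempt.country not in profile.usual_countries:
        signals.append("unusual_country")
    if attempt.device_id not in profile.known_devices:
        signals.append("unknown_device")
    start, end = profile.work_hours
    if not (start <= attempt.at.hour < end):
        signals.append("off_hours")
    return signals


def decide(profile: UserProfile, attempt: SigninAttempt) -> Tuple[str, List[str]]:
    """Return (decision, signals); decision is 'deny', 'allow', 'require_second_factor' or 'block_and_alert'."""
    if not attempt.password_ok:
        return "deny", []  # the first factor must always pass; nothing else is consulted
    signals = risk_signals(profile, attempt)
    if len(signals) >= 2:
        # Assumed policy: several anomalies at once is treated as an attack, not a prompt opportunity.
        return "block_and_alert", signals
    if signals:
        # Any single anomaly overrides the grace period: ask for the second factor again.
        return "require_second_factor", signals
    last = profile.mfa_completed.get(attempt.device_id)
    if last is not None and attempt.at - last < MFA_GRACE:
        return "allow", signals  # same device, recent second factor, nothing unusual
    return "require_second_factor", signals


def record_second_factor_success(profile: UserProfile, attempt: SigninAttempt) -> None:
    """After the user passes the second factor, remember the device and start its grace period."""
    profile.known_devices.add(attempt.device_id)
    profile.mfa_completed[attempt.device_id] = attempt.at


if __name__ == "__main__":
    # Constructed profile: a New York based editor who completed MFA this morning on laptop-1.
    alice = UserProfile(usual_countries={"US"}, known_devices={"laptop-1"},
                        mfa_completed={"laptop-1": datetime(2024, 1, 10, 9, 0)})
    print(decide(alice, SigninAttempt(True, "US", "laptop-1", datetime(2024, 1, 10, 14, 0))))
    print(decide(alice, SigninAttempt(True, "AU", "laptop-1", datetime(2024, 1, 10, 14, 0))))
    print(decide(alice, SigninAttempt(True, "AU", "phone-9", datetime(2024, 1, 10, 2, 0))))
```

The ordering of the rules matters: anomaly checks run before the grace-period lookup, so a stolen session cookie replayed from a new country still triggers a fresh second-factor prompt even though the legitimate user satisfied MFA an hour ago.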
How WordPress VIP can assist you
Security is a priority in everything we do at WordPress VIP. We support integrating with your organization’s SAML single sign-on. Two-Factor Authentication (2FA) is required for all WordPress VIP users with an administrator role. As a security best practice we recommend enabling this type of multi-factor authentication for all user roles.
When new code is pushed to any branch of our GitHub repository, the VIP Code Analysis Bot analyzes it to check for potential vulnerabilities. If your IT team wants to run penetration tests or other vulnerability scans against your WordPress VIP environment, we are here to assist you.
Read more about WordPress security to find out how we can protect your WordPress environment.