Assessment Criteria

Focus and method

The title effectively reflects the area of research, with computer science serving as the primary foundation of the essay.
The focus is on topics that emphasize technological aspects rather than solely social aspects.
The research question is precisely defined, enabling in-depth exploration at a suitable level.
The topic is suitable and engaging for an IB student.
Focused topics are prioritized to ensure comprehensive treatment within the 4,000-word limit.
Topics with a futuristic perspective are thoughtfully selected to support research with factual evidence.
A comprehensive approach is embraced to ensure detailed coverage of computer science topics.
The research question is articulated clearly in the form of a question within the introduction.
The areas of investigation are contextualized effectively, with ample background information included.
The student articulates the significance and relevance of the chosen topic and research question for exploration.
The methodology employed to address the research question is outlined clearly.
The essay is meticulously organized, drawing upon a diverse range of authoritative sources from the internet, literature, and expert interviews.
Essays frequently incorporate experimental or programming components, with resulting data serving as a valuable resource.
Primary data sources focus on robust methodologies beyond small-scale surveys of fellow students.

Computer Science HL's Sample Extended Essays

To what extent is two the optimal number of factors in multi-factor authentication, in relation to the balance between security and convenience?

Candidate Name: N/A
Candidate Number: N/A
Session: N/A
Word count: 1,910

Introduction

Multi-factor authentication is a key feature of modern cybersecurity; it is used globally and has been adopted as a standard feature by a significant number of organisations, including but not limited to commercial websites, government departments, intranets, and software packages. The focus of this essay is to explore the importance of multi-factor authentication, with the research question being: To what extent is two the optimal number of factors in multi-factor authentication, in relation to the balance between security and convenience?

 

This topic is relevant and worth investigating for several reasons: for example, the ever-increasing number of annual cyberattacks and data breaches [1], and the continuing technologisation of the world today, meaning that people often rely on technology to encrypt and safeguard their personal or sensitive data. Therefore, it is essential that digital security measures (such as multi-factor authentication) are widely implemented to help achieve a more cybersecure world and minimise the number of successful cyberattacks and data breaches.

 

Furthermore, this is a personally relevant topic because I, like many others, use technology to store and manage my files and data, and I firmly believe that it is important to ensure that they are well secured, and that steps are taken to protect them from cybercrime. I aim to determine how to balance this out in a way that maximises security, whilst still maintaining a proportionate level of user satisfaction and convenience.

 

My thesis is that two is the optimal number of factors that will balance security and convenience.

 

In this essay, I aim to provide an overview of multi-factor authentication, including what it is, why it is important, and how it is used; analyse each factor (including the individual methods of implementing it); compare them in terms of their balance between security and convenience; and conclude with a summary of the results.

Main Body

The main body will start by going over the three factors of authentication and why multi-factor authentication is important, before moving on to assessing the advantages and disadvantages of the three factors and each of their individual methods. It will close with comparisons of the methods and factors, not only in terms of how secure they are, but also in terms of how convenient and fast they are.

The Three Factors

There are three main factors into which methods of digital authentication fall [2]. These are: the knowledge factor, the possession factor, and the inherence factor. The knowledge factor is where you are authenticated by proving that you know something, such as a password. Examples of methods within the knowledge factor include passwords, PINs, and security questions. The possession factor is where you are authenticated based on whether you possess something, such as a mobile phone. Examples include SMS codes, one-time passwords, and physical security keys. The inherence factor is where you are authenticated based on your physical features, such as your fingerprint pattern. Examples include fingerprint scans, iris scans, facial recognition, and voice recognition. Each of these carries advantages and disadvantages, ranging from security to implementation cost to convenience. These different factors can be combined to form multiple layers of protection for a system, which increases its security. If only one layer is used, the login process is relatively quick and easy; however, the degree of security is very low. Conversely, a system that requires the user to go through three or four factors will be very secure, but it will be less convenient and take longer. This means that it is important to maintain a balance between security and convenience.

Why it is Important

In a modern world full of IT-dependent activities, being digitally secure is important. However, passwords, firewalls, and physical security (for example, server room access control) are no longer sufficient for effective protection against online threats. These can range from malware (namely keyloggers and spyware, which can intercept sensitive data as it is entered), to the use of artificial intelligence to create a cloned voice from snippets [3], and even to analysing public social media posts to build a profile of someone, which can help a hacker to obtain answers to security questions. This is why multi-factor authentication plays a key role in ensuring that one's online data and activities are properly secured, meaning that only the user can access them, without needing to go through unnecessary or extensive checks. Without it, the negative impact on an individual, family, or business can be devastating, financially and emotionally. On average, a data breach costs a business $4.1 million globally [4]. However, it can be difficult to determine which method or methods to implement in order to have decent security without decreasing efficiency or productivity too much. This essay aims not only to provide information about what options are available, but also to give an insight into which combinations would be suitable for different people depending on their circumstances. For example, a business might implement smartcards that staff use to log in. This will likely work well in an enterprise environment, as staff will likely have one anyway. However, requiring an individual user to present a card to log in would arguably be inconvenient, unsuitable, and somewhat strange.

Analysis of Factors

The Knowledge Factor

Overall, the knowledge factor's main advantage is its simplicity and convenience: creating, remembering, and re-entering a password is not something that is very difficult to understand, perform, or program into software, which means that passwords are a very popular choice as a primary method of authentication, and they have been around since the 1960s [5]. Personal identification numbers (PINs) are very similar to passwords, except that they are predominantly purely numeric, as opposed to passwords, which often contain letters, numbers, and special symbols. The absence of letters and symbols in PINs means that they are even more convenient than normal passwords, but this comes at the expense of security.

 

Security questions are another method of authentication in the knowledge factor, but, unlike passwords and PINs, the values are meaningful answers to questions, as opposed to arbitrary combinations of letters and numbers. This can be helpful in certain situations: for example, if the user has a large number of passwords to remember, they can be authenticated without needing to rack their brains for some random password, and can instead simply answer something which comes more naturally to their memory. However, if these answers can be recalled more easily by the user, that likely also means that they can be found out more easily by other, unauthorised users, i.e., hackers and cybercriminals. This is a security concern because even the most careful users can still miss things, and methods such as social engineering and phishing can be significantly effective at gaining this kind of information [6]. Having said that, the likelihood that someone will be hacked via security questions depends on what personal information they decide to share (via, for example, social media), how detailed this information is, and who is able to see it, but this is quite similar with passwords and PINs, too.

 

Another advantage of methods within the knowledge factor is that they can be changed, usually at any time. This is a key benefit when compared to possession-based or inherence-based methods of authentication, for which changing the data is difficult or impossible. Being able to change your knowledge-factor piece of data at any time is beneficial because it means that if a user's password were compromised, the user would be able to change it and the issue would be mostly resolved. That said, answers to security questions are likely to be transient, and therefore become inaccurate or hard to remember after a certain period of time, for example if one's tastes have changed.

 

Furthermore, methods within the knowledge factor do not require any special or extra technology to be involved in the authentication process, unlike possession-based and inherence-based methods. For example, to enter a password, all that is required is your device, the system, and possibly an internet connection. With the possession factor, an extra device is required, and with the inherence factor, special devices and drivers are required for it to work.

The Possession Factor

In general, methods within the possession factor offer more security than the knowledge factor, because they require possession of a physical object, such as a smartphone or physical security token. This makes them inherently quite secure.

 

A common method used in the possession factor is sending an SMS (short message service) or text message to a phone number already registered with the account. The user is then required to enter the correct code to gain access. This method is generally effective, fast, easy, and convenient. However, there are some disadvantages, such as the need for cellular coverage, an active SIM plan, and a working phone. Additionally, this method is vulnerable to SIM-swap attacks, a technique that hackers use to gain access to a phone number [7]. The FBI also says that this type of attack is becoming more common (which is concerning), with 1,611 reports in 2021 [8].

 

Another way in which the possession factor can be implemented is through the use of physical hardware tokens, for example YubiKeys. Physical hardware tokens are small hardware devices that can be plugged into a computer port (or presented to the system in some other way), which the host system then uses to attempt authentication. One way in which this method is secure is that the keys are often encrypted and copy-protected [9], meaning that it is difficult to create unauthorised clones of them for nefarious use. Older versions of similar technologies, for example RFID tokens, may not be as secure [10]; however, in places where security is of high concern, more modern, secure technologies will likely be employed, and therefore this is not too much of a problem. Another advantage of physical security keys is that they can often be managed centrally [11], meaning that if one is lost or stolen, it can be deactivated quickly before any incident occurs. However, physical security tokens are not perfect, because they are not supported on all sites (major companies will likely have support for them, however). Having said that, as the technological world evolves, this will be less of an issue in the near future. Other flaws of physical security keys are that they can be expensive to purchase and can easily get lost. I therefore conclude that physical security keys are a decent option for the possession factor.

 

Another possession-based method of secondary authentication is backup codes. Backup codes are a set of password-like strings which are typically generated in bulk by the system. When you set up an account or enable multi-factor authentication, the platform will execute the bulk generation and take you through the process, often displaying a message informing the user to securely keep a note of them, before removing them from the screen and not allowing them to be shown again. They then serve as single-use 'passwords'. A key advantage of this method is that it does not rely on any external technology, devices, or even an internet connection. This makes it more usable and convenient for the end user, as the only additional thing they may need is their noted-down copy of the codes. Having said that, it is generally bad practice to keep a physical copy of sensitive data, as it may be seen or stolen by unauthorised individuals, creating significant security and privacy concerns. A way to reduce this risk would be to use a password management application, or another secured place, physical or virtual, to store them. Another advantage of backup codes is that they are very likely to be compatible with most technologies, unlike other, more advanced methods. However, this method is more susceptible to phishing or social engineering attacks: if the user is tricked into disclosing the codes, their account will be compromised. In addition, not all platforms that use this method include a way for the user to generate a new set of codes, should they run out. Therefore, it can be unsustainable. Overall, backup codes are a decent option.
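The paragraph above describes the life cycle of backup codes (bulk generation, shown once, single use, and the problem of running out). The following is an added example, not code from the essay, showing how a server side can implement exactly that: only salted hashes of the codes are kept, a code is deleted on its first successful use, and a fresh batch replaces the old one when the user is about to run out. The alphabet, code length, batch size and hashing parameters are assumptions chosen for the example.

```python
"""Backup-code store: an added example for the essay's discussion of
single-use backup codes (not the essay's own code).

Assumptions (not from the page): 10-character codes from an alphabet
without look-alike characters, salted PBKDF2 hashes stored instead of
the codes themselves, one use per code, and a regenerate-when-low rule.
"""
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/I/l so a hand-written copy is less
# error-prone (assumed choice, not from the essay).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10
PBKDF2_ROUNDS = 100_000


def _hash_code(code: str, salt: bytes) -> bytes:
    # A slow, salted hash so that a leaked database does not reveal the
    # codes and cannot be brute-forced cheaply offline.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodes:
    """Salted hashes of the unused backup codes for one account."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self._hashes: list[bytes] = []

    def generate(self, count: int = 10) -> list[str]:
        """Bulk-generate a fresh batch. The plaintext codes are returned
        exactly once (to be shown to the user); only hashes are kept.
        Any codes from a previous batch are invalidated."""
        codes = [
            "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)
        ]
        self.salt = secrets.token_bytes(16)
        self._hashes = [_hash_code(c, self.salt) for c in codes]
        return codes

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """Consume a code if it matches an unused one; False otherwise."""
        digest = _hash_code(candidate.strip().upper(), self.salt)
        for i, stored in enumerate(self._hashes):
            # Constant-time comparison: do not leak how many bytes matched.
            if hmac.compare_digest(stored, digest):
                del self._hashes[i]  # single use: remove on success
                return True
        return False


def demo() -> tuple[bool, bool, bool, int]:
    """Walk through the life cycle: first use succeeds, replay fails,
    an unknown code fails, and the remaining count drops by one."""
    store = BackupCodes()
    codes = store.generate(8)
    first = store.redeem(codes[0])       # True: valid and unused
    second = store.redeem(codes[0])      # False: already consumed
    bogus = store.redeem("NOT-A-CODE")   # False: never issued
    return first, second, bogus, store.remaining()


if __name__ == "__main__":
    print(demo())
```

The replay check (the second `redeem` of the same code returning `False`) is the property that makes these codes "single-use", and the `generate` method being callable again is what avoids the "run out" problem the essay notes some platforms have; a real deployment would also rate-limit `redeem`, since a 10-character code is only as strong as the number of guesses an attacker is allowed.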

 

In summary, methods within the possession factor are generally decently effective at providing an extra layer of security, whilst maintaining simplicity and ease-of-use.

The Inherence Factor

The inherence factor provides a revolutionary form of digital security in the modern, interconnected world. Although the concept has existed for centuries, it is only recently that it has become a mainstream feature in cybersecurity [12]. Because it requires the actual physical body of the account holder, this factor is inherently very secure, even more so than the possession factor. Because of how this factor works, i.e., using a device to extract data about a person's physical features, storing it, collecting a new sample, and then similarity-matching it to the stored version, the advantages and disadvantages of the individual methods within it are largely similar. The most widely used method within this factor is fingerprint recognition [13].

 

A general advantage of the inherence factor is that the data is non-transferable, i.e., you cannot "give" someone else your fingerprint for them to log in. This increases the degree of security because it protects the user from social engineering, phishing, etc., as only the user themselves can provide successful authentication input. Another advantage is that biometric data cannot be forgotten, lost, or stolen (with some exceptions, for example in the case of worn-out, cut, amputated or otherwise absent fingers, loss of voice, etc.). This means that it reduces the burden on the user to remember data or to carry an additional object with them. Another advantage is that biometrics are totally unique [14] and therefore impossible to "guess" and can be difficult to forge. However, there are some disadvantages, for example privacy and ethical concerns about the collection of biometric data. Some people find it invasive and concerning for a computer to collect such personal data. Also, it is not always transparently communicated how the user's biometric data will be stored or processed; it could be insecurely stored, or even worse, sold without consent. This is a reason why some people are reluctant to use biometric or inherence-based methods of authentication. Another disadvantage is that, unlike knowledge- and possession-based methods, biometric data is unchangeable, meaning that if it is somehow cloned, it is difficult to prevent unauthorised access without also locking out the legitimate user.

 

The main subtypes of inherence-based authentication methods are fingerprint recognition, facial recognition, voice recognition, and iris scans. Each of these has its own advantages and disadvantages, and some users may prefer some over others for various reasons and personal preferences.

 

A disadvantage of fingerprint recognition is that it is inaccessible to those who may have missing or degraded fingerprints (for example if they have a skin condition or work in manual labour), and to people with fingers or hands amputated. However, fingers are usually required to operate digital devices anyway, and therefore it is quite convenient. A disadvantage of voice recognition is that the user may be in a loud environment or may have lost their voice. If this is the case, then successful authentication may prove difficult for them. A disadvantage of facial recognition is that it may not work whilst wearing a face mask (this was somewhat problematic during the Coronavirus pandemic, unless you had a compatible phone) or glasses, etc. Another disadvantage of facial recognition is that, like voice recognition, it can be less accurate than fingerprint recognition. An example of this is when a woman in China was offered a refund on an iPhone X after it successfully authenticated her colleague with facial recognition [15]. Whilst it is true that the camera may have been faulty, it still demonstrates that this method is prone to errors. Also, someone might undergo plastic surgery, another aesthetic procedure, or have an accident which causes a significant change in their appearance, rendering facial recognition unusable. However, this could be said about any method, really.

Other Methods

Other methods such as time or location constraints can be used as an additional layer of security, for example by preventing logins from specific countries, or on specific days. This is effective and secure, as it means that only someone trying to log in in a specific place at a specific time can do so successfully, lessening the risk of being successfully hacked. However, VPNs (virtual private networks) are a common way of bypassing this system location-wise, whereas falsifying time is not generally possible (simply changing the system time is usually ineffective when dealing with remote servers). Furthermore, this can cause problems for remote workers, as they may be unable to log in and do work if these security policies are enforced in a way which is not compatible with their situation.
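As an added example (not code from the essay) of the time and location constraints just described, the policy check below allows a login only from an allow-listed country, on permitted weekdays and within a UTC hour window. It follows the essay's point that the time is taken from the server's own clock rather than anything the client supplies. It assumes that the source IP has already been resolved to an ISO country code by some lookup outside the snippet, and the policy, user names and timestamps are constructed sample data.

```python
"""Login time/location constraint check: an added example for the essay's
"Other Methods" section (not the essay's own code).

Assumptions (not from the page): the country has already been resolved
from the source IP before this check runs, and `server_time` comes from
the server clock in UTC, never from the client.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class LoginPolicy:
    # Countries from which logins may succeed (ISO 3166-1 alpha-2 codes).
    allowed_countries: frozenset[str]
    # Weekdays on which logins are permitted: 0 = Monday ... 6 = Sunday.
    allowed_weekdays: frozenset[int] = frozenset(range(7))
    # Inclusive start hour and exclusive end hour, in UTC.
    hours_utc: tuple[int, int] = (0, 24)


@dataclass
class Attempt:
    username: str
    country: str           # resolved from the source IP before this check
    server_time: datetime  # read from the server clock, timezone-aware


def evaluate(policy: LoginPolicy, attempt: Attempt) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed constraint is listed so the
    audit log records why a login was refused, not just that it was."""
    reasons: list[str] = []
    if attempt.country not in policy.allowed_countries:
        reasons.append(f"country {attempt.country} not in allow-list")
    t = attempt.server_time.astimezone(timezone.utc)
    if t.weekday() not in policy.allowed_weekdays:
        reasons.append(f"weekday {t.weekday()} outside permitted days")
    start, end = policy.hours_utc
    if not (start <= t.hour < end):
        reasons.append(f"hour {t.hour:02d} UTC outside {start:02d}-{end:02d}")
    return (not reasons), reasons


# Constructed policy: UK only, Monday to Friday, 08:00-18:00 UTC.
OFFICE_POLICY = LoginPolicy(
    allowed_countries=frozenset({"GB"}),
    allowed_weekdays=frozenset(range(5)),
    hours_utc=(8, 18),
)

# Constructed attempts (sample data, not real logins).
# 2024-01-10 was a Wednesday; 2024-01-13 was a Saturday.
IN_HOURS = Attempt("alice", "GB", datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc))
WRONG_PLACE = Attempt("alice", "US", datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc))
WEEKEND_NIGHT = Attempt("alice", "GB", datetime(2024, 1, 13, 23, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for a in (IN_HOURS, WRONG_PLACE, WEEKEND_NIGHT):
        allowed, why = evaluate(OFFICE_POLICY, a)
        print(a.username, a.country, a.server_time.isoformat(), allowed, why)
```

The `WRONG_PLACE` case is the remote-worker situation the essay mentions: a legitimate user outside the allow-listed country is refused. It also shows the limit the essay gives for the location check: the decision rests on the resolved country, so a VPN exit in an allowed country passes it, which is why this control is an additional layer and not a substitute for the factors above.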

Comparisons

Multi-factor authentication is when two or more of the aforementioned methods are used to verify whether a user should be granted access to the system. It can be any combination of methods from different factors, but a rather common one is a password (knowledge) and a text message code (possession). The more steps involved, the more secure the system will be; however, this does come at the expense of user satisfaction, time, and convenience.

Security Compared to Time

Characters   Combinations      Time (seconds)

Numeric (0-9)
4            10,000            1
6            1,000,000         2
8            100,000,000       2
10           1×10¹⁰            8
16           1×10¹⁶            12
20           1×10²⁰            13

Alphanumeric (0-9, a-z, A-Z)
4            14,776,336        1
6            5.680024×10¹⁰    3
8            2.183401×10¹⁴    4
10           8.392994×10¹⁷    5
16           4.767240×10²⁸    8
20           7.044234×10³⁵    9

Alphanumeric with special characters (0-9, a-z, A-Z, !?$%&^*()_-=+[]{},./;:@#)
4            52,200,625        2
6            3.771495×10¹¹    3
8            2.724905×10¹⁵    4
10           1.968744×10¹⁹    7
16           7.425109×10³⁰    9
20           3.875953×10³⁸    11

The data in the Combinations column was calculated using the formula x^y, where x equals the total amount of available characters, and y equals the length of the string.

 

The data in the Time column was obtained by timing myself typing a randomly generated string of the specified length consisting of the specified available characters.

Figure 1: Graph To Show Relationship Between Password Length & Time Taken To Type (In Seconds).

Figure 2: Graph To Show Relationship Between Password Length & Number Of Unique Combinations.

With the possession factor, there are three main ways of obtaining a secondary code for authentication. These are push notifications, emails, and SMS messages.

 

Shown below is a table that shows how long it takes to receive a code via each method (according to data I collected myself). Also added is the extra time to type in the code (usually 6 numeric digits, so +2 seconds).

Method              Time (seconds)   Time with typing (seconds)
Push notification   16               18
Email               35               37
SMS                 6                8

Figure 3: Graph To Show Time Taken To Receive Code From Different Methods Of Possession-Factor Authentication.

Method                    Unique combinations        Chance of false positive
Facial recognition                                   1:1,000,000 [16]
Fingerprint recognition   64,000,000,000,000 [17]    1:50,000 [18]
Iris scan                 ∞ [19]                     1:100,000 [20]

According to the data, it is clear that the most secure factor is inherence, averaging an almost infinite number of unique combinations. This is somewhat closely followed by knowledge-factor methods, with an average of 2.157221×10³⁷ unique combinations. Given that most possession-factor methods (that use a code in conjunction with another method) consist of 6 numeric digits, the average for this factor is 1,000,000, which is significantly lower than the other two by itself; however, when used in addition to another method, the degree of security increases.

 

Additionally, the inherence factor is the fastest, generally taking less than 1 second to process an authentication attempt. This is followed by knowledge-factor authentication, with an average of 5.7 seconds. Possession-factor methods take the longest of the three, averaging 21 seconds (including the extra time to type the code).
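The combinations formula x^y given under the first table, and the averages quoted in the two paragraphs above, can be reproduced from the essay's own figures. The block below is an added example (not the essay's code) that encodes the table's alphabet sizes, lengths and measured typing times, recomputes the Combinations column, and derives the knowledge-factor and possession-factor averages. It also reports each row as bits of entropy (log2 of the combinations), the form in which security engineers usually quote this quantity. One check worth noting: the special-character set listed in the table heading contains 24 symbols, which would give 86 characters, but the table's figures (e.g. 52,200,625 = 85^4) correspond to 85, so the example uses 85 to match the table.

```python
"""Reproduction of the essay's combinations/time figures, added as an
example (not the essay's own code).

Combinations = x ** y with x = alphabet size and y = string length, as the
essay states. Alphabet sizes 10, 62 and 85 reproduce the table (85 rather
than 86 for the special-character set; see the note in the lead-in).
Typing times and delivery times are the essay's own measurements.
"""
import math

# Alphabet sizes used by the essay's table.
ALPHABETS = {"numeric": 10, "alphanumeric": 62, "with specials": 85}
LENGTHS = (4, 6, 8, 10, 16, 20)

# Seconds taken to type a string of each length, from the essay's table,
# in the same order as LENGTHS.
TYPING_TIME = {
    "numeric": (1, 2, 2, 8, 12, 13),
    "alphanumeric": (1, 3, 4, 5, 8, 9),
    "with specials": (2, 3, 4, 7, 9, 11),
}

# Possession-factor delivery time including typing the code (seconds).
POSSESSION_TIME = {"push": 18, "email": 37, "sms": 8}


def combinations(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length: x ** y."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity on a log scale: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def knowledge_table() -> list[tuple[str, int, int, int]]:
    """Rows of (alphabet name, length, combinations, typing seconds)."""
    rows = []
    for name, size in ALPHABETS.items():
        for length, secs in zip(LENGTHS, TYPING_TIME[name]):
            rows.append((name, length, combinations(size, length), secs))
    return rows


def mean_combinations() -> float:
    """Average of the Combinations column over all 18 rows; the essay
    quotes this as 2.157221×10³⁷. The mean is dominated by the largest
    row, which is why the figure is so far above a typical password."""
    rows = knowledge_table()
    return sum(r[2] for r in rows) / len(rows)


def mean_typing_time() -> float:
    """Average typing time over the 18 rows (the essay's 5.7 seconds)."""
    rows = knowledge_table()
    return sum(r[3] for r in rows) / len(rows)


def mean_possession_time() -> float:
    """Average delivery-plus-typing time (the essay's 21 seconds)."""
    return sum(POSSESSION_TIME.values()) / len(POSSESSION_TIME)


if __name__ == "__main__":
    for name, length, combos, secs in knowledge_table():
        bits = entropy_bits(ALPHABETS[name], length)
        print(f"{name:14} len={length:2}  {combos:.6e}  {bits:6.1f} bits  {secs:2}s")
    print(f"mean knowledge combinations: {mean_combinations():.6e}")
    print(f"mean knowledge typing time:  {mean_typing_time():.2f} s")
    print(f"mean possession time:        {mean_possession_time():.1f} s")
```

Running it prints the table with an entropy column alongside; the 6-digit numeric code that the essay uses for the possession factor comes out at just under 20 bits, which is why such codes are only safe when the server limits the number of attempts, while a 16-character alphanumeric password is around 95 bits.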

 

Whilst the inherence factor may appear to be a clear winner, it is worth mentioning that it is generally the most difficult to implement, not only due to the complex and advanced techniques used, but also due to the special hardware and drivers required to support it. Knowledge-factor methods are generally the easiest to implement.

 

Therefore, a combination of two of these methods, specifically facial recognition with a 6-digit numeric password, is in my opinion the optimal number to strike a balance between security (measured by total number of unique combinations) and convenience (measured by time taken to complete), as each method has its own advantages and disadvantages.

Conclusion

In summary, it is evident that combinations of these three factors can provide extra security to users, systems, and organisations, without impacting productivity or user satisfaction too negatively. However, it is essential to have other measures, digital (e.g., antivirus and DNS filtering) and non-digital (e.g., physical security and cybersecurity-awareness training for users), in place to further strengthen security, which is increasingly necessary in a modern technological society.

Bibliography

Action Fraud. (2016, July 5). How private is your personal information? Retrieved from YouTube: https://www.youtube.com/watch?v=yrjT8mOhcKU

 

Apple. (2023, August 22). About Face ID advanced technology. Retrieved from Apple Support: https://support.apple.com/en-gb/102381

 

Apple. (2023, November 15). About Touch ID advanced security technology. Retrieved from Apple Support: https://support.apple.com/en-gb/105095

 

AVG. (n.d.). What Is Two-Factor Authentication (2FA)? Retrieved from AVG: https://www.avg.com/en/signal/what-is-two-factor-authentication

 

BU TechWeb. (n.d.). Why Use 2FA? Retrieved from BU TechWeb: https://www.bu.edu/tech/support/information-security/why-use-2fa/

 

Cerullo, M. (2023, March 21). Cybercriminals are using AI voice cloning tools to dupe victims. Retrieved from CBS News: https://www.cbsnews.com/news/ai-scam-voice-cloning-rising/

 

Degruchy, C. (2020, September 23). Can I duplicate or clone a YubiKey? Retrieved from Yubico: https://support.yubico.com/hc/en-us/articles/360016614880-Can-I-duplicate-or-clone-a-YubiKey-

 

DiFurio, D. (2022, September 21). 10 Statistics That Show the Cost of a Data Breach to Companies. Retrieved from Beyond Identity: https://www.beyondidentity.com/blog/10-statistics-show-cost-data-breach-companies

 

Duo. (n.d.). Two-Factor Authentication (2FA). Retrieved from Duo: https://duo.com/product/multi-factor-authentication-mfa/two-factor-authentication-2fa

 

Gilbert, J. (2021, August 26). The importance of two-factor authentication. Retrieved from Techradar: https://www.techradar.com/news/the-importance-of-two-factor-authentication

 

GSD Solutions. (2022, June 7). Pros and Cons of Hardware Authentication Keys for 2FA. Retrieved from GSD Solutions: https://gsdsolutions.io/pros-and-cons-of-hardware-authentication-keys-for-2fa/

 

Henry, B. (2022, August 5). The Importance of Two-factor Authentication. Retrieved from Bitner Henry Insurance Group: https://bitnerhenry.com/the-importance-of-two-factor-authentication/

 

LaMotte, S. (2015, December 4). The other 'fingerprints' you don't know about. Retrieved from CNN Health: https://edition.cnn.com/2015/12/04/health/unique-body-parts/index.html

 

McMillan, R. (2012, January 27). The World's First Computer Password? It Was Useless Too. Retrieved from Wired: https://www.wired.com/2012/01/computer-password/

 

Medline Plus. (2022, July 7). Are fingerprints determined by genetics? Retrieved from Medline Plus: https://medlineplus.gov/genetics/understanding/traits/fingerprints/

 

Microsoft. (2023, January 5). What is SIM swapping & how does the hijacking scam work? Retrieved from Microsoft: https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-sim-swapping

 

Microsoft. (n.d.). What is: Multifactor Authentication. Retrieved from Microsoft: https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661

 

onelogin. (n.d.). What is Multi-Factor Authentication (MFA) and How Does it Work? Retrieved from onelogin: https://www.onelogin.com/learn/what-is-mfa

 

Pinghui, Z. (2017, December 14). Chinese woman offered refund after facial recognition allows colleague to unlock iPhone X. Retrieved from South China Morning Post: https://www.scmp.com/news/china/society/article/2124313/chinese-woman-offered-refund-after-facial-recognition-allows

 

Rafter, D. (2022, August 15). What is SIM swapping? SIM swap fraud explained and how to help protect yourself. Retrieved from Norton: https://us.norton.com/blog/mobile/sim-swap-fraud

 

Recfaces. (n.d.). What are Iris and Retina scanners, and how do they work? Retrieved from Recfaces: https://recfaces.com/articles/iris-scanner

 

Refvik, O.-M. (2022, November 2). Why is Two-Factor-Authentication (2FA) so important? Retrieved from Admincontrol: https://blog.admincontrol.com/en/why-is-two-factor-authentication-2fa-so-important

 

Roger. (2021, March 27). Is it Possible to Clone RFID Cards? An All-Inclusive RFID Security Guide. Retrieved from RFID Future: https://www.rfidfuture.com/clone-rfid-cards.html

 

Rublon Authors. (2021, December 14). What Are the Three Authentication Factors? Retrieved from Rublon: https://rublon.com/blog/what-are-the-three-authentication-factors/

 

Ryles, G. (2021, September 6). What is two-factor authentication and why is it important? Retrieved from Trusted Reviews: https://www.trustedreviews.com/explainer/what-is-two-factor-authentication-4161786

 

Scientific American. (1894, June). The Chance of Identical Fingerprints: 1 in 64 trillion. Retrieved from Scientific American: https://www.scientificamerican.com/article/the-chance-of-identical-fingerprints-1-in-64-trillion/

 

Shacklett, M. E. (2021, November). What is multifactor authentication and how does it work? Retrieved from TechTarget: https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA

 

Shokotko, D. (2018, January 10). The Pros and Cons of Different Two-Factor Authentication Types and Methods. Retrieved from Protectimus: https://www.protectimus.com/blog/two-factor-authentication-types-and-methods/

 

Slater, A. (2019, September 20). POLICING PROJECT FIVE-MINUTE PRIMERS: IRIS RECOGNITION. Retrieved from Policing Project: https://www.policingproject.org/news-main/2019/9/20/policing-project-five-minute-primers-iris-recognition

 

Stealth Labs. (2022, January 19). Number Of Cyber Attacks In 2021 Peaked All-time High. Retrieved from Stealth Labs: https://www.stealthlabs.com/news/cyberattacks-increase-50-in-2021-peaking-all-time-high-of-925-weekly-attacks-per-organization/

 

Stegner, B. (2020, April 15). The Pros and Cons of Two-Factor Authentication Types and Methods. Retrieved from Make Use Of: https://www.makeuseof.com/tag/pros-cons-2fa-types-methods/

 

Thales Group. (2023, March). The History of Biometric Authentication. Retrieved from Thales Group: https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/inspired/history-of-biometric-authentication

 

Williams, C. (2023, January 11). Why are fingerprint scanners still the most widely used biometric technology? Retrieved from M2 SYS: https://www.m2sys.com/blog/biometric-technology/fingerprint-scanners-are-the-most-widely-used-biometric-technology/
