Jan 12 2023

Ways to Implement Multifactor Authentication Without a Mobile Device

Federal agencies have options to strengthen security when signing in to accounts.

Passwords are hard to remember and even harder to change periodically, and it’s increasingly difficult to devise strong credentials. Instead of confronting the challenge, many users rely on weak passwords and reuse them for multiple accounts. This makes it easy for cybercriminals to guess credentials or obtain them via phishing attacks.

Once gathered, credentials can be sold on the dark web. Then, both the original criminal and hordes of other attackers can gain access to personal and work-related systems and data.

Two-factor authentication (2FA) and multifactor authentication (MFA) are accepted ways to make credentials much less vulnerable. 2FA relies on a combination of something you know (e.g., username/password) and something you have (e.g., your mobile phone or computer, a keycard or a USB) or something you are (e.g., a scan of your iris or fingerprint) to ensure that only authorized individuals can access sensitive systems and information.

MFA can involve all three factors. With MFA, even if the username/password combination is stolen, accessing an account is extremely difficult because criminals won’t be able to complete the additional authentication steps.

Click the banner to access customized content when you register as an Insider.

When MFA and Mobile Devices Don't Mix

Common methods of implementing MFA often rely on the use of mobile devices. When an SMS message, a one-time password or a push notification is sent, it is commonly delivered to a user’s smartphone. That said, there are some risks associated with sending SMS, one-time password or push notifications for MFA. When implemented improperly or as the sole security method, messages could be hacked and codes intercepted. In fact, the U.S. government has recommended that no MFA solution should rely solely on SMS verification tools.

Ensuring Protection Outside of Mobile-Based MFA

To fill these gaps and ensure 100 percent MFA coverage, agencies may consider hardware security keys. The key is typically a physical device, often a USB drive that only grants access to accounts while it is plugged into a computer. It provides a high level of protection against phishing and hacking because no one can access an account without both the login credentials and the key. And it doesn’t rely on a phone.

Another solution is Login.gov, the General Services Administration’s cloud-based remote identity proofing platform. Login.gov provides strong authentication to allow the public to access participating programs, using MFA for desktops as well as mobile devices. The user need only set up a Login.gov account, create a strong password and then select one or more additional authentication methods. These include security keys, authentication applications, biometric methods, and personal identity verification or common access cards.

Source: govtech.com, “Fed’s Authentication Service Comes to State, Local Gov,” March 5, 2021

How Login.gov Handles Authentication

Some Login.gov authentication options do not require a mobile device. These include:

  • Security keys: These physical devices provide the highest level of protection against phishing and hacking if lost or stolen. To be used with Login.gov, security keys must meet Fast Identity Online standards. Examples include YubiKey keys, which support many protocols and are compatible with a wide range of online services.
  • Authentication applications: These applications, when downloaded to a computer, generate secure, six-digit codes used to sign in to accounts. The app is more secure than phone calls or text messages, which are susceptible to phishing, hacking or interception by cybercriminals who can reroute messages. Examples of authentication applications are 1Password and OTP Manager for Windows and Mac devices and the Authenticator extension for Chrome.
  • Biometric authentication: Facial recognition and fingerprint sign-in to Login.gov accounts are phishing-resistant methods, but they come with some limitations. They can only be used on devices that support them, and they are specific to both the device and the browser. In most cases, users will need to purchase and install hardware for fingerprint recognition or a biometrically enabled camera.
  • PIV or CAC: Personal identity verification or common access cards are secure options for federal government employees and military personnel. They are resistant to phishing and difficult to hack if stolen. However, these cards are not available to everyone.
  • Backup codes: If all else fails, Login.gov can generate a list of backup codes, each of which can be used only once when logging in. This is the least-secure option for MFA; codes must be printed out or written down, making them just as vulnerable as passwords written on sticky notes left on a desk. Users who choose backup codes as their preferred MFA method must closely guard the codes.

MFA methods that rely on mobile devices can be convenient, but there is a need for equally strong alternatives. Login.gov provides multiple MFA authentication options, extending the reach of strong authentication to those who can’t or won’t use mobile devices.

UP NEXT: Why insiders might be the biggest threat to your zero-trust efforts.

David Gyung/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.