What Is MFA (Multi-Factor Authentication)?
Multifactor authentication is standard in applications today. Here, we cover what MFA is and how it relates to version control.
What Is Multifactor Authentication (MFA)?
Multifactor authentication (MFA) is an authentication method that requires users to verify their identity using multiple independent methods. Instead of just asking for a username and password, MFA requires additional credentials.
What Is MFA Used For?
MFA is the easiest and most popular way to secure enterprise users and access to their data. The additional verification credentials must come from the following categories:
- Something the user knows.
- Something the user has.
- Something the user is.
Multi-Factor Authentication Examples
Examples of Something the User Knows
Knowledge factors are the most common — and vulnerable — type of security. Knowledge factors are less secure because the information is easier to share or steal. Authentication examples of something the user knows include:
- PIN (personal identification number).
- Answers to supposedly secret questions (such as “Where were you born?” or “The name of your first grade teacher.”).
Examples of Something the User Has
Possession factors (something the user has) have been the foundation of security for centuries. The most basic version is a key, which opens a lock. Possession factors are more complex now, but the premise is the same. Authentication examples of possession factors include:
- Google Authenticator (an app on your phone).
- SMS text message with a code.
- Soft token (also called software token).
- Hard token (also called hardware token).
- Security badge.
Examples of Something the User Is
Biometric verification (something the user is) identifies a person using their unique biological traits. Examples of biometric verification include:
- Retina and iris patterns.
How Multi-Factor Authentication Works
The goal of MFA is to provide a multi-layered defense system. This helps ensure that the users who access your system are who they say they are. Even if one factor is compromised, there are still more barriers to breach. For example, if someone’s computer password is stolen, the thief would still need more than just that information to break into the account.
81% of data breaches involve weak or stolen credentials. MFA can prevent that. (Data from the 2017 Verizon Data Breach Investigative Report.)
With MFA, users need to have the correct combination of multiple authentication factors. For example, to log in to a secure program, a user might need to type a password (something the user knows) and enter a number from a hard token (something the user has). Only the correct password combined with the correct number from the correct hard token would give a user access.
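How a server can enforce the password-plus-token check described above, as an added example (not from the original page or from Perforce's code). It assumes the token is an RFC 6238 TOTP device; the account record, the `login` and `hash_password` functions, and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the number a token displays at unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen user table does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; every value here is made up for the example.
USERS = {
    "hercule": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse", b"constructed-salt"),
        "token_secret": b"12345678901234567890",
        "last_counter": -1,  # last time step accepted, to block code replay
    }
}

def login(user: str, password: str, code: str, now: int,
          step: int = 30, window: int = 1) -> bool:
    """Grant access only when BOTH factors check out."""
    acct = USERS.get(user)
    if acct is None:
        return False
    # Factor 1: something the user knows.
    supplied = hash_password(password, acct["salt"])
    if not hmac.compare_digest(supplied, acct["pw_hash"]):
        return False
    # Factor 2: something the user has. Allow +/- `window` steps of clock
    # drift, and never accept a time step at or before one already used.
    for drift in range(-window, window + 1):
        counter = now // step + drift
        if counter <= acct["last_counter"]:
            continue
        expected = totp(acct["token_secret"], counter * step, step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            acct["last_counter"] = counter
            return True
    return False
```

A stolen password alone fails at factor 2, and a code observed in transit fails on reuse because its time step has already been consumed.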
Multi-Factor Authentication Meets Version Control
Large companies use multi-factor authentication to limit access to mission-critical systems. Health care systems use MFA to ensure protected health information (or PHI) stays secure. And many smaller businesses use MFA for email because it helps keep phishers out.
Version control software often stores some of the most valuable assets companies possess — their intellectual property. However, most version control systems don’t provide full 360-degree support for MFA. For example, some version control tools have two-factor authentication (or 2FA) in their web interfaces, but not on the command line. This setup leaves your IP exposed.
When MFA isn’t used, any malicious person can pull down an entire repo from the command line. The only thing they would need is a username and password.
Incredibly, 42% of companies have experienced ransomware attacks. Exfiltration by disgruntled employees is a real issue. And careless or distracted employees can fall victim to phishing scams, exposing your assets to the world.
Mission-critical applications are protected with multi-factor authentication (or MFA). But what protects your IP — especially the code that’s stored in your version control system?
If you're using Helix Core for version control, it can protect your IP.
Why MFA Is Important in Version Control
Version control systems store some of the most valuable assets companies possess — their intellectual property. Even so, no other VCS (besides Perforce) provides support for MFA.
Some VCS have 2FA (two-factor authentication) in their web interfaces, but not on the command line. As a result, your IP is exposed. There are no Git servers, for example, that have MFA support. This means that with only a username and password, someone could pull down an entire repo from the command line.
What Is MFA With Helix Core?
Support for MFA is built into Helix Core. Once you’ve implemented MFA on your server, it provides an additional security layer. Helix MFA currently works with Okta out-of-the-box, and it’s configurable with other providers.
Perforce provides you with a trigger for your server. And it only requires simple editing to configure your Okta account (and to establish the details of the factors you wish to use).
Perforce already limits access to files stored in Helix Core, whether via a client application, the command line, or Helix Swarm using a browser. This means that only users with permission can view and act on the files stored.
How It Works
When users try to access the server from the command line, visual clients, or plugins, they’re required to provide the additional authentication factors that their administrator chose.
MFA is supported by all Helix Core client software, including:
- Command-Line Client (P4) 2017.2
- Helix Visual Client (P4V) 2018.2
- Helix Plugin for File Explorer (P4EXP) 2018.2
- Helix Plugin for Visual Studio (P4VS) 2018.2
- Helix Plugin for Eclipse (P4Eclipse) 2018.2
- Helix Swarm 2018.1
The visual client support is provided via an interface called Helix MFA Authenticator, which is bundled into the download for P4V.
You can use MFA from the command line on Linux, Windows, or Mac. Here’s an example from the Command Prompt on Windows 10:
In this example, a user named Hercule has entered his normal Perforce password, after typing in the p4 command “p4 login”. Then, after the success of that password, he is asked to choose from a list of possible second factors that will be required before he can access the assets stored in the server. Once he completes that challenge, he will be granted access and can proceed with his work.
You can also use MFA with the Helix Visual Client (P4V). Just like on the command line, after user Hercule enters his normal password at P4V login (or via a prompt if the session has timed out), the Helix MFA window pops up. Hercule sees a list of the factors the administrator has chosen. Once he performs the action required, he is securely logged in and can begin to work with the assets on the server.
The example above shows Hercule logging back in after his session expired. P4V looks like it always does when this happens, with most activities greyed out. When Hercule tries to do anything, he’s prompted for his password. Then he sees the MFA dialog box and begins the additional steps required to authenticate.
Get Started With MFA
Add MFA to your source code and digital assets. You can try Helix Core free for up to 5 users and 20 workspaces — and add MFA to your assets.
If you're already a Helix Core user, you can download Helix MFA to get started now.