What Is MFA (Multi-Factor Authentication)?

We use passwords to verify that someone is who they claim to be. But passwords alone are no longer secure enough to protect your data. With the increasing number of cyberattacks, combining passwords with another form of authentication is more effective. This is known as multi-factor authentication (MFA). In this article, learn what multi-factor authentication is, how it works to protect your accounts, and how you can utilize it.

What is multi-factor authentication?

Multi-factor authentication, or MFA, is an electronic authentication method that requires users to provide multiple forms of identification in order to access a system or application. MFA protects sensitive data from being accessed by unauthorized persons.

Traditionally, we use passwords to prove our digital identity for logins. However, sometimes these passwords are easy for bad actors to discover. Multi-factor authentication combines at least two independent credentials in order to strengthen security.

If one credential gets compromised, attackers then cannot meet the second authentication requirement. This makes it difficult for them to access a target, whether that target be a device, location, network, or database.

Individuals and businesses alike rely on multi-factor authentication to reduce the likelihood of various types of cyber breaches, such as brute-force attacks. For organizations, MFA helps comply with regulatory requirements.

A user employing multi-factor authentication (MFA)

How does multi-factor authentication work?

It's common for malicious actors to programmatically attack user accounts. Knowing that, it makes sense to implement MFA on your online accounts.

Multi-factor authentication works by requiring additional verification information. You must provide more than one piece of evidence to validate your identity when logging into an account. When a user tries to access a system or application that requires MFA, they start by entering their username and password as the first authentication factor.

The system validates the login credentials entered by the user against the stored credentials in its database. If the username and password match, then it satisfies the first authentication factor.

After a successful first authentication, the user is prompted to provide the second authentication factor, which is typically something they have or something they are.

If the second factor is based on something that the user has, they might receive a one-time code via a text message, email, or a mobile app. This code can be generated by an authentication app or sent as a text message to the user's registered mobile phone. The user then enters the code to complete the second factor.

If the second factor is based on biometrics, then the user needs to provide the required biometric data, like a scanned fingerprint or face.

The system then validates the second authentication factor provided by the user. If the second factor also matches the expected value, then the system provides the user access to the system, application, or account.

Multi-factor authentication example

Say, for example, that you're trying to log into your banking account online. You would first enter your username and password. Then, you would receive a prompt to enter a one-time passcode (OTP) sent to your phone. The OTP only has one use, so even if someone else gains access to your password, they could not log into your account without the OTP.

Multi-factor authentication enhances security because even if an attacker manages to beat the first authentication requirement with a stolen password, they would still need access to the second factor in order to gain unauthorized access.

Types of MFA methods

MFA creates a layered defense by combining different authentication factors. An authentication factor is a category of credentials that is intended to verify your identity. For MFA, each factor provides a higher level of assurance that an entity requesting access to a system is what it says it is. The use of multiple factors makes it much harder for hackers to access your account.

The types of authentication factors are usually broken down as follows.

Knowledge-based authentication

Knowledge-based authentication requires users to provide something that they know, like answering a personal security question. Knowledge factor technologies include:

  • passwords
  • PINs
  • one-time passwords

Passwords are the most common form of knowledge factor used in MFA. However, note that passwords alone aren't sufficient for strong authentication. Use strong passwords and regularly update them to ensure maximum security.

Personal questions can also be used to gain system access. However, these types of questions are less secure as the answers can often be obtained through social engineering techniques.

Possession-based authentication

Possession-based authentication relies on something that the user physically has, such as a smartphone, a token, or a smart card. Users must have the physical device in their possession in order to complete authentication.

Common examples of possession factors include:

  • smartphone-based authentication apps
  • hardware and software tokens
  • biometric cards

A possession factor comes into play when you receive a code on your smartphone to gain access into an account.

MFA processes combine this authentication factor with other factors, such as knowledge or inherence factors, to create a strong authentication process.

Inherence-based authentication

An inherence factor is something that you are. This uses the unique biological traits of an individual, usually through biometric methods such as:

  • fingerprints
  • iris scans
  • voice or facial recognition
  • hand geometry
  • digital signatures

Users can utilize behavioral biometrics such as keystroke dynamics as well. Many consider biometric authentication highly secure as it relies on the uniqueness of the traits.

However, it may require components including a reader, hardware, and software to capture the biometric data and process it. As MFA integrates artificial intelligence and machine learning, authentication methods are becoming more sophisticated.

Benefits of implementing MFA

Administrators introduced MFA to enforce the security of access to systems and applications. The main purpose was to ensure the integrity of users' digital transactions by verifying their identity before any activity took place. Multi-factor authentication has many benefits when it comes to account security and protecting data.

Enhanced security

MFA adds an extra layer of protection to the authentication process. By requesting additional factors beyond a username and password, MFA significantly reduces the risk of cyber threats. For example, for Gmail, you need the second factor when signing in from a new device or location.

Protection against unauthorized access

Implementing MFA prevents cybercriminals from accessing your online accounts. Even if they steal your password, they would also need access to your phone or fingerprint to log in. Additionally, MFA protects against phishing attacks and other deceptive threats.

Compliance with regulatory requirements

Compliance with regulatory requirements is a crucial aspect of implementing multi-factor authentication. MFA helps organizations meet various regulatory standards, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).

Mitigation of account takeovers

Account takeover attacks are a growing concern for individuals and businesses alike. Once hackers manage to steal your login credentials, they can wreak havoc by conducting fraudulent activities. By requiring multiple factors of authentication, MFA ensures your account remains secure.

Convenience and compatibility

MFA often uses mobile apps or text messages, which is convenient since most people have their phones with them at all times. Many popular services, like Facebook and Gmail, support MFA.

Furthermore, modern MFA solutions have improved user experience. They provide options like biometric authentication and mobile apps that generate unique codes. The process of providing the necessary information is seamless.

Disadvantages of MFA

There are a few disadvantages to using multi-factor authentication for your logins. For one, the biometrics used in MFA are irrevocable for life. Biometric data, such as a fingerprint, is unique to each individual and cannot be changed if compromised or stolen.

Furthermore, MFA verification can fail if there's an Internet or network outage. Additionally, someone can steal phones or hardware tokens, making these variations less secure.

MFA also requires regular upgrades. Administrators must constantly upgrade MFA techniques to protect against malicious actors who work incessantly to break them.

Multi-factor authentication vs. two-factor authentication

Multi-factor authentication and two-factor authentication are both security measures designed to enhance access control. They require users to provide additional verification beyond just a password. However, they differ in the number of factors that they utilize as well as their complexity.

Comparison of multi-factor authentication (MFA) and two-factor authentication (2FA):

Number of factors
  MFA: Involves the use of two or more authentication factors, which can include something you know, something you have, and something you are
  2FA: Involves only two authentication factors, typically something you know and something you have

Security
  MFA: Considered more secure because it requires at least two authentication factors, making it less susceptible to attacks
  2FA: More secure than single-factor authentication, but still vulnerable to certain attacks, such as those that intercept one-time codes sent via SMS

User experience
  MFA: Potentially more complex for users, though it can offer a smoother user experience when well-implemented
  2FA: Simpler for users because it requires only two steps

In general, all 2FA is MFA, but not all MFA is 2FA. Two-factor authentication is a subset of multi-factor authentication.

Addressing the challenges of MFA

Many users may hesitate to embrace MFA due to usability challenges. The need to remember multiple passwords, for example, may cause confusion. Furthermore, MFA may present other hurdles like integration issues.

Therefore, administrators have developed four approaches to simplify MFA for users. These approaches are meant to address the challenges of MFA and simplify the process to make it more accessible.

  1. Single sign-on (SSO). This method enables users to log in once and gain access to multiple applications without the need to reenter their credentials for each one. Single sign-on simplifies the user experience by reducing the number of times users need to authenticate themselves without compromising security.
  2. Biometric authentication. Biometric authentication methods may be more user-friendly because they leverage something that the user is familiar with. Users find these methods convenient as they eliminate the need for physical tokens.
  3. Mobile authentication apps. Mobile authentication apps like Google Authenticator simplify the process by generating time-based one-time passwords. Users install the apps on their smartphones, link them to their accounts, and receive temporary codes when needed.
  4. Push notifications. Some MFA solutions offer push notifications directly to users' mobile devices. When users attempt to log in, they receive a notification on their registered device asking if they are trying to log in. Users can confirm or deny the login attempt with a simple tap.

Frequently asked questions

What is adaptive multifactor authentication?

Adaptive multifactor authentication is a security measure that dynamically adjusts the authentication requirements based on the risk level of a user's login attempt.

What is an MFA device?

An MFA device is a physical or software token that generates a one-time passcode or other verification factor to be used in conjunction with a password when logging into an account.

How do I set up MFA on a mobile device?

To set up MFA on a mobile device, install a supported authentication app. Link it to your accounts and follow the app's setup instructions, which typically involve scanning QR codes or entering the codes that the service provides.