Article
What is multi-factor authentication (MFA)?
Multi-factor authentication (MFA) is an advanced, layered authentication framework that requires at least two independent forms of verification to validate the identity of a user and grant access to a resource, such as applications, servers, or VPNs. The goal of multi-factor authentication is to provide a tiered defense to stop an unauthorized person from accessing a target (e.g., physical location, computing device, network, database) by making it more difficult to access. With multi-factor authentication, if one factor is compromised, there is at least one additional barrier to access.
A core component of identity and access management (IAM) frameworks, multi-factor authentication increases the threshold for access to resources. Although two-factor authentication is technically a form of multi-factor authentication, more than two factors are usually used.
Why multi-factor authentication is necessary
The main reason that multi-factor authentication is necessary is that it enhances organizations’ overall security posture. It takes username / password credentials to a new level that dramatically increases access protection efficacy. Adding additional factors beyond the password helps prevent password breaches, stopping hackers using stolen credentials from entering the account.
In addition, multi-factor authentication helps overcome non-secure behaviors that come naturally to users but make their credentials susceptible to brute-force attacks. These include:
- Reusing passwords
- Saving password information on sticky notes or in digital locations (e.g., documents, spreadsheets, contacts)
- Using predictable passwords
Benefits of multi-factor authentication
- Adapts to different use cases
- Adds layers of security at the hardware, software, and personal identification levels
- Allows administrators to enforce policies that restrict access for the time of day or location
- Can be easily set up by users
- Decreases administration management costs by focusing efforts on behavior that has been flagged as suspicious rather than requiring admins to monitor all activity
- Eliminates the need for users to store, remember, and manage different passwords across multiple accounts
- Employs a multi-layered defense system that prevents unauthorized users or cyber criminals from accessing resources, such as an account, device, network, or database
- Enables use of one-time passwords (OTPs) that are randomly generated in real time—sent via text or email
- Ensures compliance with rules set forth by corporate governance, governments, and industry standards
- Improves user trust by protecting personal information
- Includes an option for offline access for users who are without internet connectivity
- Increases productivity by making it easy for users to access resources from any device or location without compromising overall security
- Monitors user activity to identify anomalies, such as processing high-value transactions or accessing sensitive information from unknown networks and devices
- Offers a scalable cost structure to fit budgets of all sizes
- Prevents fraud by ensuring that users are who they represent themselves to be
- Reduces security breaches significantly more than passwords alone
- Removes barriers to adoption by creating a low-friction process for users
- Tracks usage according to various risk factors, such as geolocation, internet protocol (IP) address, and time since last login
How multi-factor authentication works
Multi-factor authentication works by requiring additional verification information, referred to as factors, to the standard username and password credentials when a user tries to access a resource. Once authenticated, the user is connected to the resource.
Multi-factor authentication is classified for devices and applications:
- MFA for devices verifies a user when they log in.
- MFA for applications verifies a user to give them access to one or more applications.
Adaptive multi-factor authentication
Adaptive multi-factor authentication, also referred to as risk-based authentication, analyzes additional factors by considering context and behavior. Adaptive multi-factor authentication uses artificial intelligence (AI) to gather and process contextual data to calculate a risk score associated with the login attempt using real-time analytics.
Based on the risk score, the optimal method of user authentication can be determined. For instance:
- Low risk would only require a password
- Medium risk would require multi-factor authentication
- High risk would require additional authentication processes
Adaptive multi-factor authentication is dynamic rather than using a static list of rules for logins. Using AI, it can adapt to users’ behavior and characteristics and then apply the most appropriate type of identity verification for each user session. Factors considered include:
- Device
Is the user attempting to log in using an unsanctioned device? - IP address
Is this the same IP address that the user typically uses when logging into a resource? - Location
Has the user tried to log in to an account from two different locations in a short period of time? Is the login location unusual for the user? Is the user trying to log in from a public network rather than a corporate network? - Sensitivity
Is the user trying to access sensitive information? - Time of login
Does the login time correlate with a user’s normal login times?
Example of adaptive multi-factor authentication
Adaptive multi-factor authentication can identify a user who is trying to log in from a cafe late at night, which is unusual behavior. The user is then prompted to enter a one-time password that is texted to their phone, in addition to providing their username and password.
This would be in contrast to if the user attempted to log in from the office at 8am as they do every day. In this case, they may only be prompted to provide their username and password.
Artificial intelligence (AI) and multi-factor authentication
Adding artificial intelligence (AI) to multi-factor authentication uplevels this security practice in terms of efficacy and efficiency. Cybercriminals continuously evolve and have become adept at stealing users’ credentials. Adding AI to the mix makes it much more difficult for thieves to pass through multi-factor authentication protections.
AI-based multi-factor authentication systems learn and adapt over time to stay ahead of cyber criminals while avoiding impacts to end users.
AI-enabled MFA can be used to verify users’ identities based on their behavior. For example, behavioral biometrics can track everything from how users hold their phones to their unique gaits.
AI-enabled multi-factor authentication also includes:
- Biometrics authentication
- Face recognition
- Fingerprint recognition
- Iris recognition
- Palm recognition
- Voice recognition
Multi-factor authentication examples
Biometric verification
Smart devices or computers with biometric authentication capabilities can verify identity. Biometrics are increasingly used as part of multi-factor authentication as it provides users with a low-friction login step and increases security as it is impossible to spoof.
Email token authentication
With email token authentication, users receive an email with a one-time password (OTP). This OTP and one or more authentication methods are used to verify the user’s identity. It is often offered as an alternative to SMS token authorization for users who do not have a mobile phone handy.
Hardware token authentication
Hardware tokens are used for multi-factor authentication to add an additional level of security. While this is more expensive than using email or text token authentication, it is considered the most secure authentication method. Hardware tokens must be inserted into a device to validate the user’s identity and gain access to the device.
Social login authentication
Social login, or social identity verification, can be used for multi-factor authentication if a user is already logged into a social media platform. While considered riskier than other authentication factors, it can be effective when used with other methods of identity verification.
Software token authentication
Authentication applications on smart devices can be used for multi-factor authentication. This application turns the smart device into a token that can be tied to authentication services for multi-factor authentication.
Risk-based authentication
Risk-based authentication (RBA) supports multi-factor authentication by monitoring behavior and activity (e.g., location, device, keystrokes). Based on the findings, RBA can inform the frequency of multi-factor authentication checks to increase security and minimize risk.
Security questions
A type of knowledge-based authentication (KBA), static security, or dynamic questions can be used for multi-factor authentication. With static questions, users provide answers to questions during their account setup, and then these are randomly presented for identity verification during the login process.
Dynamic questions are generated in real-time using publicly available information. Usually, users are presented with a question and a series of answers (e.g., what city were you born in, have you lived at any of these addresses, were any of these once your phone number). To verify their identity, they must select the correct answer.
Short message service (SMS) authentication
For SMS token authentication, a message is sent via text message with a personal identification number (PIN). The PIN is used as an OTP with one or more factors.
SMS token authentication is a relatively simple multi-factor authentication method to implement. It is commonly offered as an alternative delivery method to email token authentication.
Time-based one-time passcode authentication
Time-based one-time passwords (TOTPs) are generated when a user attempts a login and expire after a set time. TOTPs are sent to users’ smartphones or computers via SMS or email.
Multi-factor authentication methods
Multi-factor authentication works by combining several methods of authentication. The primary MFA methods are based on three types of information used for identity verification:
- Knowledge or things the user knows
- Possession or things the user has
- Inherence or things the user is
- Time-based authentication
Multi-factor authentication knowledge category
With multi-factor authentication, knowledge-based identity verification requires the user to answer a security question. For multi-factor authentication, examples of knowledge include:
- Answers to security questions (e.g., where the user was born, their favorite color, their high-school mascot, their mother’s maiden name)
- OTPs
- Passwords
- PINs
Multi-factor authentication possession category
A possession factor with multi-factor authentication requires an object in the user’s possession to log in, since this would be difficult for a cybercriminal to acquire. Objects included in the MFA possession category include:
- Badges
- Key fobs
- Keychains
- Mobile phones
- Physical tokens
- Smart cards
- Soft tokens
- Universal serial bus (USB) keys
Multi-factor authentication inheritance category
In multi-factor authentication, any of the user’s biological traits can be confirmed for identity verification. Inherence factors include the following biometric verification methods:
- Facial recognition
- Fingerprint scan
- Voice authentication
- Retina or iris scan
- Voice authentication
- Hand geometry
- Digital signature scanners
- Earlobe geometry
Time-based multi-factor authentication
Time can also be used for multi-factor authentication. Time-based authentication can prove a person’s identity by detecting their presence at a specific time and granting access to a certain system or location. For example, an ATM card would be blocked if a withdrawal was made in the U.S. and a second was attempted in China ten minutes later.
Multi-factor authentication best practices
Multi-factor authentication is not difficult to implement, but taking best practices into consideration enables an efficient and effective deployment. The following are commonly cited best practices for implementing and managing MFA systems.
Educate users on the importance of multi-factor authentication and how to use it.
Considered the weakest link in security chains, users play an integral part in the success of an MFA deployment. Taking time to educate them about how the system works and the importance of following the rules provides strong support for the program.
Implement multi-factor authentication across the enterprise.
Avoid gaps that can undermine multi-factor authentication by including all access points, across the organization, in deployments. Be sure to include remote network access in MFA deployments to account for remote, distributed users on all systems.
Include adaptive multi-factor authentication.
Use context to create an adaptive, step-up approach to MFA that only prompts users for additional factors based on risk scores rather than as the default.
Offer users a variety of authentication factors.
Improve users’ experience and adoption by offering them the choice of multiple authentication factors. This flexibility avoids a one-size-fits-all approach that users often find cumbersome and restrictive. Giving users choices increases their satisfaction with the system and overall adoption.
Re-evaluate multi-factor authentication deployments.
Conduct assessments on a regular basis to ensure multi-factor authentication deployments are optimized to address current threats and continue to cover all access points.
Take a standards-based approach.
Follow standards to ensure that the multi-factor authentication system operates optimally within the existing IT infrastructure. Standards to consider are Remote Authentication Dial-in User Service (RADIUS), and Open Authentication (OAuth) enables authentication of all users on all devices across all networks.
Use multi-factor authentication in concert with complementary security tools.
Combined with other access control solutions, such as single sign-on (SSO) and least privilege access, multi-factor authentication provides enhanced security.
MFA offers excellent first line of defense
Cyberattacks come from many vectors, but end users are frequent targets. By strengthening end-user access points with multi-factor authentication, even if weaknesses are exploited and credentials are stolen, additional layers of protection are in place.
Leveraging AI and other emerging technologies, multi-factor authentication persists as one of the most efficient solutions for end-user access security. MFA solutions provide effective protection with minimal impact on end users and over-burdened IT administrators.
Take control of your cloud platform.
Learn more about SailPoint’s integrations with authentication providers.