What is multi-factor authentication (MFA)?

Multi-factor authentication is used as a first line of cyber defense. It seeks to stop unauthorized access at entry points by requiring two or more sets of unique identifiers to validate users’ identities. The authentication factors used by these systems are different and are not accessible from a single source, so if one is compromised, it is unlikely that others are as well.

What is multi-factor authentication: definition and overview

Multi-factor authentication (MFA) is an advanced, layered authentication framework that is a core component of identity and access management (IAM). It increases the threshold for a user to access an account (e.g., applications, systems, servers, or VPNs) by requiring at least two independent forms of verification. With the tiered defense approach of multi-factor authentication, even if one factor is compromised, there is at least one additional barrier to access.

Although multi-factor authentication is an older security approach introduced in the mid-1990s, it persists as one of the most efficient security solutions for end-user access security. This is in part because it provides effective protection with minimal impact on end users and overburdened IT administrators. Additionally, modern multi-factor authentication solutions leverage artificial intelligence (AI), biometrics, and other emerging technologies.

Importance of multi-factor authentication in digital security

Cyber attacks come from many vectors, but end users are frequent targets because they are widely considered to be one of the weakest links in security defense systems. Multi-factor authentication bolsters security at end-user access points, ensuring that even if credentials are stolen, additional layers of protection are in place to prevent unauthorized access.

Multi-factor authentication takes username / password credentials to a new level that dramatically increases access protection efficacy. Requiring additional factors beyond the password, multi-factor authentication helps prevent password-based breaches, which occur when databases of passwords are compromised.

Multi-factor authentication in historical context

Versions of multi-factor authentication predate online services. However, the first commercially available tool was released in 1986 by RSA as a key fob with a screen that presented randomly generated numeric code that served as a second authentication factor after user name / login credentials. This system was used primarily by large companies and government organizations.

Multi-factor authentication became widely available to the general public in 2011. In response to persistent attacks by China, Google introduced a two-factor authentication system. It was rolled out to all users and kicked off the broad use of multi-factor authentication.

The limitations of simple user name/password credentials and the need for multi-factor authentication led President Obama to weigh in on the topic. In February 2016, President Obama’s editorial on the subject was published. In it, he announced a national campaign to speed the advancement and adoption of multi-factor authentication as a security standard. He said he wanted to “encourage more Americans to move beyond passwords — adding an extra layer of security like a fingerprint or codes sent to your cellphone.”

Multi-factor authentication has continued to advance. Modern versions combine multiple elements, such as location, knowledge, passion, and inherence, to verify users’ identities before allowing access. Artificial intelligence and machine learning are also being used to enhance the capabilities of multi-factor authentication solutions.

How does multi-factor authentication work?

Multi-factor authentication works by requiring additional verification information, referred to as factors, to the standard username and password credentials when a user tries to access a resource. Once authenticated, the user is connected to the resource. Multi-factor authentication is classified for devices and applications.

Authentication factors

Email token authentication

Email token authentication sends users a one-time password (OTP). This approach is often offered as an alternative to SMS token authorization for users who do not have a mobile phone accessible to receive a text message.

SMS token authentication

SMS token authentication works in the same way as email token authentication but uses text messages.

Hardware token authentication

While they are more expensive than using email or SMS token authentication, hardware tokens are considered the most secure authentication method. Hardware tokens can be fobs with screens that generate a one-time password or a small device that is inserted into a system to validate the user's identity and grant access.

Software token authentication

Authentication applications can be installed on smart devices to serve as an authentication factor. These applications allow the smart device to be used as a token that can be tied to authentication services for multi-factor authentication.

Time-based one-time passcode authentication

Time-based one-time passwords (TOTPs) are dynamically generated when a user initiates a login. Users are prompted to enter the TOTP, which has been sent to their trusted devices, such as smartphones or computers, via SMS or email. The TOTP is set to be valid for a limited time.

Biometric verification

Identity can be verified with smart devices or computers that have biometric authentication capabilities. Biometrics are increasingly used as part of multi-factor authentication as they provide users with a low-friction login step that is impossible to spoof.

Security questions

Static security or dynamic questions can be used for multi-factor authentication. A type of knowledge-based authentication (KBA), users provide answers to questions during their account setup, and then these are randomly presented for identity verification during the login process. A more advanced approach to security questions is dynamic questions, which are generated in real time using publicly available information. Examples of dynamic questions are:

• What city were you born in?
• Have you lived at any of these addresses?
• Were any of these once your phone number?

Social login authentication

Social login, or social identity verification, leverages social media platforms for authentication. If a user is already logged into a social media platform, it can serve as an authentication factor. This approach is considered riskier than other authentication factors, but it can be effective when used with other authentication factors.

Time-based one-time passcode authentication

Time-based one-time passwords (TOTPs) are generated when a user attempts a login and expires after a set time. Users receive TOTPs on their smartphones or computers via SMS or email.

Step-by-step process

The specific setup process for multi-factor authentication will vary by solution. However, the following are basic steps.

1. Educate and engage users to ensure adoption
2. Establish multi-factor authentication policies
3. Develop a plan that includes a variety of factors to support different needs
4. Consider compliance requirements
5. Create a plan for handling lost devices
6. Phase the deployment
7. Plan for continuous review and optimization

Types of multi-factor authentication methods

Multi-factor authentication combines several types of authentication. The primary MFA methods are based on four types of information used for identity verification—knowledge-based, possession-based, inherence-based, and adaptive.

Knowledge-based (something you know)

Knowledge-based identity verification requires the user to answer a security question. For multi-factor authentication, examples of knowledge include answers to security questions (e.g., where were you born, what is your favorite color, what was your high-school mascot, what is your mother’s maiden name), one-time passwords (OTPs), passwords, and personal identification numbers (PINs).

Possession-based (something you have)

A possession factor requires a user to have an object in their possession to log in since this would be difficult for a cybercriminal to acquire. Objects included in the multi-factor authentication possession category are badges, key fobs, smartphones, physical tokens, smart cards, soft tokens, and USB keys.

Inherence-based (something you are)

For multi-factor authentication, any of a user’s biological traits (i.e., biometrics) can be used for identity verification. Inherence factors include facial recognition, fingerprint scan, voice authentication, retina or iris scan, voice authentication, hand geometry, digital signature scanners, and earlobe geometry.

Adaptive multi-factor authentication

Adaptive multi-factor authentication is also referred to as risk-based authentication. It adds a layer of authentication that considers context and behavior. This approach to authentication is dynamic rather than using a static list of rules for logins. Using AI, it can adapt to users’ behavior and characteristics and then apply the most appropriate type of identity verification for each user session.

Among the factors considered with adaptive multi-factor authentication are the following.

• Device
  Is the user attempting to log in using an unsanctioned device?
• IP address
  Is this the same IP address that the user typically uses when logging into a resource?
• Location
  Has the user tried to log in to an account from two different locations in a short time? Is the login location unusual for the user? Is the user trying to log in from a public network rather than a corporate network?
• Sensitivity
  Is the user trying to access sensitive information?
• Time of login
  Does the login time correlate with a user’s normal login times?

AI is also used to gather and process contextual data to calculate a risk score associated with the login attempt using real-time analytics. Based on the risk score, the optimal method of user authentication can be determined. For instance:

• Low risk would only require a password
• Medium risk would require multi-factor authentication
• High risk would require additional authentication processes

For example, adaptive multi-factor authentication would be able to determine that a login attempt from a cafe late at night is likely suspicious as this is unusual behavior for the real user. With adaptive multi-factor authentication, the login attempt would be followed by a prompt to enter a one-time password that is texted to the user’s phone.

Benefits and challenges of multi-factor authentication

The main benefits of multi-factor authentication revolve around the enhanced security that it provides and its mitigation of cyber threats. Multi-factor authentication delivers these because it can:

• Adapt to different use cases as threats evolve
• Augment security at the hardware, software, and personal ID levels with a layered defense system
• Enforce security policies that restrict access for the time of day or location
• Gain the support of users because it is easy to set up and use
• Allow IT and security admins to focus their efforts on behavior that has been flagged as suspicious rather than requiring admins to monitor all activity
• Enable authentication controls to be enforced during offline access for users who are without internet connectivity
• Reduce security breaches significantly more than passwords alone

Although multi-factor authentication has been widely adopted, it is not without challenges. Users and security professionals cite a number of challenges. Most of these can be overcome without major effort.

A failure to see broad adoption of multi-factor authentication is usually related to how it is deployed. When multi-factor authentication is encouraged but not required, most users take the path of least resistance and skip it. To ensure widespread usage of multi-factor authentication, it needs to be mandatory.

Technical challenges are sometimes associated with multi-factor authentication deployments. In most cases, these challenges are the result of an organization selecting a solution that is too complex or lacks the necessary integrations. Taking time to evaluate resources and requirements up front will help organizations implement a multi-factor authentication solution that is easy for them to implement and maintain.

Complaints about user friction caused by multi-factor authentication are usually caused by a one-size-fits-all model. Using adaptive multi-factor authentication eliminates unnecessary friction, limiting enhanced authentication to specific user scenarios.

Multi-factor authentication FAQ

What is multi-factor authentication?

Multi-factor authentication is a layered identity verification that enhances access controls by requiring users to provide more than one authentication factor. In addition to different factors that only the actual user would have, multi-factor authentication restricts unauthorized access even if a user’s credentials have been compromised.

What are the three main types of multi-factor authentication methods?

The three main types of multi-factor authentication methods are knowledge-based or something you know (e.g., user name and password), possession-based or something you have (e.g., a hard token or message with code received via email or text message), and inherence-based or something you are (e.g., fingerprint).

What is the difference between MFA and 2FA?

Although two-factor authentication is technically a form of multi-factor authentication, it only uses one factor in addition to users’ credentials, while multi-factor authentication adds two or more.

How safe is multi-factor authentication?

Multi-factor authentication is a highly effective identity verification and access control tool when implemented correctly.