Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login or other transaction. Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, verified through biometric methods.
The goal of MFA is to create a layered defense that makes it more difficult for an unauthorized person to access a target, such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.
In the past, MFA systems typically relied on two-factor authentication (2FA). Increasingly, vendors are using the label multifactor to describe any authentication scheme that requires two or more identity credentials to decrease the possibility of a cyber attack. Multifactor authentication is a core component of an identity and access management framework.
Why is MFA important?
MFA is important because its primary purpose is to enhance a user's or an organization's security. It does this by requesting more than just a username and password for users to identify themselves. Although usernames and passwords are still necessary, when used alone they are more vulnerable to being stolen by third parties or guessed through brute-force attacks. When organizations use MFA factors, like a physical hardware badge or a biometric thumbprint, users and their organization have increased confidence that their accounts, devices and information will stay safe.
Cybercriminals' goal is to steal personal information and use it for unauthorized gain. If an organization or user has an enforced and effective MFA strategy, it creates a first line of defense against cyberattackers. An effective MFA security plan could potentially save organizations and users from identity theft, loss of private data and the time and money it would take to resolve these issues.
What is MFA?
MFA, or multi-factor authentication, is an authentication method in which the user has to provide two or more types of verification to access their online account, application or virtual private network (VPN). Multi-factor authentication is one of the core components of a secure identity and access management (IAM) policy.
MFA creates an additional layer, or multiple layers, of protection beyond the typical username and password. The first verification factor is what the user knows: their username and password. The second verification factor is what the user has: an authentication code or security token. The third and any additional verification factors are also security tokens the user has, or they can be what the user is, such as a biometric verification.
Combining verification factors increases security for the user's accounts. It creates a layered system of defense, making it harder for an unauthorized person to gain access to the user's account and reducing the chances of a cyberattack succeeding. It also prevents an unauthorized user from gaining access to the computing device or the user's information, such as their physical location, network or database. If one of the verification factors becomes broken or compromised, the cyberattacker still has one or more barriers to break through before reaching their target.
Main types of MFA
There are three main categories of MFA based on the type of information:
This category covers things the user knows (knowledge), like a personal identification number (PIN) or password. Examples of knowledge multi-factor authentication include:
This category covers things the user has (possession), like a smartphone or digital badge. Examples of possession multi-factor authentication include:
This category covers things the user is (inherence), such as biometrics like voice recognition or fingerprints. Examples of inherence multi-factor authentication include:
How does MFA work?
MFA works by creating a layered system of defense that requires additional factors, or verification information. One-time passwords (OTPs) are the most common form of MFA a user may encounter. An OTP is a code of four to eight digits that the user receives through a text message, email or application. A new OTP code is generated for every authentication request and only works for a specified amount of time. The OTP code is generated from an incremented counter, a time value, or a seed value assigned at the user's registration.
Other types of MFA
MFA methods are becoming more sophisticated as they integrate with artificial intelligence (AI) and machine learning. Some of the new MFA methods include:
Location-based MFA methods use the user's IP address and geolocation to block access when they do not match the information on a whitelist. This information can also be used as its own form of authentication, alongside other verification factors such as an OTP or password, to verify the user's identity.
The most common way to verify geolocation is with the user's smartphone, since most users carry a smartphone on their person and most smartphones contain a GPS device. A smartphone with GPS capability provides reasonable assurance about the login location.
Sometimes, the current time of day or night is treated as an authentication factor. The system may check a user's work schedule against their employee ID to ensure the user is attempting to log in at an appropriate time. Location-based MFA and time-based MFA can be used together to prevent a user's account from being hijacked.
For example, a credit card customer can't possibly use their credit card in their hometown and then, an hour later, use that same card in a foreign country like Italy. The combination of incompatible location and time would flag the card to be locked and alert the bank to possible fraud.
Risk-based authentication, or adaptive authentication, analyzes additional verification factors by taking behavior and context into consideration during authentication. It then assigns a value or risk level associated with the login attempt, for example:
Depending on the risk value assigned to the login attempt, the system can determine whether a user gains access or is prompted for more authentication factors. For example, if a user normally logs in to their account every morning at 8:00am from their office, it may prompt them just to enter their username and password. If that same user tries to log in to their account at 10:00pm from a coffee shop, it may prompt them to enter an OTP texted to their smartphone.
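The location, time-of-day and impossible-travel signals described above can be combined into a single risk score that drives the allow / step-up / deny decision. The following Python is an added example written for this page (not from any product): the allowlisted IP range, the 8:00-18:00 working window, the 900 km/h travel threshold, the point weights and the thresholds are all constructed assumptions, as are the three sample login events, which mirror the office, coffee-shop and Italy scenarios in the text.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class LoginEvent:
    """One login attempt with the context signals the policy looks at."""
    username: str
    ip: str
    lat: float          # geolocation of the client, e.g. from the phone's GPS
    lon: float
    time: datetime      # assumed to be in the user's local time zone


# Constructed policy: corporate egress range (documentation prefix), work hours,
# and the fastest plausible travel speed between two consecutive logins.
OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]
WORK_HOURS = range(8, 18)
MAX_TRAVEL_KMH = 900.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(prev: LoginEvent, cur: LoginEvent) -> bool:
    """True if reaching `cur` from `prev` would require an implausible speed.
    Elapsed time is floored at one minute so near-simultaneous logins from
    distant places are still caught rather than dividing by zero."""
    hours = max((cur.time - prev.time).total_seconds() / 3600.0, 1 / 60)
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    return distance / hours > MAX_TRAVEL_KMH


def risk_score(prev: LoginEvent, cur: LoginEvent) -> int:
    """Additive risk: each anomalous signal contributes a fixed weight."""
    score = 0
    if not any(ip_address(cur.ip) in net for net in OFFICE_NETWORKS):
        score += 20     # unfamiliar network
    if cur.time.hour not in WORK_HOURS:
        score += 20     # outside the user's normal schedule
    if impossible_travel(prev, cur):
        score += 60     # location incompatible with the previous login
    return score


def assess(prev: LoginEvent, cur: LoginEvent) -> str:
    """Map the score to an action: password only, password + OTP, or refuse."""
    score = risk_score(prev, cur)
    if score >= 60:
        return "deny"
    if score >= 20:
        return "step_up"      # prompt for a second factor such as an OTP
    return "allow"


# Constructed sample events. Coordinates are approximate city centres.
YESTERDAY_OFFICE = LoginEvent("alice", "203.0.113.10", 41.88, -87.63, datetime(2024, 3, 1, 8, 0))
TODAY_OFFICE = LoginEvent("alice", "203.0.113.10", 41.88, -87.63, datetime(2024, 3, 2, 8, 0))
COFFEE_SHOP = LoginEvent("alice", "198.51.100.7", 41.90, -87.65, datetime(2024, 3, 2, 22, 0))
NOON_OFFICE = LoginEvent("alice", "203.0.113.10", 41.88, -87.63, datetime(2024, 3, 2, 12, 0))
ROME_HOUR_LATER = LoginEvent("alice", "198.51.100.9", 41.90, 12.50, datetime(2024, 3, 2, 13, 0))

if __name__ == "__main__":
    print("office, 8am   :", assess(YESTERDAY_OFFICE, TODAY_OFFICE))
    print("cafe, 10pm    :", assess(TODAY_OFFICE, COFFEE_SHOP))
    print("Rome, 1h later:", assess(NOON_OFFICE, ROME_HOUR_LATER))
```

In practice the previous-login record comes from the session or audit store, and the "deny" outcome is what feeds the lock-and-alert path described for the credit card case; the weights would be tuned against real login history rather than fixed by hand.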
MFA example scenarios
Here are some example scenarios of typical multi-factor authentication:
To support the MFA scenarios listed above, certain technologies are necessary. Here is a description of those technologies:
What is meant by MFA?
- Things you know (knowledge), such as a password or PIN.
- Things you have (possession), such as a badge or smartphone.
- Things you are (inherence), such as a biometric like fingerprints or voice recognition.
What is an MFA example?
- Log in to your Office 365 Control Panel.
- From the left menu, select Office 365 Admin Center.
- From the top menu, select Multi-factor authentication.
- Select the check box next to the user you need to enable multi-factor authentication for.
- Under quick steps, select Enable.
Why do I need an MFA?
What is an MFA certificate?