What is multi-factor authentication?
Multi-factor authentication (MFA) is an access control process that grants a user access to a network, system, or application only after the user has proven their identity with more than one credential, or authentication factor. Most commonly this combines a username and password with a second factor: a verification code or one-time password (OTP) delivered by text message or email, a code or cryptographic response from an authenticator app or hardware token, or a biometric identifier.
By requiring multiple authentication factors, organizations can significantly improve their security posture. Even if the primary factor (typically the password) is compromised, access is not granted unless the requester also possesses or controls the second authentication factor.
Importance of multi-factor authentication
Analysis from the CrowdStrike® Counter Adversary Operations team indicates that 80% of breaches are identity-driven. Identity-driven attacks are extremely challenging to detect using traditional security measures and tools because these solutions are typically not designed to monitor the activity of approved users or to detect when an authorized user’s credentials have been compromised.
MFA is a core component of a strong identity and access management (IAM) framework. It is, however, primarily an access control rather than a detection or response tool.
Put another way, although MFA can deny access to a requester who cannot produce the required factors, it cannot distinguish a legitimate user from an attacker who has obtained, relayed, or coerced those factors. And once access is granted to the network, application, endpoint, or system, MFA plays no further role: it cannot detect or stop identity-driven attacks carried out with a valid session.
As such, organizations should consider MFA as one component within their broader IAM framework and one link within the broader cybersecurity strategy and architecture.
Multi-factor authentication vs. two-factor authentication (2FA)
Two-factor authentication (2FA) is a term often used interchangeably with MFA. Strictly, 2FA is the form of multi-factor authentication that uses exactly two factors, whereas MFA requires at least two. In either case the factors should come from different categories (something you know, something you have, something you are, described below); a password plus a second password is still a single factor.
Most deployments follow the 2FA model, but some organizations require additional or stronger factors when an attempt looks risky, for example when a user tries to sign in from an unusual or suspicious location or from a device that has not been seen before. This is often called step-up or risk-based authentication.
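The step-up decision described above can be expressed as a small policy. The following is an added example (not code from the original page or from any vendor named on it) that compares a sign-in attempt with the user's last successful one and demands more factors for a new device, a new country, or impossible travel; the 900 km/h threshold, the factor names, and the sign-in records are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// SignIn is a constructed record of one sign-in attempt (user, remembered device, geo-IP result, time).
type SignIn struct {
	User     string
	DeviceID string    // identifier of a previously remembered device, e.g. a device cookie
	Country  string    // ISO country code from a geo-IP lookup
	Lat, Lon float64   // approximate coordinates from the same lookup
	At       time.Time // time of the attempt
}

// Decision is the set of factors the policy demands for this attempt.
type Decision string

const (
	// Password plus the remembered-device cookie: the device is the possession factor.
	PasswordPlusDevice Decision = "password+remembered-device"
	// New device or new country: require a one-time code as well.
	PasswordPlusOTP Decision = "password+otp"
	// Impossible travel: require the strongest registered factor.
	PasswordPlusHardwareKey Decision = "password+hardware-key"
)

// maxPlausibleKmh is an assumed threshold: faster than a commercial flight is treated as impossible travel.
const maxPlausibleKmh = 900.0

// haversineKm returns the great-circle distance in kilometres between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat := rad(lat2 - lat1)
	dLon := rad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// Policy remembers each user's last successful sign-in and the devices they have used.
type Policy struct {
	last    map[string]SignIn
	devices map[string]map[string]bool
}

func NewPolicy() *Policy {
	return &Policy{last: map[string]SignIn{}, devices: map[string]map[string]bool{}}
}

// Evaluate decides which factors to demand for an attempt, checking the most severe signal first.
func (p *Policy) Evaluate(s SignIn) Decision {
	prev, seen := p.last[s.User]
	if !seen {
		// Nothing to compare against yet: always require a second factor.
		return PasswordPlusOTP
	}
	hours := s.At.Sub(prev.At).Hours()
	if hours < 1.0/3600 {
		hours = 1.0 / 3600 // clamp to one second so a same-instant attempt does not divide by zero
	}
	if haversineKm(prev.Lat, prev.Lon, s.Lat, s.Lon)/hours > maxPlausibleKmh {
		return PasswordPlusHardwareKey
	}
	if !p.devices[s.User][s.DeviceID] || s.Country != prev.Country {
		return PasswordPlusOTP
	}
	return PasswordPlusDevice
}

// Record stores a successful sign-in so that later attempts are judged against it.
func (p *Policy) Record(s SignIn) {
	p.last[s.User] = s
	if p.devices[s.User] == nil {
		p.devices[s.User] = map[string]bool{}
	}
	p.devices[s.User][s.DeviceID] = true
}

func main() {
	p := NewPolicy()
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	london := SignIn{User: "alice", DeviceID: "laptop-1", Country: "GB", Lat: 51.51, Lon: -0.13, At: t0}
	fmt.Println("first sign-in:", p.Evaluate(london))
	p.Record(london)
	sydney := SignIn{User: "alice", DeviceID: "laptop-1", Country: "AU", Lat: -33.87, Lon: 151.21, At: t0.Add(2 * time.Hour)}
	fmt.Println("two hours later from Sydney:", p.Evaluate(sydney))
}
```

Geo-IP coordinates are coarse, so a real policy uses a generous speed threshold and treats the result as a signal to demand more proof, not as proof of compromise by itself.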
How does multi-factor authentication work?
MFA works by requiring one or more verification factors in addition to a traditional user ID and password. It usually follows the same process:
- Registration: The user first proves their identity to the MFA system (for example, during onboarding with an existing credential) and then enrolls the devices or channels that will supply the second factor, such as a phone running an authenticator app, a hardware token, an email address, or a phone number. For an authenticator app, this step shares a secret seed between the app and the server.
- Authentication: When the user later signs in to a website or application that requires MFA, they are prompted for their username and password and then for a response from one of the registered devices.
- Response: The user completes the request. Depending on the method, they type the code shown on or sent to the registered device, approve a push notification, or press the button on a hardware key.
Common multi-factor authentication types and methods
Most authentication methods fall into one of the following categories of factor:
1. Something you know (knowledge-based)
This refers to any knowledge-based credential. It is the simplest, most common form of verification. This category includes PINs, passwords created by the user, and answers to security questions.
Methods
- One-time passwords: OTPs are the most widely used second factor. An OTP is a short numeric code that is either delivered out of band (by email or SMS) or generated locally by an authenticator app such as Google Authenticator, Microsoft Authenticator, or Salesforce Authenticator. A code is replaced after a fixed interval (time-based OTP, typically every 30 seconds) or each time a new one is requested (counter-based or delivered OTP). App-generated codes are derived from a secret seed shared with the server at registration and the current time, so the server can compute the same code and check it without the seed ever being transmitted. Strictly, an OTP proves possession of the device or seed rather than knowledge, which is why it appears again under possession-based factors below. Codes delivered by SMS or email are the weakest variant, since they can be intercepted, and any typed code can be relayed by a phishing page in real time.
- Personal security questions: You may be asked to answer personal security questions, meaning questions whose answers are supposed to be known only to you. Common examples are your grandmother's maiden name, the name of your childhood best friend, the city you were born in, the name of your first pet, and the street you lived on as a child. Because such answers are often discoverable from public records, data breaches, or social media, security questions are a weak factor and are better confined to low-risk account recovery than used as a second factor at sign-in.
2. Something you have (possession-based)
Possession-based factors require the user to hold something: a device, a security token, or a certificate. In practice this is an authenticator application such as Google Authenticator or Microsoft Authenticator, a hardware token, or a time-limited OTP delivered by text, email, or secure link.
Methods
- One-time password: OTP is also counted as a possession factor, because the code can only be read from a device you hold, such as a smartphone or a hardware token.
- Smartcards and cryptographic hardware tokens: These are physical devices that perform cryptographic operations such as signing and decryption with a private key that is generated and held inside a tamper-resistant secure element; the key never leaves the device, so it cannot be copied or replayed the way a typed code can. They are used for computer login (for example, Windows smart card sign-in) and for digital-signature-based authorization of transactions. Smartcards may be contactless or require a dedicated reader, while hardware tokens typically connect over USB or NFC.
- Hardware OTP tokens: Common in the banking sector, these are dedicated devices that generate single-use codes from a secret key provisioned into the device, a copy of which is held by the server. At login the server computes the code it expects from its own copy of the key and the current time or counter and compares it with the code the user types; the keys themselves are never transmitted.
- Soft token software development kits (SDKs): This method embeds cryptographic operations such as digital signatures in a mobile app to authenticate both the user and the device. Soft token SDKs offer a frictionless experience, since the user does not have to switch between applications or carry a separate hardware device.
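The challenge-response exchange behind smartcards and cryptographic hardware tokens, as an added example that is not code from the original page or from any vendor it names: the token (a constructed stand-in for a secure element) holds an Ed25519 private key and exposes only a signing operation; the server records the public key at enrollment, issues a random nonce per login, and accepts a signature over that nonce exactly once. The user name and the 32-byte nonce size are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Token models a smartcard or cryptographic hardware token (constructed stand-in: a real device
// keeps the private key in a secure element and exposes nothing but the signing operation).
type Token struct{ priv ed25519.PrivateKey }

// NewToken generates the key pair "inside" the token and hands out only the public half,
// which is what the verifier records at enrollment.
func NewToken() (*Token, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv}, pub
}

// Sign is the token's only operation; the private key never leaves it.
func (t *Token) Sign(challenge []byte) []byte { return ed25519.Sign(t.priv, challenge) }

// Verifier is the server side: one registered public key per user plus the outstanding
// challenge for each user, kept so that every challenge is used at most once.
type Verifier struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key captured when the token was enrolled.
func (v *Verifier) Register(user string, pub ed25519.PublicKey) { v.keys[user] = pub }

// Challenge issues a fresh random 32-byte nonce. A new challenge replaces any outstanding one.
func (v *Verifier) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	v.challenges[user] = nonce
	return nonce
}

// Authenticate checks that the response is a valid signature, by the registered key, over the
// nonce this server issued and has not yet consumed. The nonce is consumed on every attempt,
// so a captured response cannot be replayed.
func (v *Verifier) Authenticate(user string, nonce, signature []byte) bool {
	pub, registered := v.keys[user]
	issued, pending := v.challenges[user]
	if !registered || !pending {
		return false
	}
	delete(v.challenges, user) // single use, whether or not the signature verifies
	if !bytes.Equal(nonce, issued) {
		return false
	}
	return ed25519.Verify(pub, nonce, signature)
}

func main() {
	token, pub := NewToken()
	server := NewVerifier()
	server.Register("alice", pub)

	nonce := server.Challenge("alice")
	response := token.Sign(nonce) // on a real device: the user inserts or taps the card and a PIN unlocks signing
	fmt.Println("login accepted:", server.Authenticate("alice", nonce, response))
	fmt.Println("replay accepted:", server.Authenticate("alice", nonce, response))
}
```

The single-use nonce stops replay of a captured response but not a real-time relay: an attacker who proxies the login page can forward the server's nonce to the victim's token and return the signature. Protocols such as FIDO2/WebAuthn close that gap by having the token sign the web origin together with the challenge, so a signature obtained through a look-alike site does not verify for the real one.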
3. Something you are (inherence-based)
This is the most challenging verification factor to mimic. It includes biometric identifiers based on physiological characteristics such as fingerprints, facial recognition, iris scans, or behavioral characteristics such as keystroke patterns.
Methods
- Biometrics: Another common MFA technique measures innate characteristics such as fingerprints, facial features, iris or retina patterns, or voice to confirm the user's identity. Although initially regarded as an extremely strong factor, enthusiasm waned when it became clear that spoofs such as 3D-printed or AI-generated fingerprints could defeat some sensors. Two further caveats apply: a biometric cannot be changed if its template is leaked, and a match only proves that a matching sample was presented, so well-designed systems match the biometric locally on the device and use the result to unlock a stored cryptographic credential rather than sending the biometric itself to the server.
- Behavioral analytics: Less commonly, organizations may use behavioral biometrics to confirm a user's identity. This method relies on uniquely identifiable and measurable patterns in an individual's behavior. For example, keystroke dynamics analyzes the speed, rhythm, and pressure of typing to confirm that the person at the keyboard is the expected user.
Benefits of multi-factor authentication
MFA offers many important benefits to organizations, including:
Benefits | Description |
---|---|
1. Stronger security | Despite not being a security tool in the technical sense, MFA is an important line of defense for organizations in that it grants access to systems and networks only to fully authenticated users. Enforcing the use of one or several MFA factors via an OTP, biometric indicator, or physical hardware key makes it far more difficult for hackers and other cybercriminals to gain access to the system under the guise of a legitimate user. This not only means that cybercriminals must identify an alternative avenue for access but that traditional security measures are far more likely to be able to detect and stop such activity. |
2. Seamless accessibility for remote workers | The widespread shift to hybrid and remote work has dramatically increased organizations’ exposure to cyberattacks and breaches as workers access company applications, documents, and data via personal networks and devices. At the same time, workers experience login fatigue when they are required to sign in to multiple accounts in a single work session. When paired with advanced login techniques such as SSO, MFA adds a layer of security and simplifies the sign-in process for legitimate users. The moment the user has been validated in SSO, the system automatically logs them in, and they gain access to the application or document without needing to sign in to each application individually. |
3. Improved regulatory compliance | Corporate data and identity security are of heightened importance to businesses in high-risk sectors such as healthcare, education, medical research, finance, and defense. Many IT departments believe they comply with leading cybersecurity standards even though research shows that many do not. Multi-factor authentication is often mandatory for compliance with industry regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS), the industry standard for organizations that store, process, or transmit payment card data, requires MFA for all access into the cardholder data environment in order to keep unauthorized users out of those systems. |
Challenges with multi-factor authentication
As with any technology, implementation and operation of MFA can create challenges for organizations. For example:
- If an employee loses a phone or other personal device that holds a factor, they lose access until the factor is reset, which affects their productivity. The reset and recovery path (helpdesk verification, backup codes, fallback to SMS) then sets the effective strength of the whole scheme, because an attacker who cannot defeat the factor will try to get it reset instead.
- Biometric factors require a thorough and accurate initial enrollment. A poor initial capture raises the rate of false acceptances and false rejections later.
- MFA verification may become temporarily unavailable if a business experiences a network or internet outage, since the verifying server must be reachable even for factors such as TOTP or hardware tokens that need no connectivity on the user's side.
The future of multi-factor authentication
MFA is by no means a foolproof security process. Just as cybercriminals work around the clock to develop new techniques to breach networks, they are also finding ways around MFA: relaying codes through real-time phishing proxies, bombarding a user with push prompts until one is approved (push fatigue), taking over a phone number to receive SMS codes (SIM swapping), and stealing the post-authentication session cookie so that no second factor is requested at all. To mitigate these weak spots, MFA techniques must be continuously upgraded against evolving threats and reinforced by other security tools and solutions.
In addition to implementing MFA, organizations should consider improving their security posture through the following identity security best practices, which are designed to limit network access and account privileges and contain a hacker’s movement in the event of a breach:
- The principle of least privilege (POLP): The POLP is a computer security concept and practice that gives users limited access rights based on the tasks necessary to their job. It ensures only authorized users whose identities have been verified have the necessary permissions to execute jobs within certain systems, applications, data, and other assets. It is widely considered to be one of the most effective practices for strengthening an organization’s cybersecurity posture because it allows organizations to control and monitor network and data access.
- Zero Trust: Zero Trust is a security framework requiring authentication, authorization, and continuous validation of all users (whether they are inside or outside the organization’s network) before they receive access to applications and data. It combines advanced technologies such as risk-based MFA, identity protection, next-generation endpoint security, and robust cloud workload technology to verify a user’s or system’s identity, consider access at that moment in time, and maintain system security. Zero Trust also requires data encryption, securing email, and verifying the hygiene of assets and endpoints before they connect to applications.
- Privileged access management (PAM): PAM is a cybersecurity strategy that focuses on maintaining the security of privileged credentials.
- Identity segmentation: Identity segmentation is a method to restrict user access to applications or resources based on identities.
- IT hygiene: An IT hygiene tool provides visibility into how credentials are used across the organization so that potentially malicious administrative activity can be detected. Account monitoring lets security teams look for accounts created by attackers to maintain access, and credential monitoring ensures that passwords known or suspected to be compromised are changed promptly, so stolen credentials do not remain usable indefinitely.