MFA is short for multi-factor authentication. It is a multi-layered approach to verifying a user’s identity in order to ensure they can access a protected website, application, network, or other digital systems or perform a protected task within a digital system.
The purpose of MFA is to ensure that users successfully present two or more identity credentials, called factors, before they are granted access. The prompt for the additional factor usually appears at first login, but not always; sometimes it is placed at specific points throughout a digital experience.
Why is MFA necessary?
Cybercriminals are becoming increasingly sophisticated as time passes. With the aid of advanced tools, they can now generate and test different username and password combinations until they find the combination that will allow them to gain access to the system they wish to breach.
Another problem is that users often pick weak, obvious passwords and repeat them across multiple accounts, giving hackers access to various systems with a single username and password.
Due to this, passwords alone are no longer sufficient to protect sensitive online data. In fact, 81% of all data breaches can be traced to weak or stolen passwords, and the Open Web Application Security Project (OWASP) now encourages all authentication flows to treat passwords as “pre-breached.”
In light of this threat, MFA increases the security of online systems. MFA reduces the probability of unauthorized logins and fraudulent transactions by requiring the use of multiple factors in verifying identity, not just a single password or alternative. Therefore, it has become one of the cornerstones of cybersecurity.
How does MFA work?
Layered security is the basis of multi-factor authentication. Users are required to provide additional forms of identification in an effort to increase the likelihood that they are who they claim to be, thus reducing overall risk.
It is common for a user to be asked to enter all their credentials at first login. Typically they submit their username and password (factor 1), answer a security question (factor 2), then enter a one-time passcode sent to them via text or email (factor 3). After the user has completed all steps, they have access to the entire application.
MFA can also be implemented in a route-based (aka just-in-time) manner. In this scenario, users present one credential at login to gain access and perform essential functions like checking account balances and viewing completed orders. They are only required to provide additional authentication information when accessing sensitive data or performing particularly sensitive tasks within an application they already have access to (e.g., moving money between accounts, making a purchase).
This approach is perceived as more user-friendly, because users who are only looking to perform relatively low-risk functions do not have to go through the friction of multiple security checks.
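The route-based (just-in-time) policy described above, as an added example that is not from the original article: each route is mapped to the assurance level it needs, a session records which level it has reached and when the second factor was last presented, and sensitive routes require that second factor to be fresh. The route names, the freshness window and the fail-closed default for unlisted routes are assumptions for illustration.

```python
from dataclasses import dataclass

# Assurance levels: 1 = first factor (e.g. password) verified,
# 2 = a second factor has also been presented in this session.
LOW_RISK_ROUTES = {"GET /balance", "GET /orders"}          # constructed for the example
SENSITIVE_ROUTES = {"POST /transfer", "POST /purchase", "POST /change-email"}

STEP_UP_FRESHNESS_SECONDS = 300   # how long a second-factor check stays valid (assumed policy)


@dataclass
class Session:
    user: str
    level: int = 1          # highest assurance level reached so far
    level2_at: float = 0.0  # unix time when the second factor was last verified


def required_level(route: str) -> int:
    """Map a route to the assurance level it needs; unknown routes fail closed."""
    if route in LOW_RISK_ROUTES:
        return 1
    if route in SENSITIVE_ROUTES:
        return 2
    return 2  # anything not explicitly classified is treated as sensitive


def authorize(session: Session, route: str, now: float,
              freshness: int = STEP_UP_FRESHNESS_SECONDS) -> str:
    """Return 'allow' or 'step_up_required' for this request.

    Low-risk routes only need the first factor. Sensitive routes need a
    second factor that was presented within the freshness window, so an
    old step-up does not silently cover a later high-value action.
    """
    if required_level(route) == 1:
        return "allow"
    if session.level >= 2 and (now - session.level2_at) <= freshness:
        return "allow"
    return "step_up_required"


def complete_step_up(session: Session, now: float) -> None:
    """Record that the user just passed the second-factor challenge."""
    session.level = 2
    session.level2_at = now
```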
Types of MFA factors
The benefit of multi-factor authentication isn’t just that it requires more than one form of identification; it also requires different types of identification. These are the most common kinds of factors used in multi-factor authentication:
- Knowledge-based (things a user knows)
- Possession-based (things a user has)
- Inherence-based (things a user is)
Knowledge-based factors include identifying information such as usernames and passwords, PINs, and answers to personal security questions (e.g., Where did you grow up?).
Possession-based factors include hardware and software security tokens (such as a digital certificate or a fob or badge with an embedded chip) as well as a range of mobile-friendly solutions:
- Magic links – a method of instantly logging in through a URL sent to a pre-registered email address
- SMS one-time passcodes (OTPs) – which require the user to enter a unique numeric or alphanumeric code sent by text message to a known mobile phone number
- Time-based one-time passcodes (TOTPs) – which ask users to prove control of their device by entering a passcode that is generated by a smartphone app such as Google Authenticator and is valid only for a short time window
- Push authentication – a method of requesting users’ approval to log in by sending a notification to their device
Inherence-based factors are based on a user’s biological traits. Biometric authentication methods such as fingerprints, iris scans, and voice recognition can serve as this kind of factor. An excellent example of an inherence-based authentication solution is WebAuthn.
MFA vs. two-factor authentication (2FA)
Two-factor authentication (2FA) and multi-factor authentication (MFA) are not fundamentally different. As a subset of multi-factor authentication, two-factor authentication utilizes two verification factors to verify a user’s identity. Multi-factor authentication is an umbrella term for all forms of authentication involving more than one verification factor.
In other words, all two-factor authentication is multi-factor authentication. Still, not all multi-factor authentication is two-factor authentication since some of these applications may require three or even more factors.
Pros and cons of MFA
Compared to single-factor authentication, multi-factor authentication makes it significantly more difficult for hackers to breach a system. It’s a huge advantage, particularly when considering the exorbitant costs incurred by organizations and individuals whose security has been compromised.
MFA can add some friction to the user experience to enhance system security, but that can be mitigated by smart authentication design.
As discussed above, one way to avoid undue hassles and frustrations is to use a route-based, just-in-time approach. A different approach would be to completely eliminate passwords as a verification factor, since entering and remembering passwords creates friction in its own right.
Passwordless authentication methods are simpler and faster than passwords, which helps customer retention. Since they can be easily layered into a multi-factor authentication approach and avoid the security risks posed by weak or compromised passwords, they are inherently more secure.