Multi-factor Authentication (MFA)

Narendran Vaideeswaran - November 17, 2023

What is multi-factor authentication?

Multi-factor authentication (MFA) is a multi-layered security access management process that grants users access to a network, system, or application only after confirming their identity with more than one credential or authentication factor. This is usually done through the combination of a username, a password, and another factor, such as a verification code or one-time password (OTP) delivered via text or email, a security token from an authenticator app, or a biometric identifier.

By requiring multiple authentication factors, organizations can significantly improve their security posture. This is because even if the primary authentication factor is compromised or disabled, access is not granted unless the user also has possession of or control over the secondary authorization factor.

Importance of multi-factor authentication

Analysis from the CrowdStrike® Counter Adversary Operations team indicates that 80% of breaches are identity-driven. Identity-driven attacks are extremely challenging to detect using traditional security measures and tools because these solutions are typically not designed to monitor the activity of approved users or to detect when an authorized user’s credentials have been compromised.

MFA is considered a core component of a strong identity and access management (IAM) framework. This means that MFA is primarily an access tool as opposed to a security solution.

Put another way, though MFA can prevent access to users who cannot verify their identity, it cannot differentiate between a request from a legitimate user and someone masquerading as one. Further, once the user is granted access to the network, application, endpoint, or system, an MFA solution cannot detect or prevent identity-driven attacks in real time.

As such, organizations should consider MFA as one component within their broader IAM framework and one link within the broader cybersecurity strategy and architecture.

Multi-factor authentication vs. two-factor authentication (2FA)

Two-factor authentication (2FA) is a term sometimes used interchangeably with MFA. Technically speaking, 2FA is a type of multi-factor authentication that limits the user to two authentication credentials, whereas MFA requires at least two forms of authentication.

By default, most MFA systems follow the 2FA model, though some organizations may require additional authentication methods, especially when the user is attempting to log in to the network or access resources from an unusual or suspicious location.

MFA vs. SSO

While MFA works to improve security, single sign-on (SSO) is a system that focuses on improving employee productivity by reducing the number of times they have to enter login credentials to access resources. It essentially gives them one set of master credentials for all resources. SSO works alongside MFA: the user is authenticated with MFA at the first login, and that authentication is then shared with the other applications.

How does multi-factor authentication work?

MFA works by requiring one or more verification factors in addition to a traditional user ID and password. It usually follows the same process:

  1. Registration: MFA systems require multiple forms of ID for users to register. Once registered, the user links devices to be used for the authentication, such as a cellphone or computer. A user can also be authenticated through an email address, phone number, or authenticator app.
  2. Authentication: Once a user and all their devices are registered, when they log in to a website or app that requires MFA, they will be prompted for their username and password and an authentication response from one of their registered devices.
  3. Reaction: The user now has to respond to the authentication request. Depending on the MFA method they chose, they might be prompted to enter a code received on the registered device or to press a button to authenticate.

Common multi-factor authentication types and methods

Most authentication methods can be categorized into one of the following group types:

1. Something you know (knowledge-based)

This refers to any knowledge-based credential. It is the simplest, most common form of verification. This category includes PINs, passwords created by the user, and answers to security questions.

Methods

  • One-time passwords: OTPs are the most commonly used MFA factor. OTPs are numerical codes delivered via email or SMS, or generated by a mobile application like Google Authenticator, Microsoft Authenticator, or Salesforce Authenticator. OTPs are regenerated after a defined time frame has passed or each time a new authentication request is submitted. The code is derived from a seed value assigned to the user upon initial registration combined with an additional time-based factor.
  • Personal security questions: Sometimes, you might be asked to answer personal security questions (i.e., questions that only you could know the answers to). Some answers to common security questions include your grandmother’s maiden name, the name of your childhood best friend, the city you were born in, the name of your first pet, and the name of the street you lived on when you were a child.

2. Something you have (possession-based)

Possession-based credentials require users to generate or receive assets such as a security token or certificate. This can be done through the use of an authenticator application like Google Authenticator or Microsoft Authenticator or a time-sensitive OTP delivered by text, email, or secure link.

Methods

  • One-time password: OTP is also considered a possession-based method because you are required to have a physical device — such as a smartphone or computer — to access the OTP.
  • Smartcards and cryptographic hardware tokens: These are physical devices that can perform cryptographic operations such as decryption and signing, with the internal keys held in an isolated, tamper-resistant enclave so they never leave the device. They can be used for computer login (for example, via Windows smart card sign-in) and for digital signature-based verification to authorize transactions. Smartcards may be contactless or require a dedicated reader, while cryptographic hardware tokens connect over USB.
  • Hardware OTP tokens: Commonly used in the banking sector, hardware OTP tokens are devices that generate single-use codes via a cryptographic key stored inside the device and on the server. During a login, the system authenticates the user by confirming the device key and server key match.
  • Soft token software development kits (SDKs): This verification method uses cryptographic operations such as digital signatures embedded in mobile apps to authenticate the user and device. Soft token SDKs offer a frictionless user experience since the user doesn’t have to switch between applications or utilize a hardware device.
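
The OTP descriptions above (a seed assigned at registration plus a time-based factor, and a server that checks its copy of the key against the device's) describe time-based OTP as standardized in RFC 6238 on top of RFC 4226. The following is an added example, not code from the original article or from any of the authenticator products it names: a minimal TOTP generator and a server-side verifier with clock-drift tolerance, constant-time comparison and replay protection. The secret, step size, digit count and drift window are the RFC defaults; the `last_used_counter` bookkeeping and the `provision_secret` helper are assumptions about how a server would wire this in.

```python
"""Added example (not from the original article): RFC 6238 TOTP on top of
RFC 4226 HOTP, plus a server-side verifier. Both sides hold the same seed;
each derives the code for the current 30-second window, and the server
compares in constant time and refuses codes from already-used windows."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def provision_secret() -> str:
    """Registration step (assumed server helper): generate a random 160-bit seed
    and return it base32-encoded, the form authenticator apps accept for enrollment."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def verify_totp(secret_b32: str, submitted: str, at: int,
                last_used_counter: int = -1, window: int = 1):
    """Authentication step, server side. Accepts the code for the current window
    or +/- `window` steps to tolerate clock drift. Returns the accepted counter
    (caller stores it as the new last_used_counter) or None on failure."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    secret = base64.b32decode(secret_b32, casefold=True)
    current = at // STEP_SECONDS
    matched = None
    # Evaluate every candidate window so timing does not leak which one matched.
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            # A code from a window at or before the last accepted one is a replay.
            if counter > last_used_counter:
                matched = counter
    return matched


if __name__ == "__main__":
    # Constructed walk-through: enroll, then verify a freshly generated code.
    seed_b32 = provision_secret()
    now = 1_700_000_000
    code = totp(base64.b32decode(seed_b32), now)
    print("code:", code, "accepted counter:", verify_totp(seed_b32, code, now))
    print("replay rejected:", verify_totp(seed_b32, code, now, last_used_counter=now // 30))
```

Storing the last accepted counter per user is what turns a drift window into a safe one: without it, a code captured by a phishing page stays valid for the whole window. The RFC 6238 test vectors (secret `12345678901234567890`, 8 digits) can be used to confirm the implementation.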

3. Something you are (inherence-based)

This is the most challenging verification factor to mimic. It includes biometric identifiers based on physiological characteristics such as fingerprints, facial recognition, iris scans, or behavioral characteristics such as keystroke patterns.

Methods

  • Biometrics: Another common MFA technique measures innate biometric characteristics, such as fingerprints, facial features, iris or retina scans, or voice ID to confirm the identity of the user. Though this technique was initially seen as an extremely strong authentication factor, excitement waned when it became clear that 3D printing and AI-generated fingerprints could circumvent these techniques.
  • Behavioral analytics: To a lesser extent, some organizations may also use behavioral biometrics to confirm a user’s identity. This method leverages uniquely identifiable and measurable patterns in an individual’s behavior to verify their identity. For example, keystroke dynamics is the analysis of the speed, rhythm, and pressure during typing and can confirm a user’s identity.

Adaptive multi-factor authentication and AI

Adaptive multi-factor authentication, also known as risk-based authentication, takes an additional step in authenticating users by considering contextual and behavioral factors. It then calculates the risk level for each individual user. Based on this risk value, the system will determine whether to grant you access right away, to require an additional authentication method (such as an answer to a security question), or to not let you continue.

Adaptive multi-factor authentication uses AI and machine learning (ML) to analyze these behavioral and contextual factors and establish a baseline for each individual user. This allows it to determine specific user trends and catch unusual or suspicious activity as soon as it happens to help prevent vulnerability exploitation or an attack.

Some behavioral and contextual factors it considers include:

  • Device being used
  • Geographical location
  • Number of failed login attempts
  • Speed between login attempts
  • IP address
  • Date and time of attempt
  • Network privacy
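
To make the risk calculation concrete, here is an added example that is not part of the original article and not any vendor's implementation: a toy scoring policy that turns the factors listed above into an allow / step-up / deny decision against a per-user baseline. The weights, thresholds, the treatment of "speed between login attempts" as both attempt rate and distance-over-time (impossible travel), the reading of "network privacy" as an anonymizing network flag, and the sample user and attempts are all constructed for illustration.

```python
"""Added example (not from the original article): a constructed risk-based
authentication policy. It scores one login attempt against a per-user
baseline of known devices, countries, hours and last location, then maps the
score to allow / step_up / deny. Weights and thresholds are illustrative."""
from dataclasses import dataclass
import math


@dataclass
class Attempt:
    user: str
    device_id: str
    ip: str
    country: str
    lat: float
    lon: float
    ts: int                   # unix seconds of this attempt
    failed_recent: int        # failed attempts for this user in the last 15 minutes
    anonymizing_network: bool  # e.g. known proxy / anonymizer exit ("network privacy")


@dataclass
class Baseline:
    known_devices: set
    known_countries: set
    usual_hours_utc: range    # hours (UTC) in which this user normally signs in
    last_lat: float
    last_lon: float
    last_ts: int              # time of the previous successful login


ALLOW_BELOW = 30   # score below this: grant access
DENY_FROM = 70     # score at or above this: refuse outright
MAX_PLAUSIBLE_KMH = 900.0  # faster than a commercial flight is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score_attempt(a: Attempt, b: Baseline):
    """Return (score, reasons). Each contextual factor adds a weighted penalty."""
    score, reasons = 0, []
    if a.device_id not in b.known_devices:
        score += 30; reasons.append("unknown device")
    if a.country not in b.known_countries:
        score += 25; reasons.append(f"new country {a.country}")
    if a.anonymizing_network:
        score += 20; reasons.append(f"anonymizing network from {a.ip}")
    if a.failed_recent >= 3:
        score += 20; reasons.append(f"{a.failed_recent} recent failures")
    hour = (a.ts // 3600) % 24
    if hour not in b.usual_hours_utc:
        score += 10; reasons.append(f"unusual hour {hour:02d}:00 UTC")
    dt = a.ts - b.last_ts
    if 0 <= dt < 2:
        score += 15; reasons.append("attempts faster than a human could type")
    elif dt > 0:
        km = haversine_km(b.last_lat, b.last_lon, a.lat, a.lon)
        kmh = km / (dt / 3600.0)
        if kmh > MAX_PLAUSIBLE_KMH:
            score += 40; reasons.append(f"impossible travel: {km:.0f} km in {dt}s ({kmh:.0f} km/h)")
    return score, reasons


def evaluate(a: Attempt, b: Baseline):
    """Map the score to a decision; step_up means demand another factor."""
    s, reasons = score_attempt(a, b)
    decision = "allow" if s < ALLOW_BELOW else "step_up" if s < DENY_FROM else "deny"
    return {"decision": decision, "score": s, "reasons": reasons}


# Constructed sample data: T0 falls at 07:00 UTC; last login from New York.
T0 = 1_700_032_400
BASELINE = Baseline({"laptop-1"}, {"US"}, range(7, 20), 40.7128, -74.0060, T0)
SAMPLE_ATTEMPTS = [
    Attempt("alice", "laptop-1", "198.51.100.7", "US", 40.7128, -74.0060, T0 + 1800, 0, False),
    Attempt("alice", "phone-9", "198.51.100.7", "US", 40.7128, -74.0060, T0 + 3600, 0, False),
    Attempt("alice", "laptop-1", "203.0.113.9", "RO", 44.4268, 26.1025, T0 + 3600, 4, True),
]

if __name__ == "__main__":
    for att in SAMPLE_ATTEMPTS:
        print(att.device_id, att.country, evaluate(att, BASELINE))
```

The third attempt is refused not because of any single factor but because the penalties accumulate; the second, which differs from the baseline only by device, gets a step-up prompt rather than a block, which is the behaviour the section describes.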

Benefits of multi-factor authentication

MFA offers many important benefits to organizations, including:

1. Stronger security: Despite not being a security tool in the technical sense, MFA is an important line of defense for organizations in that it grants access to systems and networks only to fully authenticated users.

Enforcing the use of one or several MFA factors via an OTP, biometric indicator, or physical hardware key makes it far more difficult for hackers and other cybercriminals to gain access to the system under the guise of a legitimate user. This not only means that cybercriminals must identify an alternative avenue for access but that traditional security measures are far more likely to be able to detect and stop such activity.

2. Seamless accessibility for remote workers: The widespread shift to hybrid and remote work has dramatically increased organizations’ exposure to cyberattacks and breaches as workers access company applications, documents, and data via personal networks and devices. At the same time, workers experience login fatigue when they are required to sign in to multiple accounts in a single work session.

When paired with advanced login techniques such as SSO, MFA adds a layer of security and simplifies the sign-in process for legitimate users. The moment the user has been validated in SSO, the system automatically logs them in, and they gain access to the application or document without needing to sign in to each application individually.

3. Improved regulatory compliance: Corporate data and identity security are of heightened importance to businesses that operate within high-risk industry sectors such as healthcare, education, medical research, finance, and military defense. Most organizations’ IT departments believe they comply with leading cybersecurity standards, despite research showing that many do not.

Multi-factor authentication is often mandatory for compliance with industry regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) is a regulatory standard for organizations that operate in the credit card sector. It requires MFA to be implemented to prevent unauthorized users from accessing systems. Even when application updates lead to system instability, MFA compliance ensures that systems remain impenetrable with up to 99% certainty.

Challenges with multi-factor authentication

As with any technology, implementation and operation of MFA can create challenges for organizations. For example:

  • If an employee loses a mobile phone or other personal device that is part of the layered defense method, it may temporarily impact their system access and, by extension, their productivity.
  • Biometric data used by MFA algorithms requires thorough and accurate initial entry. It is possible for the system to produce false positives or negatives if the original input was not conducted correctly.
  • MFA verification may become temporarily unavailable if a business experiences a network or internet outage.

The future of multi-factor authentication

MFA is by no means a foolproof security process. Just as cybercriminals are working around the clock to develop new techniques to breach networks, they are also working to find ways to circumvent MFA security measures, intercept tokens, or forge secondary credentials. To mitigate these potential weak spots, MFA techniques must be continuously upgraded to protect against evolving threats and reinforced by other security tools and solutions.

In addition to implementing MFA, organizations should consider improving their security posture through the following identity security best practices, which are designed to limit network access and account privileges and contain a hacker’s movement in the event of a breach:

  • The principle of least privilege (POLP): The POLP is a computer security concept and practice that gives users limited access rights based on the tasks necessary to their job. It ensures only authorized users whose identities have been verified have the necessary permissions to execute jobs within certain systems, applications, data, and other assets. It is widely considered to be one of the most effective practices for strengthening an organization’s cybersecurity posture because it allows organizations to control and monitor network and data access.
  • Zero Trust: Zero Trust is a security framework requiring authentication, authorization, and continuous validation of all users (whether they are inside or outside the organization’s network) before they receive access to applications and data. It combines advanced technologies such as risk-based MFA, identity protection, next-generation endpoint security, and robust cloud workload technology to verify a user’s or system’s identity, consider access at that moment in time, and maintain system security. Zero Trust also requires data encryption, securing email, and verifying the hygiene of assets and endpoints before they connect to applications.
  • Privileged access management (PAM): PAM is a cybersecurity strategy that focuses on maintaining the security of privileged credentials.
  • Identity segmentation: Identity segmentation is a method to restrict user access to applications or resources based on identities.
  • IT hygiene: An IT hygiene tool provides visibility into the use of credentials across an organization to detect potentially malicious admin activity. The account monitoring feature allows security teams to check for the presence of accounts created by attackers to maintain access. It also helps ensure that passwords are changed regularly so that stolen credentials can’t be used forever.

GET TO KNOW THE AUTHOR

Narendran is a Director of Product Marketing for Identity Protection and Zero Trust at CrowdStrike. He has over 17 years of experience in driving product marketing and GTM strategies at cybersecurity startups and large enterprises such as HP and SolarWinds. He was previously Director of Product Marketing at Preempt Security, which was acquired by CrowdStrike. Narendran holds a M.S. in Computer Science from University of Kiel, Germany.