What is Multi-factor Authentication (MFA)?
Multi-factor authentication (MFA) is a multi-layered security system that grants users access to a network, system or application only after confirming their identity with more than one credential or authentication factor. This is usually done through the combination of a username and password, plus another factor, such as a verification code or one-time password (OTP) delivered via text or email; a security token from an authenticator app; or a biometric identifier.
By requiring multiple authentication factors, organizations can significantly improve their security posture. This is because even if the primary authentication factor is compromised or disabled, access is not granted unless the user also has possession of or control over the secondary authorization factor.
Multi-Factor Authentication (MFA) vs. Two Factor Authentication (2FA)
Two Factor Authentication (2FA) is a term sometimes used interchangeably with MFA. Technically speaking, 2FA is a type of multi-factor authentication that limits the user to two authentication credentials, whereas MFA requires at least two forms of authentication
By default, most MFA systems follow the 2FA model, though some organizations may require additional authentication methods, especially when the user is attempting to log in to the network or access resources from an unusual or suspicious location.
Importance of Multi-factor Authentication
Analysis from the CrowdStrike OverWatch™ team indicates that 80% of breaches are identity-driven. Identity-driven attacks are extremely challenging to detect using traditional security measures and tools because these solutions are typically not designed to monitor the activity of approved users, nor detect when an authorized user’s credentials have been compromised.
MFA is considered a core component of a strong identity and access management (IAM) framework. This means that MFA is primarily an access tool, as opposed to a security solution.
Put another way, while MFA can prevent access to users who cannot verify their identity, it cannot differentiate between a request from a legitimate user and someone masquerading as one. Further, once the user is granted access to the network, application, endpoint or system, the MFA solution cannot detect or prevent identity-driven attacks in real time.
As such, organizations should consider MFA as one component within the broader IAM framework and but one link within the broader cybersecurity strategy and architecture.
How Multi-Factor Authentication Works
MFA works by requiring one or more verification factors in addition to a traditional user ID and password. Most authentication factors can be categorized into one of the following groups:
1. Something You Know
This refers to any knowledge-based credential. It is the simplest, most common form of verification. This category includes PINs and passwords created by the user, as well as answers to security questions.
2. Something You Have
This possession-based credential requires users to generate or receive assets such asa security token or certificate. This can be done through the use of an authenticator application like Google Authenticator or Microsoft Authenticator, or a time-sensitive OTP delivered by text, email or secure link.
3. Something You Are
This is the most challenging verification factor to mimic. It includes biometric identifiers based on physiological characteristics such as fingerprints, facial recognition or iris scans, or behavioral characteristics such as keystroke patterns.
Common Multi-Factor Authentication Methods
While many users are most familiar with MFA delivered through an OTP or biometric indicator, there are several other types of multi-factor authentication, each of which employs a different verification method. Here we review some of the most common authentication methods and how they work:
One-time Password (OTP)
The most commonly used MFA factor is the one-time password. OTPs are numerical codes sent via email, SMS or a mobile application, such as Google Authenticator, Microsoft Authenticator or Salesforce Authenticator. OTPs are regenerated after a defined time frame has passed or each time a new authentication request is submitted. The code is based on a seed value assigned to the user upon initial registration and an additional time-based factor.
Biometrics and Behavioral Analytics
Another common MFA technique measures innate biometric characteristics, such as fingerprints, facial features, iris or retina scans, or voice ID to confirm the identity of the user. While this technique was initially seen as an extremely strong authentication factor, excitement waned when it became clear that 3-D printing and AI-generated fingerprints could circumvent these techniques.
To a lesser extent, some organizations may also use behavioral biometrics to confirm a user’s identity. This method leverages uniquely identifiable and measurable patterns in an individual’s behavior to verify their identity. For example, keystroke dynamics is the analysis of the speed, rhythm and pressure during typing which can confirm the user’s identity.
Soft Token Software Development Kits (SDKs)
This verification method uses cryptographic operations such as digital signatures embedded in mobile apps to authenticate the user and device. Soft-token SDKs offer a frictionless user experience since the user doesn’t have to switch between applications or utilize a hardware device.
Hardware One-Time Password (OTP) Tokens
Commonly used in the banking sector, hardware OTP tokens are devices that generate single-use codes via a cryptographic key stored inside the device and on the server. During a login, the system authenticates the user by confirming the device key and server key match.
Smartcards and Cryptographic Hardware Tokens
Smartcards and Cryptographic Hardware Tokens are physical devices that can perform cryptographic operations such as decryption and signing, while the internal keys are physically secure inside a fully isolated enclave. They can be used for computer login (for example, via Windows Smartcard Logon) and digital signature-based verification to authorize transactions. Smartcards may be contactless or require a dedicated reader, while cryptographic hardware tokens require a USB for connection.
Benefits of Multi-Factor Authentication
MFA offers many important benefits to organizations, including:
1. Stronger Security
Despite not being a security tool in the technical sense, MFA is an important line of defense for organizations in that it grants access to systems and networks only to fully authenticated users.
Enforcing the use of one or several MFA factors via an OTP, biometric indicator or physical hardware key makes it far more difficult for hackers and other cybercriminals to gain access to the system under the guise of a legitimate user. This not only means that cybercriminals must identify an alternative avenue for access, but that traditional security measures are far more likely to be able to detect and stop such activity.
2. Seamless Accessibility for Remote Workers
The widespread shift to hybrid and remote work has dramatically increased organizations’ exposure to cyberattacks and breaches as workers access company applications, documents and data via personal networks and devices. At the same time, workers experience login fatigue when they are required to sign in to multiple accounts in a single work session.
When paired with advanced login techniques such as single sign-on (SSO), MFA adds a layer of security and simplifies the sign-in process for legitimate users. The moment the user has been validated in SSO, the system automatically logs them in, and they gain access to the application or document without needing to sign in to each application individually.
3. Improved Regulatory Compliance
Corporate data and identity security are of heightened importance to businesses that operate within high-risk industry sectors such as healthcare, education, medical research, finance and military defense. Most organizations’ IT departments believe they comply with leading cybersecurity standards, despite research showing that many do not.
Multi-factor authentication is often mandatory for compliance with industry regulations. For example, the Payment Card Industry Data Security Standard (PCI-DSS) is a regulatory standard for organizations that operate in the credit card sector. It requires MFA to be implemented to prevent unauthorized users from accessing systems. Even when application updates lead to system instability, MFA compliance ensures that systems remain impenetrable with up to 99% certainty.
Challenges with Multi-Factor Authentication
As with any technology solution, implementation and operation of MFA can create challenges for the organization. For example:
- If an employee loses a mobile phone or other personal device that is part of the layered defense method, it may temporarily impact their system access and, by extension, their productivity.
- Biometric data used by MFA algorithms require thorough, accurate initial entry. It is possible for the system to produce false positives or negatives if the original input was not conducted correctly.
- MFA verification may become temporarily unavailable if a business experiences a network or internet outage.
Frictionless Zero Trust 'Never Trust, Always Verify'
The traditional “trust but verify” method of threat protection, in which trusted users and endpoints are automatically allowed network access, puts organizations at risk of a wide array of security threats. Learn why this approach is obsolete and five best practices for implementing a frictionless Zero Trust model.Download the Infographic
Future of Multi-Factor Authentication
MFA is by no means a foolproof security solution. Just as cybercriminals are working around the clock to develop new techniques to breach networks, so too are they working to find ways to circumvent MFA security measures, intercept tokens or forge secondary credentials. To mitigate against these potential weak spots, MFA techniques must be continuously upgraded to protect against these evolving threats and reinforced by other security tools and solutions.
In addition to implementing MFA, organizations should consider improving their security posture through the following identity security best practices, which are designed to limit network access and account privileges and contain the hacker’s movement in the event of a breach:
- Principle of least privilege (POLP): Principle of least privilege (POLP) is a computer security concept and practice that gives users limited access rights based on the tasks necessary to their job. It ensures only authorized users whose identity has been verified have the necessary permissions to execute jobs within certain systems, applications, data and other assets. It is widely considered to be one of the most effective practices for strengthening the organization’s cybersecurity posture, because it allows organizations to control and monitor network and data access.
- Zero Trust: Zero Trust is a security framework requiring authentication, authorization and continuous validation of all users (whether in or outside the organization’s network) before receiving access to applications and data. It combines advanced technologies such as risk-based MFA, identity protection, next-generation endpoint security and robust cloud workload technology to verify a user or systems identity, consideration of access at that moment in time, and the maintenance of system security. Zero Trust also requires consideration of encryption of data, securing email and verifying the hygiene of assets and endpoints before they connect to applications.
- Privileged access management (PAM): Privileged access management (PAM) is a cybersecurity strategy that focuses on maintaining the security or an administer account privileged credentials.
- Identity segmentation: Identity segmentation is a method to restrict user access to applications or resources based on identities.
- IT hygiene: An IT hygiene tool provides visibility into the use of credentials across the organization to detect potentially malicious admin activity. The account monitoring feature allows security teams to check for the presence of accounts created by attackers to maintain access. It will also help ensure that passwords are changed regularly, so stolen credentials can’t be used forever.