Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login or other transaction. Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.
The goal of MFA is to create a layered defense that makes it more difficult for an unauthorized person to access a target, such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one or more barriers to breach before successfully breaking into the target.
In the past, MFA systems typically relied on two-factor authentication (2FA). Increasingly, vendors are using the label multifactor to describe any authentication scheme that requires two or more identity credentials to decrease the possibility of a cyber attack. Multifactor authentication is a core component of an identity and access management framework.
Why is multifactor authentication important?
One of the biggest shortcomings of traditional user ID and password logins is that passwords can be easily compromised, potentially costing organizations millions of dollars. Brute-force attacks are also a real threat, as bad actors can use automated password cracking tools to guess various combinations of usernames and passwords until they find the right sequence. Although locking an account after a certain number of incorrect login attempts can help protect an organization, hackers have numerous other methods for system access. This is why multifactor authentication is so important, as it can help reduce security risks.
MFA authentication methods
An authentication factor is a category of credential used for identity verification. For MFA, each additional factor is intended to increase the assurance that an entity involved in some kind of communication or requesting access to a system is who -- or what -- it says it is. The use of multiple forms of authentication can help make a hacker's job more difficult.
The three most common categories, or authentication factors, are often described as something you know, or the knowledge factor; something you have, or the possession factor; and something you are, or the inherence factor. MFA works by combining two or more factors from these categories.
Knowledge factor. Knowledge-based authentication typically requires the user to answer a personal security question. Knowledge factor technologies generally include passwords, four-digit personal identification numbers (PINs) and one-time passwords (OTPs). Typical user scenarios include the following:
- swiping a debit card and entering a PIN at the grocery checkout;
- downloading a virtual private network client with a valid digital certificate and logging in to the VPN before gaining access to a network; and
- providing information, such as mother's maiden name or previous address, to gain system access.
Possession factor. Users must have something specific in their possession in order to log in, such as a badge, token, key fob or phone subscriber identity module (SIM) card. For mobile authentication, a smartphone often provides the possession factor in conjunction with an OTP app.
Possession factor technologies include the following:
- Security tokens are small hardware devices that store a user's personal information and are used to authenticate that person's identity electronically. The device may be a smart card, an embedded chip in an object, such as a Universal Serial Bus (USB) drive, or a wireless tag.
- A software-based security token application generates a single-use login PIN. Soft tokens are often used for mobile multifactor authentication, in which the device itself -- such as a smartphone -- provides the possession factor authentication.
Typical possession factor user scenarios include the following:
- mobile authentication, where users receive a code via their smartphone to gain or grant access -- variations include text messages and phone calls sent to a user as an out-of-band method, smartphone OTP apps, SIM cards and smart cards with stored authentication data; and
- attaching a USB hardware token to a desktop that generates an OTP and using it to log in to a VPN client.
Inherence factor. Any biological traits the user has that are confirmed for login. Inherence factor technologies include the following Biometric verification methods:
- retina or iris scan
- fingerprint scan
- Voice authentication
- hand geometry
- digital signature scanners
- facial recognition
- earlobe geometry
Biometric device components include a reader, a database and software to convert the scanned biometric data into a standardized digital format and to compare match points of the observed data with stored data.
Typical inherence factor scenarios include the following:
- using a fingerprint or facial recognition to access a smartphone;
- providing a digital signature at a retail checkout; and
- identifying a criminal using earlobe geometry.
User location is often suggested as a fourth factor for authentication. Again, the ubiquity of smartphones can help ease the authentication burden: Users typically carry their phones, and all basic smartphones have Global Positioning System tracking, providing credible confirmation of the login location.
Time-based authentication is also used to prove a person's identity by detecting presence at a specific time of day and granting access to a certain system or location. For example, bank customers cannot physically use their ATM card in the U.S. and then in Russia 15 minutes later. These types of logical locks can be used to help prevent many cases of online bank fraud.
What are the pros and cons of MFA?
Multifactor authentication was introduced to harden security access to systems and applications through hardware and software. The goal was to authenticate the identity of users and to assure the integrity of their digital transactions. The downside to MFA is that users often forget the answers to the personal questions that verify their identity, and some users share personal ID tokens and passwords. MFA has other benefits and disadvantages.
- adds layers of security at the hardware, software and personal ID levels;
- can use OTPs sent to phones that are randomly generated in real time and is difficult for hackers to break;
- can reduce security breaches by up to 99.9% over passwords alone;
- can be easily set up by users;
- enables businesses to opt to restrict access for time of day or location; and
- has scalable cost, as there are expensive and highly sophisticated MFA tools but also more affordable ones for small businesses.
- a phone is needed to get a text message code;
- hardware tokens can get lost or stolen;
- phones can get lost or stolen;
- the biometric data calculated by MFA algorithms for personal IDs, such as thumbprints, are not always accurate and can create false positives or negatives;
- MFA verification can fail if there is a network or internet outage; and
- MFA techniques must constantly be upgraded to protect against criminals who work incessantly to break them.
Multifactor authentication vs. two-factor authentication
When authentication strategies were first introduced, the intent was to enforce security but to also keep it as simple as possible. Users were asked to supply only two forms of security keys that would inform a system that they were authentic and authorized users. Common forms of 2FA were user ID and password or automated teller machine (ATM) bank card and PIN.
Unfortunately, hackers quickly discovered ways to buy or break passwords or to skim debit cards at ATMs. This prompted companies and security vendors to look for more hardened forms of user authentication that used additional security factors for verification.
Addressing the challenges of multifactor authentication
Adding security factors to MFA further complicates ease of use for users who must remember multiple passwords. Consequently, the goal of MFA is to simplify MFA techniques for users. Here are three approaches being used to simplify MFA:
- Adaptive MFA. This applies knowledge, business rules or policies to user-based factors, such as device or location. For example, a corporate VPN knows that it is OK for a user to sign on from home because it sees the user's location and can determine the risk of misuse or compromise. But an employee who accesses the VPN from a coffee shop will trigger the system and be required to enter MFA credentials.
- Single sign-on (SSO). This one-stop authentication method enables users to maintain one account that automatically logs them in to multiple applications or websites with a single ID and password. SSO works by establishing the user's identity and then sharing this information with each application or system that requires it.
- Push authentication. This is an automated mobile device authentication technique where the security system automatically issues a third, single-use identification code to the user's mobile device. For example, users who want to access a secured system enter their user ID and password and a security system automatically issues a third, single-use identification code to their mobile device. Users enter that code into the system to gain access. Push authentication simplifies MFA by providing users with a third code, eliminating the need to remember it.
Learn more about application login weaknesses that are often overlooked during penetration testing.