What is Multi-factor authentication (MFA) and how it works
Multi-factor authentication (MFA) is a way of checking a user's identity at login in two or more independent steps, each relying on a different kind of evidence. With MFA in place, a stolen password alone is no longer enough to reach your data.
When you log in to an online account, you “authenticate” yourself to the service, typically with a username and password. On its own that is a weak strategy: usernames are often just your email address, and because passwords are hard to remember, people choose simple ones or reuse them across sites.
Almost all online services, including banking, social networking, e-commerce, and Microsoft 365, now offer stronger login checks. The good ones use “two-step verification” or “multi-factor authentication”: the first login from a new device or program (such as a web browser) requires more than the username and password. A second “factor” is needed to confirm your identity.
What is multi-factor authentication?
Multi-factor authentication (MFA) is a security technology that uses more than one method to verify a user's identity for a login or other transaction, with each method drawn from a different category of credential. MFA combines two or more independent pieces of evidence about the user, such as a password, a security token, or a biometric, to verify who the user is.
The goal of MFA is a layered defense that makes it harder for an unauthorized person to reach a target, whether a building, computer, network, or database. Even if one factor is broken or compromised, the attacker still has to get past at least one more barrier before reaching the target.
In the past most MFA deployments used exactly two factors, which is why the term two-factor authentication (2FA) is so common. Vendors increasingly use “multi-factor” for any authentication method that requires two or more identity credentials, making it harder for attackers to break in. Multi-factor authentication is one of the core components of an identity and access management system.
How MFA works
The vast majority of multi-factor authentication systems do not do away with usernames and passwords. Instead, they add one more verification mechanism on top, so that only the right individuals are let in and criminals are kept out. A typical MFA procedure has four steps:
- Registration: The user asserts ownership of an item, such as a mobile phone or a key fob, and links it to their account.
- Login: The user logs in to the system by providing a username and a password.
- Verification: The system contacts the registered item. A key fob may light up, or the phone may receive a push notification or show a verification code.
- Reaction: The user completes the procedure with the registered item, usually by entering the verification code or pressing a button on the key fob.
Some systems remember your device, while others require this verification every time you log in. If you always log in from the same phone or computer, you may not be asked to verify on every visit; if you try to log in from a different computer than usual or at an odd hour of the day, you may be asked for additional verification.
MFA may look simple, but it is very effective: Microsoft reports that accounts using MFA are more than 99.9 percent less likely to be compromised. This one small step goes a long way toward protecting you.
Why use multi-factor authentication (MFA)?
Users struggle to store, remember, and manage usernames and passwords for many accounts, so many reuse passwords across services or pick ones that are not very complex. This makes authentication based on usernames and passwords alone both unreliable and hard to use. Passwords are also easily obtained by attackers through phishing, malware, and database breaches.
Multi-factor authentication matters because it makes stealing your information much harder for the average attacker. When an account is hard to get into, attackers tend to move on to an easier target.
As the name suggests, MFA combines at least two different kinds of factor. One is usually your login name and password, which is something you know. The other is one of:
- Something you have. You prove who you are with a phone, a key card, or a USB security key.
- Something you are. You prove who you are with a fingerprint, an iris scan, or other biometric data.
Adding this extra step on top of your username and password protects your account, and most people can set it up in a few minutes.
MFA methods of authentication
An authentication factor is a type of credential used to check someone's identity. In MFA, each additional factor raises the confidence that the person or device requesting access is who or what it claims to be, and an attacker has to defeat every factor rather than just one.
The three most common categories of authentication factor are something you know (the knowledge factor), something you have (the possession factor), and something you are (the inherence factor). MFA works by combining two or more factors from different categories; two passwords, for example, are still only one factor.
1. Knowledge factor
Knowledge-based authentication asks the user for something only they should know. Passwords, four-digit personal identification numbers (PINs), and answers to personal security questions are the common knowledge-factor technologies. One-time passwords (OTPs) are sometimes listed here too, but because they are generated by or delivered to a device, they are better counted as possession factors. Common uses:
- Swiping a debit card and entering a PIN at the grocery store checkout
- Entering a username and password in a VPN client before getting access to a network (a client certificate that the VPN also checks is a possession factor)
- Answering questions such as your mother's maiden name or a previous address to get into a system. Such answers are often discoverable from public records or social media, so they are the weakest kind of knowledge factor.
2. Possession factor
To log in, users must have something with them, such as a badge, token, key fob, or the subscriber identity module (SIM) card in their phone. A smartphone running an OTP app is the most common possession factor for mobile authentication. Note that a phone number tied to a SIM can be moved to an attacker's SIM through the carrier, so codes delivered by SMS are the weakest form of possession factor.
These technologies are part of the possession factor:
- Security tokens – Small hardware devices that hold a secret key or certificate and are used to electronically verify the holder's identity. The device may be a smart card, a USB device with an embedded chip, or a wireless tag.
- Soft tokens – A one-time login code generated by a software-based token application. Soft tokens are widely used for MFA on mobile devices, where the device itself, such as a smartphone, provides the possession factor.
Common ways the possession factor is used:
- Mobile authentication. The user receives or generates a code on their phone. This can be an out-of-band text message or phone call, an OTP app on the smartphone, or a SIM card or smart card that stores the authentication data.
- USB hardware token. A token plugged into a desktop generates an OTP, which the user enters to log in to a VPN client.
3. Inherence factor
Any biological trait of the user that is checked in order to log in. Technologies that use the inherence factor are biometric verification methods such as:
- Fingerprint scan
- Hand geometry
- Retina or iris scan
- Voice authentication
- Facial recognition
- Digital signature scanners (the dynamics of a handwritten signature)
- Earlobe geometry
A biometric device consists of a reader, a database of enrolled templates, and software that converts the scanned biometric data into a standard digital format and compares the match points of the observed data with the stored template. The comparison produces a similarity score rather than an exact match, so the system has to choose a threshold that balances false accepts against false rejects.
Typical inherence factor situations:
- Unlocking a smartphone with a fingerprint or face recognition
- Signing on a digital pad at a store checkout
- Identifying a suspect from the shape of their earlobes (this is identification of an unknown person rather than verification of a claimed identity, but it uses the same matching)
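The threshold trade-off described above, as an added example that is not part of the original page: the scores are constructed sample similarity values between a live scan and the enrolled template (they come from no real matcher), and the function names are this example's own. It shows how the same scores give different false-accept and false-reject rates depending on where the threshold is set.

```python
from typing import List, Tuple

# Constructed sample scores: similarity in [0, 1] between a live scan and the
# enrolled template. They are illustrative, not output of any real matcher.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.84, 0.90, 0.67, 0.93]   # same person
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.58, 0.22, 0.30, 0.71, 0.19]  # other people


def verify(score: float, threshold: float) -> bool:
    """Accept the claimed identity when the comparison score clears the threshold."""
    return score >= threshold


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Fraction of impostor attempts the threshold would accept (false positives)."""
    return sum(1 for s in impostor if verify(s, threshold)) / len(impostor)


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Fraction of genuine attempts the threshold would reject (false negatives)."""
    return sum(1 for s in genuine if not verify(s, threshold)) / len(genuine)


def equal_error_threshold(genuine: List[float], impostor: List[float],
                          steps: int = 100) -> float:
    """Sweep thresholds and return the first one where FAR and FRR are closest."""
    best_t, best_gap = 0.0, float("inf")
    for i in range(steps + 1):
        t = i / steps
        gap = abs(false_accept_rate(impostor, t) - false_reject_rate(genuine, t))
        if gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


def operating_points(genuine: List[float],
                     impostor: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) at a few candidate thresholds, to show the trade-off."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in (0.5, 0.6, 0.7, 0.8, 0.9)]


if __name__ == "__main__":
    for t, a, r in operating_points(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FAR {a:.3f}  FRR {r:.3f}")
    print("equal-error threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A strict threshold (0.8 here) lets no impostor through but rejects a quarter of the genuine attempts, which is the “false negative” complaint users have about fingerprint readers; a lax one (0.6) accepts every genuine attempt but also one impostor. Where you put the operating point is a policy decision, not a property of the sensor.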
A user's location is often described as a fourth factor. Here too the ubiquity of smartphones helps: users usually carry their phones, and even basic smartphones can determine their location with the Global Positioning System. A location reported by the device can be faked, however, so services usually combine it with where the request itself arrived from on the network.
Time-based authentication is another way to confirm identity: it checks that the person is present at a plausible time and place before admitting them. For instance, a bank customer cannot use the same ATM card in the U.S. and then 15 minutes later in Russia. Many types of online bank fraud can be stopped by such “impossible travel” checks.
4. Based on location and time
MFA can use GPS coordinates, network parameters, metadata about the network in use, and device recognition. Adaptive authentication combines these data points with the user's past behaviour and current environment.
These checks run in the background and need little input from users, so they do not get in the way of productivity. But because they need specialised software and expertise, they suit large organisations with the resources to manage them.
5. One-time password based on time (TOTP)
A time-based one-time password is a short code computed from a secret shared between the user's device and the server plus the current time, so it changes every 30 seconds or so and can be checked without any message being sent. TOTP is usually the second step in 2FA, but it fits any MFA method where a second step is added dynamically after the first has been completed. The process is easy to use across a wide range of users and devices and is very widely deployed today. Codes sent by SMS or email are a different, out-of-band mechanism that merely looks similar to the user.
On the business side, TOTP needs either software or a third-party service provider. Mobile networks, and mobile devices used as tokens, have their own security problems.
In most deployments the shared secret is delivered as a QR code that the user scans with an authenticator app on a mobile device. The app then displays a six-digit code, which the user types into the website or app to get in. Each code is valid for only one time step (typically 30 seconds), after which a new one is derived.
6. Push-based authentication factor
Push-based 2FA improves on SMS and TOTP in both security and usability: the server sends a notification to the registered phone, the app shows details of the login attempt, and the user approves or denies it with a tap instead of typing a code. Because push-based 2FA delivers notifications over data networks such as cellular or Wi-Fi, users must have data access on their mobile devices to use it. A user can also approve a prompt they did not start, so good implementations show where the login came from and ask the user to type a number displayed on the login screen into the app (number matching).
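The server side of such a push approval, as an added example that is not code from the original page or any vendor's API. It assumes a hypothetical PushServer that the login page and the phone app both call; the transport to the phone, the 60-second lifetime and the two-digit matching number are this example's assumptions. It shows the three properties the paragraph asks for: the prompt carries the login context, approving it requires the number shown only on the login screen, and a challenge can be used once and then expires.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CHALLENGE_TTL = 60.0       # seconds a pending prompt stays valid (assumed value)


@dataclass
class PushChallenge:
    challenge_id: str
    user: str
    display_number: int      # shown on the login page only; the user types it into the app
    login_context: str       # e.g. "203.0.113.10, Chrome on Linux", shown in the prompt
    created: float
    status: str = "pending"  # pending | approved | denied | expired | consumed


class PushServer:
    """Server side of a push approval. Delivery to the phone is out of scope here."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                      # injectable clock, so expiry can be tested
        self.challenges: Dict[str, PushChallenge] = {}

    def start(self, user: str, login_context: str) -> PushChallenge:
        """Called after the password check passes; one challenge per login attempt."""
        ch = PushChallenge(
            challenge_id=secrets.token_urlsafe(16),
            user=user,
            display_number=secrets.randbelow(100),
            login_context=login_context,
            created=self.now(),
        )
        self.challenges[ch.challenge_id] = ch
        # The phone receives challenge_id and login_context; display_number goes to the
        # login page only, so approving a prompt the user did not start cannot succeed.
        return ch

    def respond(self, challenge_id: str, typed_number: int, approve: bool) -> str:
        """Called by the phone app with the user's decision and the number they typed."""
        ch = self.challenges.get(challenge_id)
        if ch is None:
            return "unknown"
        if ch.status != "pending":
            return ch.status                # already decided; nothing changes
        if self.now() - ch.created > CHALLENGE_TTL:
            ch.status = "expired"
        elif not approve or typed_number != ch.display_number:
            ch.status = "denied"            # wrong number: the prompt was not for this login
        else:
            ch.status = "approved"
        return ch.status

    def consume(self, challenge_id: str) -> bool:
        """Called by the login page; completes the login exactly once."""
        ch = self.challenges.get(challenge_id)
        if ch is None or ch.status != "approved":
            return False
        ch.status = "consumed"
        return True


if __name__ == "__main__":
    srv = PushServer()
    ch = srv.start("alice", "203.0.113.10, Chrome on Linux")
    print("show on login page:", ch.display_number)
    print(srv.respond(ch.challenge_id, ch.display_number, approve=True))
    print("login completed:", srv.consume(ch.challenge_id))
```

Because the matching number never travels to the phone, a prompt triggered by someone else's login attempt cannot be completed by the legitimate user tapping “approve”: they do not know the number, and a guess has a one-in-a-hundred chance before the challenge is burned.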
7. Social Media
Here a user lets a website sign them in with their existing account at a social media site. This is convenient and available to almost everyone, but it is not itself an authentication factor: the website delegates the whole login to the social network, so the login is only as strong as that network's own authentication, including whether it enforced MFA.
Social media networks are frequent targets of online criminals because they hold a lot of information about their users, and some users are wary of the security and privacy consequences of linking other sites to their social media logins.
8. Risk-based authentication factor
This method combines adaptive authentication with algorithms that calculate a risk score from the context of each login request. It is sometimes called adaptive multi-factor authentication. Its goal is to cut down on unnecessary prompts and make the workflow easier to use.
Risk-based authentication can save a lot of time for users who log in to many different systems, but deploying and managing it requires software that learns how users interact with a system, and the IT skills to tune it.
Difference between 2FA and MFA
When authentication strategies were first devised, the goal was to keep things as simple as possible while still being reasonably secure. Users were asked for just two pieces of evidence to show a system they were who they claimed. Common pairs were a user ID and password (which, strictly, are a single knowledge factor) or a bank card and PIN at an ATM (a true two-factor combination of possession and knowledge).
Attackers quickly found ways to buy or crack passwords and to skim data from debit cards at ATMs. That pushed companies and security vendors toward stronger verification that uses more than one independent factor.
What are the benefits and drawbacks of MFA?
Multi-factor authentication was created to make it harder for attackers to get into systems and apps, using both hardware and software, so that users are who they say they are and their digital transactions are protected. Its weak points are mostly human: users forget the answers to personal questions, and some users share their tokens and passwords. MFA also has other pros and cons.
Benefits of multi-factor authentication
- MFA adds layers of security at the hardware, software, and personal ID levels
- Can use one-time passwords (OTPs) generated in real time that are hard for attackers to guess; codes sent by SMS can still be intercepted or phished, so app-generated or hardware codes are preferable
- Can reduce account compromise by 99.9% compared to passwords alone
- Can be easily set up by users
- Lets businesses choose to limit access based on time of day or location
- Has scalable cost, as there are expensive and highly sophisticated MFA tools as well as cheaper ones for small businesses.
Flaws of multifactor authentication
- To receive a text message code, you need a phone
- Hardware tokens can be lost or stolen
- Phones can go missing or be stolen
- Biometric data such as thumbprints are matched approximately, so the check can produce false accepts or false rejects
- MFA verification can fail if there is a problem with the network or the internet
- Criminals work hard to find ways around MFA techniques, so they must be updated continually
How to ease the challenges with multifactor authentication
Every extra security step makes MFA more of a burden for users who already have to remember more than one password, so a good MFA design tries to keep the extra steps easy. Here are three ways MFA is being made easier to use:
- Adaptive MFA. This applies knowledge, business rules, or policies to user-based factors such as device or location. For example, a corporate VPN can see where a user is signing on from and judge how likely it is that the session will be misused: a sign-on from home may be allowed without a prompt, while a sign-on from a coffee shop triggers a request for MFA credentials.
- Single sign-on (SSO). This lets users keep one account that signs them in to multiple applications or websites with a single ID and password. SSO works by authenticating the user once, at the identity provider, and then sharing that identity with every system or application that needs it. MFA enforced at the identity provider therefore covers every connected application without prompting the user for each one.
- Push authentication. This authenticates through the user's registered mobile device. After the user enters their user ID and password, the security system sends a one-time prompt or code to the device; the user approves the prompt in the app, or types the code into the system, to get in. MFA is made easier because the user does not have to remember anything beyond the password.
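The adaptive policy described in the location and time section, the risk-based section and the adaptive MFA item above, as one added example that is not code from the original page or any product. It assumes a hypothetical LoginContext/UserHistory model and illustrative weights and thresholds (40 for an unknown device, 20 for an off-hours login, 100 for impossible travel, step-up at 30, deny at 100); the impossible-travel rule uses a great-circle distance and a 1000 km/h plausibility limit, and the sample logins are constructed.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str        # device cookie or fingerprint presented with the login
    ip: str
    lat: float            # geolocation of the request (from the device or the IP)
    lon: float
    when: datetime        # timezone-aware, UTC


@dataclass
class UserHistory:
    known_devices: Set[str]
    usual_hours: range                      # UTC hours the user is normally active
    last_login: Optional[LoginContext] = None


MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # roughly airliner speed; faster means "impossible travel"
NEARBY_KM = 50.0                   # ignore small moves, e.g. two ISPs in the same city


def at(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Build a UTC timestamp (helper so sample logins are easy to construct)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(ctx: LoginContext, hist: UserHistory) -> Tuple[int, List[str]]:
    """Sum a weight for each suspicious signal; the weights are this example's assumptions."""
    score, reasons = 0, []
    if ctx.device_id not in hist.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if ctx.when.hour not in hist.usual_hours:
        score += 20
        reasons.append("outside usual hours")
    prev = hist.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, ctx.lat, ctx.lon)
        hours = (ctx.when - prev.when).total_seconds() / 3600.0
        if km > NEARBY_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += 100
            reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
    return score, reasons


def decide(ctx: LoginContext, hist: UserHistory) -> str:
    """allow: password alone is enough; require_mfa: step up; deny: refuse outright."""
    score, _ = risk_score(ctx, hist)
    if score >= 100:
        return "deny"
    if score >= 30:
        return "require_mfa"
    return "allow"


def record_success(ctx: LoginContext, hist: UserHistory) -> None:
    """After a successful login, remember the device and position for the next check."""
    hist.known_devices.add(ctx.device_id)
    hist.last_login = ctx


if __name__ == "__main__":
    hist = UserHistory(known_devices={"laptop-1"}, usual_hours=range(8, 19))
    office = LoginContext("alice", "laptop-1", "203.0.113.10", 40.71, -74.01, at(2024, 1, 8, 10))
    print(decide(office, hist), risk_score(office, hist))
    record_success(office, hist)
    # The page's example: the same credentials used in the U.S. and 15 minutes later in Russia.
    abroad = LoginContext("alice", "laptop-1", "198.51.100.7", 55.76, 37.62, at(2024, 1, 8, 10, 15))
    print(decide(abroad, hist), risk_score(abroad, hist))
```

The order of the checks is what makes this adaptive rather than just strict: a known device at the usual time is let through on the password alone, an unknown device only costs the user a second-factor prompt, and a geographically impossible sequence is refused outright even when every factor is technically correct, because a correct factor presented from an impossible place is the signature of a stolen one.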
A compromised password is one of the most common ways malicious actors gain access to sensitive information such as a user's data, identity, or finances. Requiring multiple forms of verification at once is one of the simplest ways to make that significantly harder for them.