5 Things to Know about Multi-Factor Authentication

Multi-factor Authentication (MFA) is the practice of chaining several authentication methods together when determining whether to grant access to a user. Combining several independent authentication factors makes verifying a user’s identity easier and more precise.

Today MFA is considered best practice and helps protect both users and organizations from cybercriminals. Using multi-factor authentication significantly reduces the risk of user accounts being compromised due to password theft.

1) MFA and Two-Factor or Two-Step Authentication. Are They the Same?

Strictly speaking, two-factor authentication is a subset of MFA and the simplest form of a multi-factor strategy. Multi-factor authentication is not limited to only two factors. Ever-greater security requirements demand a more secure approach than just two factors can usually provide.

2) Not All Authentication Factors Are the Same

Authentication factors are divided into four main categories. They are:

  • Knowledge factors

Modern knowledge factors include user names or IDs, passwords, PINs, and the answers to security questions.

  • Possession factors

Possession factors are such things as bank or ID cards, security tokens, one-time passwords (OTP), and, increasingly, smartphones.

  • Inherence factors

Inherence factors are rapidly expanding with developments in biometrics technology. In addition to fingerprints, these factors now include facial and voice recognition, retina scans, even an individual’s typing patterns on a keyboard.

  • Location factors

Location factors refer to the user’s physical location at the time of authentication. In general, these factors do not require any user input but are determined automatically, for example, by looking up IP addresses.

The choice of a particular factor depends on the use case and the organization’s specific security needs.

3) Use a Mix of Authentication Types

The basic principle of MFA is to vary the categories of factors. Access should be granted or denied depending on what someone knows, what someone has, or what someone uniquely is.

A system built on passwords and security questions (both knowledge factors) is generally less secure than one that employs passwords and SMS messages delivered over your phone.

Another general principle is that users should not be able to go from one factor to two, especially if it is critical to ensure that the users are who they claim to be.

If, for example, a user signs up for an email account, creates a username and password, and then adds a phone number, this is essentially going from one factor to two. The addition of the second factor may provide the user with some additional security, but it does not increase confidence in their identity. When identity assurance is important, users should not be able to go from one factor to two. Identity can be much better asserted by going from two factors to two.

4) MFA Schools of Thought

There are two primary perspectives on MFA:

1. The focus should be on protecting the user and the user’s data,

2. The focus is on ensuring that the user’s identity remains consistent over time, meaning that the user attempting to gain access is the same user that gained access the last time.

Even though the focus of these two perspectives on MFA is different, creating a robust MFA system is generally in everyone’s interest.

Read more about it here.

5) Different MFA approaches

Multi-Factor Authentication can be used in a variety of ways depending on the desired balance between security and usability:

  • Always-on MFA
  • Opt-in MFA
  • Step-up Authentication
  • Time-Sensitive Re-verification

The Always-On approach stresses security needs over usability concerns. The Opt-In approach lets users decide how much security they require, allowing them to shift the balance away from usability if they wish. Step-up Authentication opts for ease of use on the initial login, stepping up to MFA when greater security is needed. Time-sensitive Re-verification, on the other hand, uses MFA from the start but staggers the re-verification process to reduce demands on the user without sacrificing MFA-level protections.

To learn more about MFA:

  1. Check out Curity’s resources library on MFA
  2. Read a Curity blog post on User Opt-In Multi-Factor Authentication by Jacob Ideskog
  3. Register for the upcoming webinar Flavors of Multi-Factor Authentication to learn more about MFA approaches, user experience and reliability best practices, different use cases, and other things to consider when choosing a particular approach or authenticator.




Curity is the leading supplier of API-driven identity management, providing unified security for digital services. Visit curity.io or contact info@curity.io

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

EOSC Weekly Report #106

I got ninety nine regulatory compliance problems…

Pandora Walkthrough — Hack The Box

IDO is Live now!!

TRY HACK ME: Write-Up Privilege Escalation: Linux PrivEsc –Kernel Exploits, Sudo, SUID

{UPDATE} 4 Fotos 1 Palabra Hack Free Resources Generator

A Dive into the BGP protocol

Complete Guide To Start Bug Bounty In 2022

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Curity is the leading supplier of API-driven identity management, providing unified security for digital services. Visit curity.io or contact info@curity.io

More from Medium

Openssl for IOT system security development series (Part 1) —  Set up tls client/server from…

Advent Of Code 2021 — Binary Diagnostic — Puzzle 3

AWS: Getting started with Amazon Web Services Command Line Interface (CLI) Part II

How to upgrade Zabbix Network Monitoring tools 5.4 from version 5.2/5.0