Multi-factor Authentication (MFA) is the practice of chaining several authentication methods together when determining whether to grant access to a user. Combining several independent authentication factors makes verifying a user’s identity easier and more precise.
Today MFA is considered best practice and helps protect both users and organizations from cybercriminals. Using multi-factor authentication significantly reduces the risk of user accounts being compromised due to password theft.
1) MFA and Two-Factor or Two-Step Authentication. Are They the Same?
Strictly speaking, two-factor authentication is a subset of MFA and the simplest form of a multi-factor strategy. Multi-factor authentication is not limited to only two factors. Ever-greater security requirements demand a more secure approach than just two factors can usually provide.
2) Not All Authentication Factors Are the Same
Authentication factors are divided into four main categories. They are:
- Knowledge factors
Modern knowledge factors include user names or IDs, passwords, PINs, and the answers to security questions.
- Possession factors
Possession factors are such things as bank or ID cards, security tokens, one-time passwords (OTP), and, increasingly, smartphones.
- Inherence factors
Inherence factors are rapidly expanding with developments in biometrics technology. In addition to fingerprints, these factors now include facial and voice recognition, retina scans, even an individual’s typing patterns on a keyboard.
- Location factors
Location factors refer to the user’s physical location at the time of authentication. In general, these factors do not require any user input but are determined automatically, for example, by looking up IP addresses.
The choice of a particular factor depends on the use case and the organization’s specific security needs.
3) Use a Mix of Authentication Types
The basic principle of MFA is to vary the categories of factors. Access should be granted or denied depending on what someone knows, what someone has, or what someone uniquely is.
A system built on passwords and security questions (both knowledge factors) is generally less secure than one that employs passwords and SMS messages delivered over your phone.
Another general principle is that users should not be able to go from one factor to two, especially if it is critical to ensure that the users are who they claim to be.
If, for example, a user signs up for an email account, creates a username and password, and then adds a phone number, this is essentially going from one factor to two. The addition of the second factor may provide the user with some additional security, but it does not increase confidence in their identity. When identity assurance is important, users should not be able to go from one factor to two. Identity can be much better asserted by going from two factors to two.
4) MFA Schools of Thought
There are two primary perspectives on MFA:
1. The focus should be on protecting the user and the user’s data,
2. The focus is on ensuring that the user’s identity remains consistent over time, meaning that the user attempting to gain access is the same user that gained access the last time.
Even though the focus of these two perspectives on MFA is different, creating a robust MFA system is generally in everyone’s interest.
Read more about it here.
5) Different MFA approaches
Multi-Factor Authentication can be used in a variety of ways depending on the desired balance between security and usability:
- Always-on MFA
- Opt-in MFA
- Step-up Authentication
- Time-Sensitive Re-verification
The Always-On approach stresses security needs over usability concerns. The Opt-In approach lets users decide how much security they require, allowing them to shift the balance away from usability if they wish. Step-up Authentication opts for ease of use on the initial login, stepping up to MFA when greater security is needed. Time-sensitive Re-verification, on the other hand, uses MFA from the start but staggers the re-verification process to reduce demands on the user without sacrificing MFA-level protections.
To learn more about MFA:
- Check out Curity’s resources library on MFA
- Read a Curity blog post on User Opt-In Multi-Factor Authentication by Jacob Ideskog
- Register for the upcoming webinar Flavors of Multi-Factor Authentication to learn more about MFA approaches, user experience and reliability best practices, different use cases, and other things to consider when choosing a particular approach or authenticator.
