Multi-Factor Authentication (MFA)

Introduction

Access credentials for digital accounts and systems are stolen more and more often. If a company requires only one credential for its accounts and systems, it provides little protection against criminals who want to compromise its data and accounts, and, more importantly, those of its clients, customers, and partners. That is why many organizations are implementing multi-factor authentication to keep their accounts and data more secure.

So what is multi-factor authentication, how does it work, and why is it becoming such an important part of digital security? We’ll explore those questions throughout this article.

We’ll start with a multi-factor authentication definition to give a more general idea of what it is.


What is Multi-Factor Authentication (MFA)?

Multi-factor authentication is a security technology that controls access to websites, applications, or data by requiring users to prove their identity in at least two ways. Credentials could include a username and password combination, a code sent to a mobile device, a biometric scan, and more.

The Importance of Multi-Factor Authentication

So why use multi-factor authentication? The answer is that it makes it more difficult for criminals to compromise a company’s platform or data. That includes customer data, which may contain sensitive financial information. Protecting these assets helps ensure that transactions are authentic, mitigates fraud and identity theft, and increases customer confidence in a business.

Criminals can fake or steal individual forms of authentication, but each additional required credential is another barrier they need to get around. The importance of multi-factor authentication, then, is that it acts as a stronger deterrent to criminals considering bypassing those locks to access data or take control of an account.

By extension, multi-factor authentication also helps to prevent more wide-ranging cyberattacks that affect not only an account user but also the organization (as the account’s host) and even other parties the business is affiliated with.

MFA vs. 2FA

2FA (two-factor authentication) is one of the specific types of multi-factor authentication. It requires exactly two valid credentials from a user trying to access something to authorize them.

MFA (multi-factor authentication) is a more general term that describes any security system that involves at least two credentials for verifying a user’s identity. However, MFA could involve three, four, or even more credentials to authenticate a user. It doesn’t necessarily involve exactly two credentials as 2FA does.

How Does Multi-Factor Authentication Work?

If you’re wondering how to use multi-factor authentication, the short answer is to add more steps to logging into an online account or database. Each step can require a user wanting access to an account or system to prove their identity, typically based on something they know, something they have, or something inherent to them as a person.

A graphic depicting the MFA process

Certain other conditions can also be used as credentials, such as the location someone is attempting to log in from or other risk-based behavioral context (e.g. time of day, type of device, public vs. private network).

In addition, security factors can be classified as active (i.e. the user has to complete an action, like typing in a password or inserting a USB security token into their computer) or passive (i.e. the system verifies behind the scenes, such as with a facial feature scan or built-in security tokens only on specific devices).

One of the biggest multi-factor authentication challenges is balancing active and passive factors to find the right level of friction. ‘Friction,’ in this case, refers to the amount of work or information a user has to provide to be verified.

Too little friction increases the risk that unauthorized users can easily break into accounts or systems. Too much friction, however, can make a system difficult to use, even for authorized users. In the case of customers, it may even cause them to abandon the platform.

4 Types of Multi-Factor Authentication: Main Factors to Consider

Multi-factor authentication methods for identifying a user require information or conditions that typically fall into one of these four categories.

Knowledge

Knowledge refers to information that only an authorized user knows.

Examples include passwords, personal identification numbers (PINs), and security questions. These are important for security because they’re things an authorized user can recall easily, but would be difficult (yet not impossible) for someone unauthorized to figure out.

Possession

Possession refers to an object that only an authorized user will have.

An example might be a key to a lock, an ID card, or a security token that’s only present on specific computers, smartphones, or removable drives. This adds a layer of security because faking or stealing a tangible object can be more difficult than faking, stealing, or guessing intangible information.

Inherence

Inherence refers to data that is fundamentally tied to who a person is.

Mainly, this refers to biometrics such as a person’s fingerprints, facial features, voice patterns, or the structure of their eyes. This type of factor is expected to be the future of security because it doesn’t rely on information or objects that could easily be forgotten, lost, stolen, guessed, or faked. That makes it both user-friendly and hard to circumvent.

Location

Location is a relatively new factor that considers where a person physically is as an authorization credential.

This could be the IP or other network address of a device they’re using, or their geographic coordinates. This type of security can be used to block access or require additional credentials if a person is trying to gain access to an account or database from an unsecured or suspicious location.

Benefits of Multi-Factor Authentication

The benefits of multi-factor authentication come down to better securing online customer and company accounts against hijacking or theft. Essentially, it is a failsafe in case a criminal manages to steal, guess, or fake one credential needed for authorization.

The idea is that if a criminal needs to do this multiple times to gain access to an account or database, there’s a greater chance they will judge that the effort required isn’t worth the potential rewards of unauthorized entry.

Multi-Factor Authentication Recommendations and Best Practices

One of our top multi-factor authentication recommendations is to design your company’s system to use factors of different types (i.e. knowledge, possession, inherence) rather than two factors of the same type.

This better deters criminals because they need to spoof several different kinds of information to gain unauthorized access to an account or system. Just make sure that the specific factors are familiar to your organization’s staff, customers, and partners because you don’t want them to have a hard time accessing your platform.

Another of our recommended multi-factor authentication best practices is to use location-based or behavior-based factors to create a flexible, tiered MFA system. For example, users trying to log in from suspicious places or with suspicious behavior have to submit several valid credentials, while someone logging in from a whitelisted IP address and device may only need a password. This makes it harder for criminals to hack your system while allowing legitimate users easy access.
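As an added example (not code from the original article), here is one way the tiered, risk-based policy described above could be expressed: signals from the login context (trusted network, enrolled device, time of day, public network) decide which factor categories are required, and the final check insists that every required category is covered by a distinct factor, so a password plus a PIN never counts as two factors. The network range, thresholds, and hour window are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Factor categories named in the article.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Constructed allow-list of trusted (whitelisted) networks; assumption only.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class LoginContext:
    source_ip: str        # address the attempt comes from
    device_known: bool    # device previously enrolled for this user
    hour_utc: int         # hour of day of the attempt, 0-23
    public_network: bool  # e.g. public Wi-Fi rather than the office LAN


def risk_score(ctx: LoginContext) -> int:
    """One point per risk signal the article lists: location, device,
    time of day, public vs. private network."""
    score = 0
    if not any(ip_address(ctx.source_ip) in net for net in TRUSTED_NETWORKS):
        score += 1
    if not ctx.device_known:
        score += 1
    if ctx.hour_utc < 6 or ctx.hour_utc > 22:  # outside assumed working hours
        score += 1
    if ctx.public_network:
        score += 1
    return score


def required_categories(ctx: LoginContext) -> set:
    """Tiered policy: whitelisted IP and known device -> password only;
    a few risk signals -> add a possession factor; many -> add inherence."""
    score = risk_score(ctx)
    if score == 0:
        return {KNOWLEDGE}
    if score <= 2:
        return {KNOWLEDGE, POSSESSION}
    return {KNOWLEDGE, POSSESSION, INHERENCE}


def authorize(ctx: LoginContext, presented: dict) -> bool:
    """`presented` maps a verified factor name to its category, e.g.
    {"password": KNOWLEDGE, "totp": POSSESSION}. Each required category
    must be covered; two factors of the same category only cover it once."""
    covered = set(presented.values())
    return required_categories(ctx).issubset(covered)
```

Note that the policy only decides which categories are needed; verifying each factor (checking the password, the one-time code, the biometric) is assumed to happen before its name is placed in `presented`.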

MFA is a critical component of identity verification when it comes to transactions. It’s important to monitor transactions beyond customer onboarding to ensure transactions are coming from authentic users.
