Traditional, password-based authentication is insecure. People commonly choose weak passwords or reuse the same password across multiple different accounts. This makes it easy for cybercriminals to guess or steal passwords, providing access to legitimate user accounts.
Multi-factor authentication (MFA) is designed to improve authentication security by requiring more than a password for authentication. If a password is weak or leaked, that alone is no longer enough for an account takeover attack. In this article, we answer the question: what is MFA?
Two-factor authentication (2FA) and multi-factor authentication (MFA) get their names from the fact that they require multiple different “factors” for a user to authenticate. 2FA requires two factors, while MFA requires two or more factors.
The factors used in MFA fall into three categories: “something you know” (knowledge, such as a password), “something you have” (possession, such as a phone or hardware token), and “something you are” (inherence, such as a fingerprint).
A combination of knowledge-based and possession-based factors is the most common form of MFA. For example, a user may authenticate by entering a password (“something you know”) and a one-time passcode texted to their smartphone (“something you have”). To authenticate, a user needs to both know the password and have the phone, making this MFA.
However, other combinations are possible. For example, passwordless MFA combines possession-based and inherence-based factors. This could include using fingerprint recognition (“something you are”) to authenticate a user and reading an authentication token from a device (“something you have”).
No, different types of MFA factors offer different levels of security:
The primary benefit of MFA is improved account security. If an authentication system relies on a single factor, then an attacker only needs to learn or steal that factor. The use of multiple factors makes it more difficult for an attacker to successfully take over a user account.
However, the security benefits that an MFA solution provides depend on its implementation, the factors used, and whether or not it truly uses two distinct types of factors. For example, some websites use an emailed one-time code as a possession-based factor alongside a password. If the user authenticates to that email account with a password, and that password is the same as the one for the other account, then both factors are effectively knowledge-based and the second factor provides no additional security.
MFA provides additional security, but this can come at the cost of convenience in some cases. For example, a possession-based factor requires a user to have and use a physical device as part of the authentication process.
While the security benefits of MFA may be necessary in some cases, this may not always be the case. A company may decide that MFA is unnecessary in low-risk situations, but that the protection provided by multiple factors may be required in other scenarios. For example, password-based authentication may be acceptable when working from the office, but a remote worker may need the security provided by MFA.
Adaptive MFA makes this possible by allowing an organization to define rules for the authentication process. The user’s computer can provide contextual information (such as location and time of day) that can be used to determine risk levels. Based on the level of risk, an application could choose to forgo MFA or even require additional factors for extremely high-risk scenarios.
Single sign-on (SSO) and the Security Assertion Markup Language (SAML) are other technologies designed to improve the security and usability of authentication systems. Instead of requiring a user to use different credentials to authenticate to different accounts, SSO and SAML allow a single authentication that provides access to multiple applications.
SSO and SAML can help to limit weak passwords and the burden of authentication, but an attacker that compromises a user’s SSO or SAML account has full access to linked accounts. By combining MFA with SSO or SAML, an organization can more strongly verify a user’s identity before providing them with access to multiple accounts.
MFA improves account security by bolstering a weak password with another authentication factor. However, this provides limited protection if both factors are insecure.
Passwordless authentication addresses the problem of insecure passwords by replacing a password with a non-password factor, such as “something you have” or “something you are”. Passwordless MFA combines the two concepts, using multiple non-password factors for user authentication.
Multi-factor authentication uses two or more “factors” to authenticate a user. A common example includes combining a password with a one-time code sent by SMS or email or generated via an authenticator app.
Multi-factor authentication requires the use of two different authentication factors to log into a system. For example, a website may require a password and a one-time code sent via text message.
Multi-factor authentication provides stronger security than single-factor authentication. Cybercriminals commonly use weak or breached passwords to access online accounts. With MFA, an attacker would need access to multiple factors to authenticate as the user.
Multi-factor authentication is important because it improves account security and makes it harder to hack. Weak and reused passwords are common, making it easier for attackers to gain access to online accounts. MFA makes this harder because a password is no longer enough for authentication.
MFA provides much stronger protection than single-factor authentication systems, especially password-based ones. Whenever possible, application developers should enforce the use of MFA using strong factors for user accounts.
A common form of multi-factor authentication is a password combined with a single-use code sent by SMS or email.
The three primary factors of multi-factor authentication are “something you know” (knowledge), “something you have” (possession), and “something you are” (inherence). Some solutions may use location as a fourth factor option.
MFA providers offer an organization access to an existing MFA solution. This is often easier to use and more secure than writing a custom solution.
Two-factor authentication (2FA) is a form of multi-factor authentication (MFA) that uses exactly two factors for authentication. MFA can use two or more factors.
More factors are always more secure, so MFA with three or more factors is stronger than 2FA. However, most MFA uses two factors, which is the same as 2FA.
MFA tokens are physical devices used as a possession-based factor for MFA. A common example is a Yubikey.
SSO solutions allow access to multiple accounts after a single authentication. SSO can use MFA for improved security.
No. SAML allows users to authenticate once and gain access to multiple different accounts. SAML solutions may use MFA for better security but are not the same thing.
Adaptive MFA tailors the authentication process to the level of risk associated with a request. For example, working from a coffee shop is riskier than working from the office, and making a transaction is riskier than just looking at an online bank statement. Adaptive MFA may forgo MFA for low-risk actions while requiring it for higher-risk ones.
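To make the adaptive rules described here (and in the earlier section on adaptive MFA) concrete, here is an added example that is not part of the original article: a small policy engine that scores a request from its context (location, time of day, action, device), maps the score to how many distinct factor categories must be presented, and then counts categories rather than factors. It also encodes the emailed-code pitfall from earlier on the page: an email OTP only counts as “something you have” if the mailbox itself is guarded by something other than a password. The risk weights, thresholds, and all class and function names are this example's own assumptions, not a standard.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category


@dataclass(frozen=True)
class Context:
    location: str        # "office", "home" or "public" (constructed labels)
    hour: int            # local hour of day, 0-23
    action: str          # "view" or "transaction"
    new_device: bool     # first time this device has been seen


def risk_score(ctx: Context) -> int:
    """Additive risk score; weights are illustrative assumptions."""
    score = 0
    if ctx.location == "public":
        score += 2
    elif ctx.location != "office":
        score += 1
    if ctx.hour < 7 or ctx.hour > 20:
        score += 1
    if ctx.action == "transaction":
        score += 2
    if ctx.new_device:
        score += 2
    return score


def required_categories(ctx: Context) -> int:
    """Map the score to how many distinct factor categories must be shown:
    1 = password alone is acceptable, 2 = ordinary MFA, 3 = all three kinds."""
    score = risk_score(ctx)
    if score == 0:
        return 1
    if score <= 3:
        return 2
    return 3


def email_otp_factor(mailbox_guarded_by: Category) -> Factor:
    """An emailed code is only a possession factor if reaching the mailbox
    needs more than a (possibly reused) password."""
    if mailbox_guarded_by is Category.KNOWLEDGE:
        return Factor("email-otp", Category.KNOWLEDGE)
    return Factor("email-otp", Category.POSSESSION)


def distinct_categories(factors: list[Factor]) -> int:
    """Two factors of the same category count once; MFA means distinct kinds."""
    return len({f.category for f in factors})


def authorize(ctx: Context, presented: list[Factor]) -> bool:
    return distinct_categories(presented) >= required_categories(ctx)


PASSWORD = Factor("password", Category.KNOWLEDGE)
TOTP_APP = Factor("authenticator-app", Category.POSSESSION)
FINGERPRINT = Factor("fingerprint", Category.INHERENCE)

if __name__ == "__main__":
    home_view = Context("home", 10, "view", False)
    print("home, password only:", authorize(home_view, [PASSWORD]))
    print("home, password + app:", authorize(home_view, [PASSWORD, TOTP_APP]))
    weak_email = email_otp_factor(Category.KNOWLEDGE)
    print("home, password + email guarded by password:",
          authorize(home_view, [PASSWORD, weak_email]))
```

Counting categories instead of factors is the point: a rule that says “two factors” is satisfied by a password plus an emailed code even when the mailbox falls to the same password, while a rule that says “two distinct categories” is not.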
Passwordless MFA uses possession-based and inherence-based factors for authentication rather than a knowledge-based one like a password. For example, a passwordless MFA system may combine a fingerprint scan with reading a digital certificate stored on the user’s device.