Multi-factor Authentication

Multi-factor authentication checks multiple aspects of a person’s identity before allowing them access to an application or database instead of just checking one. It is much more secure than single-factor authentication.

What is MFA (multi-factor authentication)?

Multi-factor authentication, or MFA, is a way to verify user identity that is more secure than the classic username-password combination. MFA usually incorporates a password, but it also incorporates one or two additional authentication factors. Two-factor authentication (2FA) is a type of MFA.

MFA is an important part of identity and access management (IAM), often implemented within single sign-on (SSO) solutions.

What are authentication factors?

Before granting a user access to a software application or a network, identity verification systems assess the user for specific characteristics to make sure they are who they say they are. These characteristics are also known as “authentication factors.”

The three most widely used authentication factors are:

  1. Knowledge: something the user knows
  2. Possession: something the user has
  3. Inherent qualities: something the user is

MFA refers to any usage of two or more authentication factors. If only two authentication factors are used, MFA can also be referred to as two-factor authentication or two-step verification. Three-factor authentication is another form of MFA.

What are some real-world examples of the three authentication factors?

  • Knowledge (something the user knows): This factor is knowledge only one user should have, like a username and password combination. Other knowledge factors include security questions, ID numbers, and Social Security numbers. Even a “secret handshake” may be something a user knows.
  • Possession (something the user has): This factor refers to the possession of a physical token, device, or key. The most basic example of this authentication factor is using a physical house key to enter one’s home. In a computing context, the physical object could be a key fob, a USB device, or a smartphone. Many modern MFA systems will text a temporary code to a user’s phone and ask them to enter the code to access their account. This demonstrates that the user possesses a phone that no one else possesses, helping establish their identity (unless an attacker has hijacked the user’s SIM card).
  • Inherent qualities (something the user is): This refers to a physical property of one’s body. The most basic version of this authentication factor is the ability to recognize someone by sight or by the sound of their voice. Humans use this ability constantly in their daily interactions. Checking one’s appearance against the photo on one’s ID card is another example of verifying inherent qualities. One example of this authentication factor in a computing context is Face ID, a feature many modern smartphones offer. Other methods may include fingerprint scanning, retina scans, and blood tests.

Why is MFA more secure than single-factor authentication?

Single-factor authentication uses just one of the above factors to identify a person. Requiring a username and password combination is the most common example of single-factor authentication.

The problem with single-factor authentication is that an attacker only needs to attack the user in one way to impersonate them successfully. If someone steals the user’s password, the user’s account is compromised. By contrast, if the user implements MFA, an attacker needs more than a password to gain access to the account — for example, they will likely need to steal a physical item from the user as well, which is much more difficult.

This issue also applies to other forms of single-factor authentication. Imagine if banks only required using a debit card for withdrawing money — the possession factor — instead of requiring a card plus a PIN. To steal money from someone’s account, all a thief would need to do is steal their debit card.

It is essential to remember that using different factors makes MFA secure, not multiple uses of the same element.

Suppose one application prompts a user to enter a password only while another prompts a user to enter both a password and an answer to a security question. Which application is more secure?

Technically, the answer is neither: both applications rely on one authentication factor, the knowledge factor. An application that requires a password and either a physical token or a fingerprint scan is more secure than an application that only requires a password and some security questions.

Which forms of MFA are the most effective?

This is a highly contextual question. Generally, multi-factor authentication will be much more secure than single-factor authentication.

With that said, certain forms of MFA are vulnerable to sophisticated attack methods. In one real-world example, attackers sent employees SMS phishing messages pointing to fake login pages for the organization’s single-sign-on service. If a user entered their username and password into this fake page, the following steps took place:

  1. The attackers used the stolen username and password on the organization’s actual login page.
  2. The real login page attempted to verify another authentication factor — possession — by sending a temporary code to the real user’s phone.
  3. The attackers redirected the user to another fake page, which asked them to enter the temporary code.
  4. If the user did so, the attackers used that code on the actual login page and gained access to the account.

By contrast, another way of verifying possession — a USB security token — would not be susceptible to this attack. If all users are given unique security tokens to plug into their computers and must physically activate them to authenticate, attackers possessing someone’s username and password would be unable to access accounts unless they stole that person’s computer. The same could be said of verifying identity using inherent qualities, e.g., a user’s fingerprint or facial scan.

Does this mean security tokens and fingerprint scans are more secure than one-time passwords? In a phishing context, yes. However, organizations should evaluate their security risks and needs before selecting an MFA method. Again, any form of MFA is more secure than single-factor authentication and would represent a significant step in an organization’s security journey.

Are there any other authentication factors?

Some security industry members have proposed or implemented additional authentication factors besides the three main ones listed above. Though rarely implemented, these authentication factors include the following:

Location: Where a user is at the time of login. For instance, if a company is based in the US and all its employees work in the U.S., it could assess an employee’s GPS location and reject a login from another country.

Time: When a user logs in, typically in context with their other logins and with their location. If a user appears to log in from one country and then attempts a subsequent login from another country several minutes later, those requests are not likely to be legitimate. A system might also reject login attempts outside of regular business hours — although this is more like a security policy than an identity authentication factor.

If these are both considered additional identity factors, which is up for debate, then four-factor and five-factor authentication are technically possible. Both fall under the umbrella of multi-factor authentication.

Implementing such strong security measures must be weighed against the toll this takes on the user since overly stringent security measures often incentivize users to circumvent official policies.

How can users implement MFA for their accounts?

Many consumer web services offer MFA today. Most applications that do have MFA submit a form of 2FA that requires the user to use their smartphone when logging in. Explore the security settings in each application to see if it is possible to activate 2FA.

How can businesses implement MFA?

Using an SSO solution is a recommended step for implementing MFA. SSO provides a single place for implementing MFA across all apps, whereas not all individual apps will support MFA.


Nord VPN
60% off Nord VPN
Coinbase - Getty Images - 1234552839
Coinbase – Crypto Currency – Sign up with this link and get $10 free?! Buy/sell/exchange crypto, and use their ATM card to access your cash easily!
Chase Sapphire Preferred - Travel Points
NordPass - Password Manager - CJ Banner
https://www.dpbolvw.net/click-100604079-15345170
Binance Cryptowallet - Buy/Sell
Binance Blockchain
Amazon - Daily Deals
Amazon’s Daily Deals!
Your favorite restaurants are delivered to your front door! Grubhub!
Game Fly
Game Fly Video Game Rentals!

Please enter CoinGecko Free Api Key to get this plugin works.