What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) provides a constructive element of layered security by requiring users to prove their identities using two or more verification methods before they can be authenticated. In this way, if one factor is compromised or broken, the attacker still has at least one more barrier to breach before they can gain access to the target’s account. Most multi-factor authentication implementations utilize at least two authentication factors.
How does Multi-Factor Authentication work?
Multi-Factor Authentication (MFA) is the process whereby multiple technologies are used to authenticate the user's identity. In contrast, single factor authentication (or simply “authentication”) uses a single technology to prove the user’s authenticity. With Multi-factor authentication, users must combine verification technologies from at least two different groups or authentication factors.
- Something you know.
This is usually a password, PIN, passphrase or questions and their corresponding answers. In order to satisfy this technology, the user must enter information that the backend can then match against that which has been previously setup or stored.
- Something you have
Before the advent of smartphones, users would carry around tokens or smartcards. These devices would generate a one-time passcode (OTP) that could then be typed or entered into the backend system. Today, most users leverage their smartphone with authenticator app as the device that generates these codes or allows them to respond back to a server with a one-time passcode behind the scenes.
- Something you are.
This is anything from fingerprints, retina scans, facial recognition, voice recognition, or a user’s behavior (such as how hard or fast they type or swipe on a screen) that can be used to identify a unique user.
To achieve multi-factor authentication, at least two different technologies from at least two different technology groups must be used for authentication process. As a result, using a PIN coupled with a password would not be considered multi-factor authentication, while using a PIN with facial recognition as a second factor would be. It is also acceptable to use more than two forms of authentication. However, most users increasingly want frictionless authentication (the ability to be verified without the need to perform verification)
The Difference Between Two-factor and Multi-factor Authentication
The difference between multi-factor authentication and two-factor authentication is straightforward. In order for an authentication solution to be considered two-factor authentication, it must require the user to present two authentication factors, such as “what you have” and “what you know”, to clear the challenge.
Multi-factor authentication is broader. It merely requires the organization to use two or more factors in the authentication process.
Benefits of Multi-factor Authentication
Multi-factor authentication provides several key benefits to organizations using it as part of their security strategy:
- Improved Security
Multi-factor authentication provides increased security over static passwords and single-factor authentication processes.
- Achieves Compliance
Multi-factor authentication can help organizations comply with their industry regulations. For example, MFA is necessary to satisfy the strong authentication requirement of PSD2.
- Increased Flexibility and Productivity
Breaking the reliance on passwords can improve the customer experience. By focusing on low-friction authentication challenges, organizations can potentially increase security and improve the user-experience.
What Are the Types of Multi-factor Authentication Technologies?
- Hardware tokens
Small, easy-to-use hardware devices that an owner carries with them to authorize access to a network service. Supporting strong authentication with one-time passwords (OTPs), these hardware tokens provide the possession factor for multi-factor authentication while enabling enhanced security for banks and application providers who need to secure multiple applications with a single device.
- Soft tokens:
Software or “app-based tokens” generate a one-time use login PIN. Often these tokens are used for multi-factor authentication in which the device – in this case a smartphone – provides the possession factor.
- SMS Text-Message and Voice 2FA:
SMS-text message and voice 2FA provide one-time passwords to the user to authenticate. That password is delivered through a voice message or an SMS-text message to the user’s mobile device.
- Push Notification:
Push notifications deliver the authentication code or one-time password through a push notification on the user’s mobile device. Rather than receiving an SMS message, the notification appears on the lockscreen of the device.
- Visual Cryptogram:
Visual Cryptogram MFA solutions utilize a unique visual challenged contained in a graphical cryptogram consisting of a matrix of colored dots. The customer uses the camera on their mobile device to photograph the cryptogram and decrypt the transaction details housed within.
- Mobile authentication:
Mobile authentication is the process of verifying a user via their phone or verifying the device itself, allowing users to log into secure locations and access resources from anywhere with enhanced security.
- Biometric authentication:
This includes leveraging a fingerprint scan or face recognition to accurately and securely authenticate users, even on mobile devices as well as behavioral authentication which provides an invisible layer of security that continuously authenticates end users by the unique ways they interact with their computer or mobile device via keystroke, swipe pattern, mouse movement and more.
Why Do I Need Multi-Factor Authentication?
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multi-factor authentication methods are more reliable and a stronger deterrent for cyber criminals than outdated single-factor username/password user authentication, which are harder to defend against security breaches, compromising data security. These data breaches could potentially result in serious damage to the consumer or organization with lost / stolen data, identity theft, and phishing attacks, etc.
Multi-factor authentication requires users to prove their identities using two or more verification methods before they can be authenticated. In this way, if one factor is compromised, the attacker still has at least one more barrier to breach before breaking into the target.
Where can I use MFA?
Multi-factor authentication should be used when accessing any sensitive data. For example:
- When you access your bank account at an ATM, you use MFA by having something you know, (the PIN), and something you have, (the ATM Card).
- When you visit your Facebook, Google or Microsoft account from a new location or device, you use multi-factor authentication by having something you know, (the password), and something you have, (your mobile phone that receives the notification you must approve before allowing you to login).
- When you use your mobile phone, you use multi-factor authentication by something you have, (the phone), and something you are, (your fingerprint or facial scan), or other biometric technology available on the device.
- Good multi-factor authentication (MFA) allows you to be secure and provides the ability to do so seamlessly when accessing the features and functions of a service provider.
How do I Get Started with Multi-Factor Authentication?
OneSpan’s multi-factor authentication solutions have been designed from the ground up to safeguard accounts and transactions by offering two or three factors of security, while meeting user demand for a simple sign-in process. OneSpan has invested considerable time and resources to create easy-to-use, scalable, and reliable solutions that deliver strong authentication using a range of easy verification options — such as color QR codes and Bluetooth. These include: