How does Multi-Factor Authentication work?
Multi-factor authentication (MFA) uses multiple technologies to authenticate a user's identity. In contrast, single factor authentication (or simply “authentication”) uses a single technology to prove the user’s authenticity. With MFA, users must combine verification technologies from at least two different groups or authentication factors. These factors fall into three categories: something you know, something you have, and something you are. This is why using a PIN with a password (both from the “something you know” category) would not be considered multi-factor authentication, while using a PIN with facial recognition (from the “something you are” category) would be. Note that a password is not required to qualify for MFA. An MFA solution can be entirely passwordless.
It is also acceptable to use more than two authentication methods. However, most users want frictionless authentication (the ability to be verified without the need to perform verification).
What authentication factors are used in MFA?
Following are the three main categories:
- Something you know (knowledge factor)
This is typically a password, PIN, or passphrase, or a set of security questions and their corresponding answers known only to the individual. To use a knowledge factor for MFA, the end user must correctly enter information matching details that were previously stored in the online application.
- Something you have (possession factor)
Before smartphones, users carried tokens or smartcards that generated a one-time password or passcode (OTP) that could be entered into the online application. Today, most users install an authenticator app on their smartphone to generate OTP security keys.
- Something you are (inherence factor)
Biometric data about an individual ranges from fingerprints, retina scans, facial recognition, and voice recognition to behaviors (such as how hard or fast the person types or swipes on a screen).
To achieve multi-factor authentication, at least two different technologies from at least two different technology groups must be used for authentication process. As a result, using a PIN coupled with a password would not be considered multi-factor authentication, while using a PIN with facial recognition as a second factor would be. It is also acceptable to use more than two forms of authentication. However, most users increasingly want frictionless authentication (the ability to be verified without the need to perform verification)
What is the difference between two-factor and multi-factor authentication?
To be considered two-factor authentication (2FA), a solution always requires the user to present two authentication factors from two different categories, such as a possession factor and a knowledge factor, to verify their identity. Multi-factor authentication is broader than two-factor authentication. It requires the organization to use two or more factors in the authentication process.
What are the different types of multi-factor authentication technologies?
Following are common MFA technologies:
- Biometric authentication
Biometric technologies are a form of authentication that accurately and securely authenticate users through their mobile devices. The most common biometric modalities are fingerprint scan and face recognition. Biometric authentication also includes behavioral biometrics, which provides an invisible layer of security by continuously authenticating an individual based on the unique ways they interact with their computer or mobile device: keystrokes, swipe pattern, mouse movements, and more.
- Hardware tokens
Hardware authenticators are small, easy-to-use devices that an owner carries to authorize access to a network service. By supporting strong authentication with one-time passcodes (OTPs), the physical tokens provide a possession factor for multi-factor authentication while enabling enhanced security for banks and application providers that need to secure multiple applications with a single device.
- Mobile authentication
Mobile authentication is the process of verifying a user via their Android or iOS device or verifying the device itself. This technology allow users to login to secure locations and access resources from anywhere with enhanced security.
- Out-of-band authentication
This authentication type requires a secondary verification method through a separate communication channel, typically the person’s Internet connection and the wireless network on which their mobile phone operates. These are examples of out-of-band technologies:
- Cronto® code
This color QR-like code can authenticate or authorize a financial transaction. The individual sees this color QR-like code displayed through their web browser. Only the person’s registered device can read and decrypt the code. It contains transaction details that the user can verify before completing the transaction, which makes it very secure.
- Push notification
Push notifications deliver an authentication code or one-time passcode on the user’s mobile device. Unlike an SMS message, the notification appears on the lock screen of the device.
- SMS text message or voice message
One-time passcodes are delivered to the user’s mobile device through an SMS text message or a voice message.
- Soft token
Software authenticators or “app-based tokens” generate a one-time login PIN. Often these software tokens are used for MFA use cases where the user’s device – in this case a smartphone – provides the possession factor.
- Cronto® code
Why do organizations need multi-factor authentication?
Account takeover fraud (ATO) is a surging cybersecurity threat, fueled by sophisticated social engineering (i.e. Phishing attacks), mobile malware, and other attacks. Properly designed and implemented MFA methods are more reliable and effective against sophisticated attacks than outdated single-factor username/password authentication, which can easily be compromised by cybercriminals via widely available hacking tools.
What are some key benefits of MFA?
As part of their security strategy, organizations use MFA to achieve:
Multi-factor authentication provides increased security over static passwords and single-factor authentication processes.
Multi-factor authentication can help organizations comply with their industry regulations. For example, MFA is necessary to satisfy the strong authentication requirement of PSD2 for Strong Customer Authentication (SCA).
Improved user experience
Breaking the reliance on passwords can improve the customer experience. By focusing on low-friction authentication challenges, organizations can increase security and improve the user experience.
How is cloud computing making an impact on MFA?
Banks, financial institutions, and other financial services organizations are beginning to shift from internally hosted applications in favor of cloud-based software-as-a-service (SaaS) applications, such as Office 365, Salesforce, Slack, and OneSpan Sign. As a result, the amount of sensitive data and files hosted in the cloud is increasing, elevating the risk of a data breach of compromised personal information (PII) which drives account takeovers. Adding to the security risk, users of SaaS apps can be located anywhere, not just within corporate networks. The extra layers of security provided by MFA vs. simple password protection can help counter these risks. In addition to knowledge, possession, and inherence factors, some MFA technologies use location factors, such as media access control (MAC) addresses for devices, to ensure that the resource is accessible only from specified devices.
Another way cloud is affecting MFA is through cloud hosting of MFA solutions, which are typically more cost-effective to implement, less complex to administer, and more flexible than on-premises solutions. Cloud-based products may provide more options targeted to mobile users, such as mobile authenticator apps, push notifications, context analytics like geolocation, and biometrics.
How can banks get started with multi-factor authentication?
OneSpan’s multi-factor authentication solutions have been designed from the ground up to safeguard accounts and transactions by offering multiple authentication factors while meeting demands for a simple sign-in process. OneSpan has invested considerable time and resources to create easy-to-use, scalable, and reliable solutions that deliver strong authentication using a range of easy verification options — such as color QR codes and Bluetooth. These include:
- Software authentication
- Mobile authenticators
- SMS delivery
- Hardware authentication
- USB authenticators
- Smart card readers
- Biometric authentication
- Push Notification
Why should financial services consumers use MFA?
Consumers should use MFA whenever they access sensitive data. A good example is using an ATM to access a bank account. The account owner uses MFA by combining something they know (the PIN) and something they have (the ATM card). Similarly, when logging in to a Facebook, Google, or Microsoft account from a new location or device, consumers use MFA by entering something they know (the password) and a second factor, something they have (the mobile app that receives the push or SMS notification).