What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is an access management component that requires users to prove their identity using at least two different verification factors before gaining access to a website, mobile application, or other online resource. With MFA, if one factor is compromised, an attacker still has at least one more barrier to breach before they can gain access to the target’s account.

How does Multi-Factor Authentication work?

Multi-factor authentication (MFA) uses multiple technologies to authenticate a user's identity. In contrast, single factor authentication (or simply “authentication”) uses a single technology to prove the user’s authenticity. With MFA, users must combine verification technologies from at least two different groups or authentication factors. These factors fall into three categories: something you know, something you have, and something you are. This is why using a PIN with a password (both from the “something you know” category) would not be considered multi-factor authentication, while using a PIN with facial recognition (from the “something you are” category) would be. Note that a password is not required to qualify for MFA. An MFA solution can be entirely passwordless.

It is also acceptable to use more than two authentication methods. However, most users want frictionless authentication (the ability to be verified without the need to perform verification).

What authentication factors are used in MFA?

Following are the three main categories:

  • Something you know (knowledge factor)
    This is typically a password, PIN, or passphrase, or a set of security questions and their corresponding answers known only to the individual. To use a knowledge factor for MFA, the end user must correctly enter information matching details that were previously stored in the online application.
  • Something you have (possession factor)
    Before smartphones, users carried tokens or smartcards that generated a one-time password or passcode (OTP) that could be entered into the online application. Today, most users install an authenticator app on their smartphone to generate OTP security keys.
  • Something you are (inherence factor)
    Biometric data about an individual ranges from fingerprints, retina scans, facial recognition, and voice recognition to behaviors (such as how hard or fast the person types or swipes on a screen).

To achieve multi-factor authentication, at least two different technologies from at least two different technology groups must be used for authentication process. As a result, using a PIN coupled with a password would not be considered multi-factor authentication, while using a PIN with facial recognition as a second factor would be. It is also acceptable to use more than two forms of authentication. However, most users increasingly want frictionless authentication (the ability to be verified without the need to perform verification)

What is the difference between two-factor and multi-factor authentication?

To be considered two-factor authentication (2FA), a solution always requires the user to present two authentication factors from two different categories, such as a possession factor and a knowledge factor, to verify their identity. Multi-factor authentication is broader than two-factor authentication. It requires the organization to use two or more factors in the authentication process.

KuppingerCole 2018 Leadership Compass: Cloud-based MFA Solutions
Analyst Report

KuppingerCole Leadership Compass Cloud-based MFA Solutions

Overview of the SaaS MFA market, with top requirements, insights on 12 leading vendors, and the latest innovations.

Download Now

What are the different types of multi-factor authentication technologies?

Following are common MFA technologies:

  • Biometric authentication
    Biometric technologies are a form of authentication that accurately and securely authenticate users through their mobile devices. The most common biometric modalities are fingerprint scan and face recognition. Biometric authentication also includes behavioral biometrics, which provides an invisible layer of security by continuously authenticating an individual based on the unique ways they interact with their computer or mobile device: keystrokes, swipe pattern, mouse movements, and more.
  • Hardware tokens
    Hardware authenticators are small, easy-to-use devices that an owner carries to authorize access to a network service. By supporting strong authentication with one-time passcodes (OTPs), the physical tokens provide a possession factor for multi-factor authentication while enabling enhanced security for banks and application providers that need to secure multiple applications with a single device.
  • Mobile authentication
    Mobile authentication is the process of verifying a user via their Android or iOS device or verifying the device itself. This technology allow users to login to secure locations and access resources from anywhere with enhanced security.
  • Out-of-band authentication
    This authentication type requires a secondary verification method through a separate communication channel, typically the person’s Internet connection and the wireless network on which their mobile phone operates. These are examples of out-of-band technologies:
    • Cronto® code
      This color QR-like code can authenticate or authorize a financial transaction. The individual sees this color QR-like code displayed through their web browser. Only the person’s registered device can read and decrypt the code. It contains transaction details that the user can verify before completing the transaction, which makes it very secure.
    • Push notification
      Push notifications deliver an authentication code or one-time passcode on the user’s mobile device. Unlike an SMS message, the notification appears on the lock screen of the device.
    • SMS text message or voice message
      One-time passcodes are delivered to the user’s mobile device through an SMS text message or a voice message.
    • Soft token
      Software authenticators or “app-based tokens” generate a one-time login PIN. Often these software tokens are used for MFA use cases where the user’s device – in this case a smartphone – provides the possession factor.

Why do organizations need multi-factor authentication?

Account takeover fraud (ATO) is a surging cybersecurity threat, fueled by sophisticated social engineering (i.e. Phishing attacks), mobile malware, and other attacks. Properly designed and implemented MFA methods are more reliable and effective against sophisticated attacks than outdated single-factor username/password authentication, which can easily be compromised by cybercriminals via widely available hacking tools.

What are some key benefits of MFA?

As part of their security strategy, organizations use MFA to achieve:

  • Improved security
    Multi-factor authentication provides increased security over static passwords and single-factor authentication processes.

  • Regulatory compliance
    Multi-factor authentication can help organizations comply with their industry regulations. For example, MFA is necessary to satisfy the strong authentication requirement of PSD2 for Strong Customer Authentication (SCA).

  • Improved user experience
    Breaking the reliance on passwords can improve the customer experience. By focusing on low-friction authentication challenges, organizations can increase security and improve the user experience.

How is cloud computing making an impact on MFA?

Banks, financial institutions, and other financial services organizations are beginning to shift from internally hosted applications in favor of cloud-based software-as-a-service (SaaS) applications, such as Office 365, Salesforce, Slack, and OneSpan Sign. As a result, the amount of sensitive data and files hosted in the cloud is increasing, elevating the risk of a data breach of compromised personal information (PII) which drives account takeovers. Adding to the security risk, users of SaaS apps can be located anywhere, not just within corporate networks. The extra layers of security provided by MFA vs. simple password protection can help counter these risks. In addition to knowledge, possession, and inherence factors, some MFA technologies use location factors, such as media access control (MAC) addresses for devices, to ensure that the resource is accessible only from specified devices.  

Another way cloud is affecting MFA is through cloud hosting of MFA solutions, which are typically more cost-effective to implement, less complex to administer, and more flexible than on-premises solutions. Cloud-based products may provide more options targeted to mobile users, such as mobile authenticator apps, push notifications, context analytics like geolocation, and biometrics.

How can banks get started with multi-factor authentication?

OneSpan’s multi-factor authentication solutions have been designed from the ground up to safeguard accounts and transactions by offering multiple authentication factors while meeting demands for a simple sign-in process. OneSpan has invested considerable time and resources to create easy-to-use, scalable, and reliable solutions that deliver strong authentication using a range of easy verification options — such as color QR codes and Bluetooth. These include:

Intelligent Adaptive Authentication White Paper
White Paper

Adaptive Authentication | Growth Through Intelligent Security

Download this white paper to help improve the customer experience, reduce fraud and achieve growth.

Get the White Paper

Why should financial services consumers use MFA?

Consumers should use MFA whenever they access sensitive data. A good example is using an ATM to access a bank account. The account owner uses MFA by combining something they know (the PIN) and something they have (the ATM card). Similarly, when logging in to a Facebook, Google, or Microsoft account from a new location or device, consumers use MFA by entering something they know (the password) and a second factor, something they have (the mobile app that receives the push or SMS notification).

Multi-factor authentication FAQ

What makes MFA so secure?

Multi-factor authentication adds an extra layer of authentication that makes it much harder for cybercriminals to successfully hack accounts. Standard credentials (username and password) are relatively easy for threat actors to obtain using phishing and other widely available tools and resources. Also, the common practice of reusing a password makes it possible for a hacker to compromise multiple accounts with one successful attack. With MFA, authorization credentials must come from two or more different categories: something you know (a password), something you have (an SMS code, smartcard, authenticator app, or hardware token, also known as a key fob), and something you are (a biometric). Thieves would have to steal items beyond a password—such as your smartphone or bank card—making it much harder for them to compromise your account. The National Institute of Standards and Technology (NIST) recommends using MFA whenever possible, especially when it comes to the most sensitive data like your financial accounts and health records.

What are “implicit attributes,” and do they count as factors?

Also referred to as contextual authentication, implicit attributes use geolocation, IP address, time of day and device identifiers such as the operating system or the mobile phone’s browser version, to help determine whether a user’s identity is authentic. While implicit attributes are not authentication factors because they do not confirm a user’s identity or provide identity verification, they can help strengthen barriers to cyberattacks.

What is the difference between two-factor authentication and MFA?

Two-factor authentication (2FA) is a subset of MFA that uses two factors from two of these categories—something you know, something you have, and something you are—to verify identity. Multi-factor authentication could involve more than two factors, although many multi factor authentication solutions use two.
A logical question is whether MFA is more secure than second factor authentication. In general, the more factors required, the stronger the access management protection; however, the type of factor also plays a role. Biometrics are far harder to steal than passwords. Further, most end users desire a simpler authentication process and may try to find workarounds if the number of required factors becomes burdensome. As a result, modernizing the authentication user experience is now a primary goal for many banks and financial institutions, especially for mobile users using the bank’s mobile app.

Which types of cyberattacks can MFA help to prevent?

MFA helps to thwart the following types of cyberattacks by requiring additional information or credentials from the user.


  • Phishing attack:
    Particularly now, with the huge increase in remote work, phishing attacks are being used to trick workers into giving up network credentials, often through the use of malicious links and attachments or bogus log-in pages for SaaS apps like Microsoft Office 365. When organizations require at least two types of authentication, such as a one-time passcode in addition to user ID and password, identity thieves have a harder time infiltrating the corporate network or VPN.
  • SIM swap:
    This type of attack involves impersonating a mobile device user. The attackers tries to persuade the user’s cellular service provider to move their data to a new SIM (subscriber identity module) card because the original card or device has been lost or damaged. If successful, a SIM swap transfers “ownership” of the mobile number to the attacker, who can then intercept SMS codes sent to the device. To combat SIM swaps, MFA offers a range of strong authentication methods (biometrics, software tokens, security keys) that avoid the use of SMS codes.
  • Mobile malware:
    This type of malicious software targets mobile devices to gain access to private data. Examples include banking Trojans and mobile ransomware. Unfortunately, hackers are increasingly focused on bypassing MFA protections for mobile devices, especially one-time passwords sent using SMS. To combat MFA bypass efforts, it is recommended to avoid SMS and choose stronger methods such as biometrics (fingerprint, face or retina scan) and push notifications

What is adaptive authentication?

Adaptive authentication, also called risk-based authentication, is a type of MFA that adjusts required authentication factors based on a transaction’s level of risk. It uses anti-fraud rules to produce a pre-defined reaction to the authentication attempt. The appropriate type of authentication can be defined for the appropriate type of perceived risk based on known points of data.  For instance, attempts from a specific location (e.g., outside the customer’s country) might be defined to trigger a certain type of MFA combination.
Adaptive authentication eliminates the “one size fits all” problem that plagues most authentication systems today: a daily login from the same location requires the same level of authentication as a brand-new login from a heavily attacked location. These two logins should be treated with different levels of authentication.
Intelligent adaptive authentication takes this a step further by using anti-fraud rules together with machine learning algorithms to become familiar with the user’s role and typical access scenarios, including locations, devices, and IP addresses. Each time the user tries to authenticate, an intelligent adaptive authentication system analyzes all contextual data, scores it to determine the propensity for risk, and adapts the authentication workflow to that level of risk.
One benefit of this approach is flexibility. Instead of enforcing the same standard MFA requirement for every user, adaptive authentication adjusts to the situation by making routine, low-risk access attempts simpler and faster and adding more security for higher-risk access attempts.

What are out-of-band mechanisms in MFA, and how do they work?

Out-of-band authentication is a type of MFA that requires a secondary verification method through a separate communication channel. Typically, this involves sending a one-time passcode (OTP) to the user’s mobile phone to be applied in conjunction with their password-protected Internet connection on a different device, such as a desktop or laptop.
Authentication via two separate, unconnected channels that would have to be simultaneously breached by an attacker makes a successful compromise much less likely. Out-of-band authentication is often used by banks and other financial institutions with stringent security requirements.

There are several ways to deliver one-time passwords to a mobile device:

  • QR code or visual cryptogram
  • Push notification
  • SMS (Note that SMS is no longer a recommended security measure because it is very easy for a hacker to steal a user’s mobile number using the SIM swap method in order to obtain SMS passwords).

Other methods include requiring the user to:

  • Make a phone call from a registered device (often used to activate a new credit card)
  • Respond to an automatically generated phone call from the bank or other institution
  • Receive an OTP on their phone app or via push notification to authorize an ATM transaction or access a web portal.

What technologies are being explored to streamline MFA for mobile users?

Because MFA solutions enforce additional authentication measures, they can make the process of accessing an account or portal more burdensome, particularly for mobile phone users. This added burden, which slows people down or makes it harder for them to accomplish a task, is called “friction.” To help streamline the authentication process and reduce friction, new “passive” technologies work in the background without requiring user action. One example is behavioral biometric authentication, which identifies a person based on their unique patterns of typing or swiping when interacting with a smartphone or tablet.
The Fast Identity Online (FIDO) Alliance was created to help reduce dependence on passwords through the use of passwordless authentication. FIDO protocols support authentication technologies, including biometrics. The FIDO 2 protocol, implemented by Google, Microsoft, and other vendors, allows people to use FIDO-compliant hardware tokens to authenticate to their browser without having to type their username and password. Similarly, many large banks implement the protocol to allow FIDO-enabled mobile devices to authenticate into their banking application without requiring the end user to type a username and password.

What is the WebAuthn standard and how can it help strengthen security for online banking?

WebAuthn attempts to bring FIDO-style authentication technology to web applications.  It provides a standard way for web application developers to implement secure multi factor authentication without having to use third-party authentication libraries and systems.  WebAuthn brings the safety of biometrics and strong authentication to web applications that previously required heavy back-ends and additional engineering considerations. The WebAuthn protocol is designed to give developers of newer single page applications (SPAs) and progressive web apps (PWAs) a way to implement strong authentication leveraging built-in local device technologies that web pages couldn’t easily access before.

Get in touch with us

Get in touch with one of our security experts to learn more about how our solutions can help with your digital security needs