Approaches to Multi-Factor Authentication

You can use Multi-Factor Authentication (MFA) in a variety of ways depending on the desired balance between security and usability. An MFA solution makes the system more secure because when you use more than one authentication factor you have a stronger proof of the user's identity. This article will look into how your use case affects the MFA solution, types of authentication factors and four examples of how you can implement multi-factor authentication.

How Use Cases Affect Multi-factor Authentication

MFA is an approach, not a concrete solution or a product. What factors you use, how you configure MFA, when you enable it, or for who you enforce it depends on your concrete use case. When designing an MFA solution, you should start with the use case and understand the requirements and limitations. Below you will find a few examples, however this is by no means an exhaustive list.

Protecting Personal Accounts For Internet Users

When you run a system where you let anyone sign up, you will have little knowledge and control over the systems and devices these users operate. You will not know what is their skill level when it comes to using more complex authentication factors or whether they have easy access to additional hardware (like security keys). This means you will usually let people choose whether to use MFA or not and which factors they use. Sometimes, however, you will run a service containing sensitive data or have a service targeted at technically savvy users. Then it might be beneficial to enforce MFA even if it would mean losing part of your user base — the security of users' data should have a higher priority than maximizing signup numbers.

Administrators Controlling How Employees Access Corporate Data

In a setup where you need to control employees' access to corporate systems, you can enforce MFA. For example, you can ensure that whenever you onboard an employee, you preconfigure MFA for them. You can even refer to stronger security solutions and provide all employees with external security keys.

Cases That Require Strong Identity Assurance

If your system allows access to highly sensitive data, like medical or financial data, you will have to strongly verify the user's identity. In such a case, you use MFA not only to strengthen the access security but also to make sure that the user accessing the system is really the person who they claim to be. You will most probably use factors that include biometric verification or that use government-issued eIDs (e.g. an eID presented using Decentralized Identity).

Types of Authentication Factors

Every authenticator (authentication factor) that you use to identify a user falls into one of these three types:

• Something the user knows, like a password or a PIN.
• Something that the user has, like a smartcard, mobile device, a security key fob, eID, or access to an email account.
• Something the user is, e.g. recognizing the user's face (with FaceID, etc.), fingerprints or typing patterns.

An important aspect of a multi-factor authentication is that you should mix factors from at least two different groups. For exampe, asking the user to submit two different passwords should not be considered as MFA (the user will most probably have both passwords written down on the same post-it).

MFA Implementation Approaches

1) Always on Approach

The first approach to MFA is the Always on Approach. This approach directs the user to use two or more factors at every login. While this might be effective as far as security is concerned, it has drawbacks from a usability perspective. Users are often put off by frequent requests for additional factors and not all data requires the same level of protection. A more flexible approach to MFA often better serves the interests of both data providers and users.

2) Opt-in Approach

One such flexible approach is to allow users to opt in to MFA, particularly in situations where they are primarily concerned with protecting their own data and that data is not particularly sensitive. This approach gives users more decision power in the process as the user can choose whether they want to use multi-factor authentication or not, and to choose from a few different options that they can configure such as WebAuthn, passkeys, a key fob, SMS or an email link. Email service providers, for example, have an interest in protecting user data but at the same time may fear users will switch providers if security burdens are considered too heavy. In such cases, users who sign on with a single factor can be encouraged to set up MFA but not required to do so.

User Experience and Opt-In MFA

MFA often needs to be balanced with usability:

• Gradual rollout that users configure when it suits them
• Time to live so that MFA is not needed on every login
• Ability for user to manage and change their own factors
• Recovery codes to ensure reliability if a device is lost

3) Step-up Authentication

Sometimes a user only needs access to information that requires a minimum of protection. In such cases, signing on with a single factor, generally a password, may be preferable to using MFA from the beginning. The user is not burdened with additional login requirements and the data provider does not have to overprotect less sensitive information.

However, as soon as the user attempts to access more sensitive information or to engage in a transaction, the user can be prompted for additional factors, thus stepping up from one factor to two or more.

This approach is often taken in the financial services industry, where, for example, customers may simply wish to check their account balance or credit score. If MFA was used at the outset, users might be less inclined to access the site for such simple queries. Being able to access basic information with a single factor sign-on process can enhance user experience without jeopardizing security.

At the same time, step-up authentication ensures that when users want access to more sensitive data, such as when they want to transfer money or apply for a loan, they can be immediately challenged to provide additional authentication. They step up to MFA only when the need for heightened security requires it.

4) Time-sensitive Re-verification

Another approach to MFA that can improve usability while maintaining security involves fine-tuning the TTL (Time to Live) of the different authentication factors. In this case, the user logs on for the first time with two or more factors so that MFA is established from the beginning. If the user continues to use the same browser and a trusted device, however, it may be unnecessary for the user to go through this entire process again for an extended period of time.

Google uses such an approach for its user accounts. If a user signs up for MFA, or what Google calls “2-Step Verification,” the user must initially log on with two factors: a password and a code provided by SMS, email, or voice over a phone. After that, provided the user continues using the same browser and machine, the user may only occasionally be prompted for a password and even more rarely challenged for an access code.

The TTL for the two factors are set for different durations, with the lifespan of the password set at a shorter interval than that of the code. However, if the user tries to access the same account from a different machine or on another browser, both authentication factors would again be required for re-verification.

With this approach, the TTL of various factors could be set to whatever lengths are required to optimize user experience while maintaining adequate levels of security.

Summary

MFA can be applied to multiple use cases and requires your IAM system to provide extensibility features. These various approaches to MFA all involve trade-offs between usability and security. But they strike very different balances between the two. The Always on approach stresses security needs over usability concerns. The Opt-in approach lets users decide how much security they require, allowing them to shift the balance away from usability if they wish. Step-up authentication opts for ease of use on the initial login, stepping up to MFA when greater security is needed. Time-sensitive re-verification, on the other hand, uses MFA from the start but staggers the re-verification process to reduce demands on the user without sacrificing MFA-level protections.