Introduction to Multi-Factor Authentication
What is Multi-factor Authentication (MFA)?
Multi-factor authentication (MFA) is the name for an authentication method that relies on more than one factor when determining whether to grant access to a user. It has become an increasingly important means of proving identity and securing information.
From the moment the first treasure was amassed, limiting access to it became a priority. If buried in the ground, knowledge of the location was critical. If a locked chest or storage room were involved, a key was required. If guards were posted, recognition of the rightful owner was vital.
Today data is the great treasure that must be secured, but the means of protecting it still often involve these elemental factors: knowledge, possession and inherence. In other words, access is granted or denied depending on what someone knows, what someone has or what someone uniquely is.
When talking about internet security, some multi-factor authentication examples include:
- Providing a username and password, then confirming it with a code generated by the Google Authenticator app (a Time-based One Time Password).
- Logging in with a Facebook account, then clicking on a link received to an e-mail account associated with the Facebook account.
- Logging in with username and password, then confirming it with a hardware security key, like a Yubikey.
Different Categories of Authentication Factors
- Knowledge factors
- Possession factors
- Inherence factors
- Location factors
Modern knowledge factors include usernames or IDs, passwords, PINs, and the answers to security questions. Possession factors include bank or ID cards, security tokens and one-time password (OTP) generators; very often these factors are kept on a smartphone. Inherence factors are rapidly expanding with developments in biometrics technology. In addition to fingerprints, these factors now include facial and voice recognition, retina scans, and an individual's typing patterns on a keyboard. Location factors refer to the user's physical location at the time of authentication. Generally, these factors do not require any user input but are determined automatically, for example by looking up the client's IP address.
Single-factor authentication has obvious limitations. Passwords, for example, are often used on their own as a single-factor authentication method, but passwords are easily forgotten, easily stolen, and sometimes easily guessed or cracked. Consequently, even in the consumer world, there has been a growing push toward Two-factor Authentication (2FA), also sometimes called Two-step Verification or Two-step Authentication. Strictly speaking, 2FA is a subset of MFA and the simplest form of a multi-factor strategy.
Other Names for Multi-Factor Authentication
- Two-factor Authentication
- Two-step Verification
- Two-step Authentication
In Two-factor Authentication, a second factor, or step, is added to the first to increase the overall level of security. This second factor can be as simple as having a bank card (a possession factor) to be used in tandem with a password or PIN (a knowledge factor). More complicated two-factor scenarios now often involve the use of smartphones, SMS messages, and OTP apps.
A basic principle of good MFA practice is to vary the categories of factors involved. A system built on passwords and security questions (both knowledge factors) is generally less secure than one that employs passwords and SMS messages delivered to your phone. Another general principle is that in scenarios where it is critical to ensure that the user is who they claim to be, the user should not be able to go from one factor to two on their own. If, for example, a user signs up for an email account, creates a password and username and then adds a phone number, this is essentially going from one factor to two. The addition or “bootstrapping” of the second factor may provide the user with additional security, but it does not increase confidence in his or her identity.
Identity can be asserted much more strongly by going from two factors to two, that is, by establishing identity with multiple factors before any further factors are issued. In Bank ID systems, for example, the user must appear at a bank with some form of approved ID. The user then receives a device and a PIN. The device, when accessed with the PIN, can be used to generate codes that permit the user to receive a Bank ID. This in turn can be used to access the user's bank account or to sign up for services that involve additional factors. In this example, the additional factors were not bootstrapped from one factor, since the initial assertion of identity already involved multiple factors.
Two Schools of Thought on MFA
There are two primary perspectives on MFA, depending on whether the focus is 1) on protecting the user and the user's data, or 2) on ensuring that the user's identity is validated; that is, that the user attempting to gain access is the actual physical person they claim to be.
In the email example above, users may be primarily interested in protecting their identity and their data and may feel that going from one factor to two provides them with sufficient security. Banks, on the other hand, are interested in both protecting user data and having a high degree of confidence in the user's identity, and so have good reason to insist on MFA that goes from two factors to two.
Even though the focus of these two perspectives on MFA is different, creating a robust MFA system is generally in everyone's interest, and one of the first requirements of such a system is that it lets administrators configure multi-step authentication with factors coming from different categories. Moreover, ever-greater security requirements demand a more secure approach than just two factors can usually provide.
The Curity Identity Server has the power and flexibility to create a truly robust multi-factor authentication flow capable of producing complex layered defenses to meet an organization’s specific security needs.