What is multi-factor authentication (MFA)?

Need to strengthen authentication

Traditional password-only authentication is vulnerable to many risks. Passwords can be weak, easy to guess, reused across multiple sites, and can be stolen through phishing attacks, keyloggers or data leaks from sites. MFA adds an extra layer of security, making it so that even if an attacker knows a user’s password, they will still need at least one additional factor to gain access to the account.

Categories of authentication factors

There are three main categories of authentication factors, and MFA requires the use of at least two of them:

• Something you know (Knowledge factor): Information known only to the user, such as password, PIN, answer to a security question.
• Something you own (Possession factor): A physical object owned by the user, such as a cell phone (for receiving SMS codes or push notifications), a hardware token that generates one-time passcodes (OTP – One-Time Password), a smart card, a USB security key (e.g. YubiKey).
• Something You Are (Inherence factor): Unique biometric characteristics of the user, such as fingerprint, iris or retina scan, facial recognition, hand geometry, voice pattern.

Two-factor authentication (2FA) uses two factors from different categories. MFA can use two or more factors.

Examples of MFA implementations

In practice, MFA can be implemented in a variety of ways:

• Password + SMS code: The user enters a password and then enters a one-time code received by SMS to the registered phone number. (A popular method, but considered less secure due to the risk of SMS interception).
• Password + code from authentication app: The user enters a password and then enters a one-time code (TOTP – Time-based One-Time Password) generated by a special application on a smartphone (e.g. Google Authenticator, Microsoft Authenticator, Authy).
• Password + push notification: the user enters the password, and then must approve the login on a notification sent to their smartphone via the authentication app.
• Password + USB security key: the user enters the password, and then must insert the USB key into the port and tap it. This is one of the most secure methods.
• Password + Biometrics: The user enters a password and then confirms identity with a fingerprint or facial scan on their device.
• Passwordless login with MFA: Login methods that do not require a password, but are still based on a number of factors, such as using a security key or biometrics in conjunction with a registered device, are becoming increasingly popular.

The importance of MFA for security

Implementing MFA is now considered one of the most important and effective methods of protecting user accounts and systems from unauthorized access. It makes it significantly more difficult to take over an account even if the password is compromised. It is a standard security recommendation for all online services, especially those storing sensitive data.

Summary

Multi-factor authentication (MFA) is a key security mechanism that requires users to present at least two different pieces of ID when logging in. By adding additional layers of verification, MFA significantly increases the protection of accounts against unauthorized access compared to traditional password-only authentication. Implementing MFA is now a standard of good practice in cybersecurity.