Multi-factor authentication (MFA) is an approach that applies several security layers to protect data and applications. It requires a user to perform authentication using two or more types of credentials to verify their identity before they are allowed to log into a system.
MFA hardens security by ensuring that if one credential or authentication method gets compromised, unauthorized users cannot access a computing device, database, network, or physical space, because they cannot meet the second authentication requirement.
Common authentication methods used in MFA systems include knowledge-based factors (such as passwords), physical factors (such as mobile devices), inherent factors (such as a user’s face or fingerprint), and location factors (such as the user’s IP address or inferred geolocation).
In this article:
- Why Is Multi-Factor Authentication Important?
- How Does Multi-factor Authentication Work?
- Common MFA Types and Methods
- MFA: Benefits and Challenges
- What Is Adaptive MFA?
- MFA and SSO
- MFA: 4 Tips for Successful and Secure Deployments
Why Is Multi-Factor Authentication Important?
Traditional logins based on a user ID and password can be easily compromised, either by tricking employees into disclosing their credentials through social engineering, or through brute force attacks. A malicious individual can use automated tools to guess username and password combinations, and can use previously compromised credentials or dictionaries of common passwords to shorten the search.
Locking out accounts after a certain number of incorrect login attempts can improve security, but there are many other ways attackers can gain unauthorized access to a system protected only by passwords. Multi-factor authentication is widely recognized as a way to reduce these risks, because it removes the reliance on a single, relatively weak security measure: the password.
How Does Multi-Factor Authentication Work?
MFA technology works by requiring multiple forms of identification from a user during account registration. The system stores this information and uses it to verify the user during login attempts. It turns any login attempt into a multi-step process that helps verify identification information and the associated password.
Here are the main steps in the MFA process:
A user creates an account with a username and a password and adds to their account other identification factors, like a mobile device or physical hardware fob, a mobile number, an authenticator app code, or an email address. Since these additional factors help to identify users, they must never share them with others.
When a user logs into a system protected by MFA, they are prompted to provide the following:
- The first factor consists of what users know, such as username and password.
- The second factor requires what users have, such as a one-time password from a mobile device.
What this essentially means is after the system verifies the password, it attempts the second authentication factor. For instance, it can send a code by SMS to the user’s registered mobile device or issue a number code to the user’s hardware device.
To complete the authentication process, the user must verify their identity using the second authentication factor. For instance, they can press a button on their mobile device or enter the code they received from the system. The user can access the system only after the MFA process verifies all the other information.
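As an added example (not code from the original article or from Frontegg), the two-step check described above with a TOTP authenticator app as the second factor: the password is verified first, and only then is the one-time code checked, with a small clock-skew window and protection against reusing a code. It assumes a dict stands in for the user store and uses a demo password hash.

```python
import hashlib
import hmac
import struct

# Constructed user store (assumption: a dict stands in for the real database).
# The TOTP seed is the RFC 6238 test-vector seed; the password hash is a plain
# SHA-256 for demo purposes only (production code uses bcrypt/argon2).
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_seed": b"12345678901234567890",
        "last_used_step": -1,  # highest time step already accepted (anti-replay)
    }
}

def totp_code(seed: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte time step, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def verify_totp(user: dict, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current 30-second step or +/- `window` steps of
    clock skew, but never a step at or below the last accepted one."""
    step = now // 30
    for candidate in range(step - window, step + window + 1):
        if candidate <= user["last_used_step"]:
            continue  # already consumed: an intercepted code cannot be replayed
        if hmac.compare_digest(totp_code(user["totp_seed"], candidate), code):
            user["last_used_step"] = candidate
            return True
    return False

def login(username: str, password: str, code: str, now: int) -> str:
    """First factor (what the user knows), then second factor (what they have).
    Returns 'denied', 'mfa_required' or 'granted'."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(pw_hash, user["password_hash"]):
        return "denied"        # the second factor is never consulted
    if not verify_totp(user, code, now):
        return "mfa_required"  # password correct, possession factor failed
    return "granted"
```

The seed is the published RFC 6238 test vector, so the codes it produces can be checked against the RFC's own table.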
Common MFA Types and Methods
Knowledge-based MFA is based on memorized information such as passwords and personal PINs. The user can be asked for a piece of information only they know—this can include application passwords, network passwords, a smartphone lock pattern, or security questions drawn from the user’s personal life.
Advantages of this approach: Inexpensive to implement, is highly customizable for individual users, and passwords or secrets are easy to change.
Disadvantages of this approach: Users can easily forget their passwords, credentials can be stolen if not recorded or stored securely, and in many cases secrets selected by users can be found in publicly available databases. This method can also be vulnerable to phishing.
Physical MFA tools are based on physical objects a user carries to verify their identity. Examples include a physical token (also known as a fob), an access control app installed on the user’s smartphone, a government-issued ID, or a FIDO2 security key (based on the WebAuthn specification, using public key cryptography).
Advantages of this approach: Physical tokens come at various prices with varying functionality, letting the organization choose a solution that meets its needs and budget. At least theoretically, physical MFA tokens are immune to phishing attacks. This means they are much more secure compared to knowledge-based authentication.
Disadvantages of this approach: Some tokens are small and users can easily lose them. They can be damaged by improper storage and maintenance, and in some cases might be poorly manufactured, leading to malfunctions. Some solutions are expensive and might require a large upfront investment.
Inherent MFA tools don’t require special knowledge or a physical key; instead they use the user’s unique physical presence. This type of verification can identify physical features such as fingerprints, handprints, voice, the shape of the iris, or the user’s face, using machine learning (ML) algorithms to find a match between a stored image or audio file and a current biometric measurement.
Advantages of this approach: Considered highly secure and convenient for users.
Disadvantages of this approach: Requires advanced technology to properly capture and identify a user’s inherent features, might be expensive and could malfunction at times. Increasingly, attackers are finding ways to fake biometric measurements.
It is common for Internet services, such as web-based email or streaming services, to deny access or require extra authentication based on the user’s current location. Location-based MFA tools evaluate whether a user is in the expected location or on the expected device. They might use the IP address, geolocation services, or other techniques to identify the user’s location.
Advantages of this approach: Relatively inexpensive to implement and difficult for attackers to forge. Does not require a user to memorize a secret or keep a physical device.
Disadvantages of this approach: Can violate user privacy, or require user consent to share their location. This method can also lead to false positives—for example, blocking access when a legitimate user is on the road or traveling abroad.
Common MFA Mechanisms
Here are some common factors used in MFA implementations:
- Push notifications – a user receives a push notification to a pre-registered device, typically via a mobile device. The user can immediately allow or deny account access.
- SMS notifications – a user receives a one-time code over SMS, and is prompted to enter this code before they are allowed access.
- Voice notifications – the system establishes an automated voice call. In this call, a code is relayed to the user, which they are asked to type in for authentication.
- One-time passwords (OTP) – users install an authentication app, such as Google Authenticator, on their personal device. The app generates an OTP that changes with every access attempt, and can be entered as a second authentication factor.
- Web authentication with security keys – users can authenticate themselves using FIDO-compliant security keys, such as YubiKey or Google Titan.
- Web authentication with device biometrics – users leverage authentication mechanisms built into their devices, such as MacBook Touch Bar, Windows Hello, iOS Touch ID or Face ID, and Android’s fingerprint or face recognition.
- Email notifications – users are sent a one-time password via email when they don’t have other authentication factors available.
MFA Benefits and Challenges
MFA provides organizations with many important benefits, including:
Although not a security tool in the strict technical sense, MFA is an important line of defense for organizations because it allows only fully authenticated users to access systems and networks.
Applying one or more elements of MFA through one-time passwords (OTP), biometric indicators, or physical hardware keys makes it more difficult for cybercriminals to gain access to your system by impersonating legitimate users. Not only does this mean that cybercriminals must find alternative approaches to gaining unauthorized access, it also means that existing security measures are more likely to detect and block such activity.
Accessibility for Remote Workers
The widespread shift to hybrid and remote work exposes organizations to cyberattacks and disruptions as employees access corporate applications, documents, and data through private networks and devices. At the same time, employees experience login fatigue when they have to log in to multiple accounts in a single work session.
Combined with technologies such as single sign-on (SSO), MFA adds an additional layer of security and simplifies the sign-in process for legitimate users. Once a user is authenticated with SSO, the system automatically logs them in, allowing them to access multiple systems without having to log in to each one individually.
Improved Regulatory Compliance
Enterprise data and identity security is becoming increasingly important for companies operating in high-risk industries such as healthcare, education, medical research, finance, and military defense. In many organizations, cybersecurity and specifically access control is lacking.
Multi-factor authentication is often required to comply with industry regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) is a regulatory standard for organizations operating in the credit card industry. It requires MFA to prevent unauthorized users from accessing credit cardholder systems.
What Is Adaptive MFA?
MFA provides additional security, which can sometimes come at the expense of convenience. For example, ownership-based authentication factors require the user to own and use a physical device as part of the authentication process.
In some cases, businesses may decide that MFA is not required in certain low-risk situations, but is required in other, higher-risk situations. For example, if a user is working in the company’s office, they can use password-based authentication, but remote workers may need improved security provided by MFA.
Adaptive MFA supports this by letting organizations define rules for their authentication process. These rules typically use contextual information (such as the user’s location, the current time, or the user’s role) to determine the level of risk. Depending on the resulting security context, applications may choose to authenticate users with or without MFA.
MFA and SSO
Single sign-on (SSO) is an authentication method that allows users to access multiple related applications and services using one set of login credentials. When a user logs in once, the SSO solution authenticates the user’s identity and generates a session authentication token. This token is used as a single security key for multiple applications or databases.
To reduce the risk of relying on a single set of login credentials for multiple applications, organizations often require adaptive authentication for SSO. This applies adaptive authentication capabilities to SSO scenarios. If a user logging in via SSO, or already inside an SSO session, exhibits unusual behavior, they are prompted to provide an additional authentication factor. Examples of anomalous behavior include connecting over an unrecognized VPN, or accessing additional applications or data that the user’s session authentication token does not cover.
In a zero trust network security architecture, a user’s identity is never trusted and is always verified using a combination of adaptive SSO and MFA for authentication. Adaptive SSO and MFA improve access management, without compromising user experience, by continuously verifying user identity across sessions and requiring an additional risk-based authentication factor.
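As an added example (not code from the original article or from Frontegg), a small rule-based policy of the kind described under adaptive MFA and adaptive SSO above: each contextual signal (network, location, time, role, and whether the requested application is covered by the session token) adds a risk weight, and the second factor is demanded when the total reaches a threshold. The rule names, weights, threshold and network labels are assumptions for this example, not any vendor's defaults.

```python
from dataclasses import dataclass, field

@dataclass
class LoginContext:
    role: str             # e.g. "employee" or "admin"
    network: str          # "office", "home" or "unknown_vpn" (constructed labels)
    country: str          # ISO code inferred from IP geolocation
    hour: int             # local hour of the attempt, 0-23
    requested_app: str    # application the user is trying to reach
    apps_in_token: tuple  # applications the SSO session token already covers

@dataclass
class Decision:
    require_mfa: bool
    score: int
    reasons: list = field(default_factory=list)

# Policy values are assumptions for this example, not a vendor default.
TRUSTED_COUNTRIES = {"US", "DE"}
WORK_HOURS = range(7, 20)
MFA_THRESHOLD = 2

# (rule name, weight, predicate): each firing rule adds risk; MFA is
# required once the total reaches MFA_THRESHOLD.
RULES = [
    ("remote network", 2, lambda c: c.network != "office"),
    ("unrecognized VPN", 3, lambda c: c.network == "unknown_vpn"),
    ("untrusted country", 3, lambda c: c.country not in TRUSTED_COUNTRIES),
    ("outside work hours", 1, lambda c: c.hour not in WORK_HOURS),
    ("privileged role", 2, lambda c: c.role == "admin"),
    ("app not covered by session token", 3,
     lambda c: c.requested_app not in c.apps_in_token),
]

def evaluate(ctx: LoginContext) -> Decision:
    """Sum the weights of the rules that fire. The same function serves the
    initial login and a mid-session step-up when a new app is requested."""
    reasons = [name for name, _, pred in RULES if pred(ctx)]
    score = sum(w for name, w, _ in RULES if name in reasons)
    return Decision(require_mfa=score >= MFA_THRESHOLD, score=score, reasons=reasons)
```

An office login during work hours passes on the password alone, while the same user from home, over an unknown VPN, or asking for an application outside their current token is stepped up to MFA.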
MFA: 4 Tips for Successful and Secure Deployments
Avoid Vulnerable MFA Factors
The main purpose of MFA is to implement a solution that actually makes authentication more secure. Systems using SMS OTP, email magic links, push notifications, and voice calls can all be attacked through various techniques.
The National Institute of Standards and Technology (NIST) recommends deploying MFA with authentication factors that are not vulnerable to phishing and other credential theft attacks. This includes removing passwords as much as possible, leveraging public/private key cryptography, and eliminating other common vulnerabilities.
Separating MFA Processes from Identity Providers
Organizations often use multiple identity providers (IdPs). Many IdPs offer their own MFA, but they may not meet an organization’s security standards. This also means users have to learn multiple login methods using multiple authenticators. By decoupling authentication from identity providers, you can better control the MFA process and provide a unified experience for users.
Provide Secure Offline Authentication
The new reality of remote work means many users must authenticate over poorly secured or unsecured public networks. This makes it critical to use a shared secret model. For example, a PIN stored on a security token allows users to securely identify themselves offline and access the systems they need.
Make Employees Part of the Process
Deploying MFA is not just about technology—it is about people as well. Organizational changes, such as the introduction of new authentication systems, often fail because management does not include employees in the process. This can lead to resistance and lack of cooperation.
When an organization first decides to implement MFA, it is important to get employees involved. Ask for their opinions and address their concerns. Keeping an open line of communication during the MFA rollout will help get more user support.
For example, an organization can educate users about how attackers might abuse user accounts, and the benefits of adding MFA to the login process. Make sure users are trained on the new workflow, and don’t assume everyone will understand how to use the additional authentication steps out of the box. Familiarity with the process can also reduce user anxiety and resistance to change.
Authentication for SaaS with Frontegg
Frontegg’s solution provides flexible authentication as a service for all use cases: starting from powerful user-based authentication, including authentication protocols such as OAuth, OpenID Connect, SAML and WebAuthn, all the way to granular security policies such as MFA, user lockouts, device verification and much more.