Multi Factor Authentication

Multi-Factor Authentication Examples: MFA in the Wild

In today’s world where cyber threats are becoming increasingly sophisticated and prevalent, traditional password-based authentication is no longer enough to ensure the security of online accounts and systems. Multi-factor authentication (MFA) has emerged as a crucial tool in fighting off cyber threats, offering an additional layer of security by requiring users to provide more than one form of identification to access their account. 

MFA can be implemented in many ways, including something the user knows, something the user has, and something the user is. In this article, we’ll explore examples of multi-factor authentication implementation in real life—including common authentication factors used in MFA systems, practical approaches to deploying MFA, and common MFA use cases.

Examples of MFA Types 

MFA can make use of four main authentication types:

Identification Through What the User Knows

In this type of authentication, users are required to provide information that only they are expected to know. Some common examples of this type of authentication include:

  • Passwords: Users are asked to provide a password, typically a string of characters that they have chosen themselves. This is the most widely used first authentication factor, and also the one most often phished, guessed, or reused from a breach of another site.
  • Security questions: Users are asked to answer one or more personal questions, such as their mother’s maiden name or the name of their first pet. This is typically used in account-recovery flows when a user forgets their password. Because the answers are often discoverable from public records or social media, security questions are a weak control and should not be relied on as a second factor.
  • Personal Identification Numbers (PINs): Users are asked to provide a numerical code that they have chosen themselves. PINs are commonly used with ATM cards and other financial systems, where the card supplies the possession factor and the PIN the knowledge factor.
  • Knowledge-based authentication (KBA): Users are asked for facts about their personal life that only they are expected to know, such as the address they lived at 10 years ago or their high school graduation year. These facts are frequently available from data brokers and breach dumps, so KBA offers limited assurance.

Knowledge factors are the cheapest to deploy but the easiest to steal. Stacking two of them, such as a password plus a security question, does not make a login multi-factor: both are things the user knows, and an attacker who has phished one can usually obtain the other. The added security of MFA comes from combining a knowledge factor with a factor from a different category, described below.

Identification Through Something the User Possesses

In this type of authentication, the user is required to present an object that they physically possess in order to prove their identity. Some common examples of this type of authentication include:

  • Security tokens: These are small physical devices that generate one-time passwords, either counter-based (HOTP) or time-based (TOTP), which are used in conjunction with a password to provide an additional layer of security. The user must have the token in their possession in order to access a system or network.
  • Smart cards: These are credit card-sized devices that contain a microprocessor and a secure storage area for a private key or other sensitive information. Users must physically insert the smart card into a card reader, and usually enter a PIN, in order to prove their identity.
  • Mobile devices: Mobile phones or tablets can serve as a possession factor. Users receive a one-time code via text message, or generate one in an authenticator app, which they must enter in order to access a system or network. SMS codes are the weakest option here: they can be diverted by SIM swapping, and both SMS and app-generated codes can be captured and relayed in real time by a phishing site. Push-based approval in an app is more convenient but is exposed to “MFA fatigue”, where an attacker who already has the password sends prompts until the user approves one.
  • USB security keys: These are small physical devices that the user inserts into a USB port on their computer. The key holds a private key and signs a challenge from the service (FIDO2/WebAuthn or U2F); the service verifies the signature against the public key registered at enrollment. Because the signature is bound to the website’s origin, a phishing site cannot reuse it, which makes security keys the most phishing-resistant factor on this list.

By requiring something that the user possesses in addition to a password or other form of identification, MFA makes it more difficult for attackers to gain unauthorized access to a system or network, even if they have obtained information the user knows, such as their password or the answer to their security question.

Identification Through Who the User Is

This type of multi-factor authentication uses unique biological characteristics to verify the identity of an individual. Some common examples of this type of authentication include:

  • Fingerprint recognition: Users place their finger on a sensor, which reads their unique fingerprint patterns. This information is then compared to a stored image of the user’s fingerprint to verify their identities.
  • Facial recognition: Users look into cameras, and the software analyzes the unique characteristics of their faces, such as the distance between their eyes, the shape of their nose, and the contours of their cheekbones. This information is then compared to a stored image of the user’s face to verify their identities.
  • Voice recognition: The users speak a specific phrase, and the software analyzes the unique characteristics of their voice, such as the pitch, rhythm, and accent. This information is then compared to a stored sample of their voices to verify their identity.
  • Iris recognition: The users look into a camera, and the software analyzes the unique pattern of the iris in their eyes. This information is then compared to a stored image of the iris to verify their identity.

Biometric authentication provides an additional layer of security, and a biometric cannot be forgotten or left at home the way a password or security token can. The trade-offs are that a biometric cannot be changed if its stored template leaks, that sensors can be fooled by presentation attacks such as a photo or a lifted fingerprint, and that matching is probabilistic, so each system tunes a threshold between false accepts and false rejects. For these reasons the biometric usually stays on the user’s own device and unlocks a local credential, such as a passkey or the phone’s authenticator, rather than being transmitted to the server.

Identification Through Location and Time

Location and time are contextual signals rather than authentication factors in their own right: they cannot prove who the user is, but they can restrict where and when access is granted and feed the risk decisions described later in this article. Some common examples of this type of control include:

  • Geolocation: The user’s location is derived from the IP address, from GPS or other geolocation technology on the device, or both. The system or network verifies that the user is accessing it from an approved location before granting access. Coordinates reported by the client are under the client’s control, so IP-based geolocation, though coarser, is the harder one to forge.
  • Time-of-day restrictions: The system or network is configured to only allow access during certain times of the day. For example, access might only be allowed between 9 AM and 5 PM.
  • Time-based one-time passwords (TOTP): The user enters a one-time password computed from the current time. TOTP is often listed under “time” because the code changes, typically every 30 seconds, but the underlying factor is possession: the code is derived from a secret shared between the server and the user’s device, and the time only selects which code is currently valid. The server accepts a small window of adjacent time steps to tolerate clock drift, and the user must submit the code within that window.
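The following is an added example of how the token and TOTP factors described above work on the server side; it is not code from the original article or from Frontegg. It implements RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library, and the verifier shows the two details that distinguish a safe implementation from a naive one: a constant-time comparison and a replay check that refuses to accept a time step at or before the last one already used. `RFC6238_TEST_SECRET` is the RFC’s published test secret, used here as a constructed input rather than a real credential.

```python
"""Server-side TOTP (RFC 6238) enrolment and verification.

Added example, not code from the original article or from Frontegg. It uses
only the Python standard library. RFC6238_TEST_SECRET is the published test
secret from the RFC, used here as a constructed input, not a real credential.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

STEP = 30        # seconds per time step; 30 s is the common default
DIGITS = 6
WINDOW = 1       # accept one step either side of "now" to absorb clock drift

# The RFC 4226 / RFC 6238 test secret "12345678901234567890", base32-encoded.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret() -> str:
    """Generate a fresh 160-bit shared secret, base32-encoded for the enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // STEP)


def verify_totp(secret_b32: str, code: str, last_counter: int,
                at: Optional[int] = None) -> Tuple[bool, int]:
    """Verify a submitted code against the shared secret.

    Returns (accepted, counter_to_store). `last_counter` is the time step of the
    last code this user successfully used (-1 if none yet). Two details matter:
      * compare_digest keeps the comparison constant-time, so response timing
        does not leak how many digits were correct;
      * a code is only accepted for a step newer than last_counter, so a code
        captured by a phishing page or a shoulder-surfer cannot be replayed
        inside the drift window.
    """
    if not (code.isdigit() and len(code) == DIGITS):
        return False, last_counter
    t = int(time.time()) if at is None else at
    now_counter = t // STEP
    for delta in range(-WINDOW, WINDOW + 1):
        candidate = now_counter + delta
        if candidate <= last_counter:
            continue  # already used, or older than a code already accepted
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    secret = new_secret()
    print("enrol with secret:", secret)
    print("current code:", totp(secret))
```

With a six-digit code and a window of three steps, a single guess succeeds with probability 3 in a million, so the verifier must also be rate-limited per user; without that, an attacker who holds the password can simply iterate through the code space. The stored `last_counter` is what turns a captured code into a one-shot credential rather than a 90-second one.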

Examples of MFA Approaches 

Here are commonly used MFA approaches, each of which strikes a different balance between usability and security:

Always on Approach

With this approach, MFA is required for every login, transaction, and access request. This provides the highest level of security, as it requires multiple forms of identification from the user before access is granted. 

The main disadvantage of this approach is that it can be time-consuming and cumbersome for users, who must complete the MFA process for every action they take within the system or network. This approach is best suited for systems or networks that require the highest level of security, such as financial systems or government networks.

Opt-in Approach

With this approach, MFA is optional and only required when a user wants to access a particularly sensitive resource or perform a high-risk transaction. This approach provides a good balance between security and ease of use, as users can choose when they want to complete the MFA process. 

The main disadvantage of this approach is that it relies on users to make informed decisions about when to use MFA, which can be challenging if they are not well-versed in security best practices. This approach is best suited for systems or networks that need to balance security and user convenience.

Step-up Authentication

With this approach, MFA is required only when the system judges a login or access request to be high risk, for example a sign-in from an unrecognized device or a new country, an impossible-travel pattern between two requests, or a request to perform a sensitive action such as changing a password or adding a payee. This provides a higher level of security than the opt-in approach, because the decision is made by policy rather than left to the user, and low-risk sessions are not interrupted.

The main disadvantage of this approach is that it requires reliable risk signals and well-tuned scoring rules, sometimes backed by machine learning models, to decide accurately when MFA is necessary; these can be complex to implement and maintain, and a poorly tuned policy either challenges everyone or misses real attacks. This approach is best suited for systems or networks that need to balance security and ease of use, and organizations with the resources to adopt these technologies.

Time-Sensitive Re-Verification

With this approach, MFA is required periodically, such as once a day or once a week, to verify the user’s identity. This approach is useful for maintaining security over a long period of time, as it requires the user to complete the MFA process periodically even if they have already been granted access to the system or network. 

The main disadvantage of this approach is that it can be disruptive to users who are actively using the system or network and are suddenly required to complete the MFA process. This approach is best suited for organizations that need to maintain a high level of security over a long period of time and have the resources to adopt the necessary technologies.
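The step-up and time-sensitive re-verification approaches above are both policy decisions over the same session state, so one example serves both. The code below is added here and is not Frontegg’s code or code from the original article: it evaluates a request against a session and returns the list of reasons a fresh MFA challenge is needed (an unrecognized device, impossible travel, a sensitive action without recent MFA, or MFA proof older than the re-verification period). The signal names, thresholds, coordinates and sample sessions are assumptions constructed for illustration; a real deployment would tune them to its own telemetry and fill the session from its store and IP geolocation.

```python
"""Risk-based step-up and time-sensitive re-verification policy.

Added example, not Frontegg's code or code from the original article. The
signals, thresholds, coordinates and sessions below are assumptions
constructed for illustration; a real deployment tunes them to its own
telemetry and feeds them from the session store and IP geolocation.
"""
import math
from dataclasses import dataclass
from typing import List, Optional

MFA_MAX_AGE = 24 * 3600         # re-verify at least once a day (time-sensitive re-verification)
SENSITIVE_REAUTH_AGE = 5 * 60   # sensitive actions need MFA proof no older than 5 minutes
IMPOSSIBLE_SPEED_KMH = 900.0    # faster than a commercial flight between two requests
SENSITIVE_ACTIONS = {"change_password", "add_payee", "export_data", "disable_mfa"}


@dataclass
class Session:
    user: str
    mfa_verified_at: Optional[int]   # Unix time of the last successful MFA, None if never
    known_devices: List[str]         # device identifiers verified before
    last_seen_at: int                # time and location of the previous request
    last_lat: float
    last_lon: float


@dataclass
class Request:
    device_id: str
    at: int
    lat: float
    lon: float
    action: str = "read"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def mfa_age(session: Session, now: int) -> Optional[int]:
    """Seconds since the last MFA proof, or None if the user never completed MFA."""
    return None if session.mfa_verified_at is None else now - session.mfa_verified_at


def step_up_reasons(session: Session, req: Request) -> List[str]:
    """Return the signals that demand a fresh MFA challenge; an empty list means allow."""
    reasons = []
    age = mfa_age(session, req.at)
    # Time-sensitive re-verification: the MFA proof is missing or older than policy allows.
    if age is None or age > MFA_MAX_AGE:
        reasons.append("mfa_stale")
    # Step-up: a device this user has never been verified from.
    if req.device_id not in session.known_devices:
        reasons.append("new_device")
    # Step-up: impossible travel since the previous request.
    elapsed_h = max(req.at - session.last_seen_at, 1) / 3600.0
    distance = haversine_km(session.last_lat, session.last_lon, req.lat, req.lon)
    if distance / elapsed_h > IMPOSSIBLE_SPEED_KMH:
        reasons.append("impossible_travel")
    # Step-up: the action is high-risk, so recent MFA proof is required regardless of context.
    if req.action in SENSITIVE_ACTIONS and (age is None or age > SENSITIVE_REAUTH_AGE):
        reasons.append("sensitive_action")
    return reasons


def requires_mfa(session: Session, req: Request) -> bool:
    return bool(step_up_reasons(session, req))


if __name__ == "__main__":
    # Constructed sample: "alice" completed MFA from device dev-1 in London at t=1700000000.
    alice = Session("alice", 1_700_000_000, ["dev-1"], 1_700_000_000, 51.5074, -0.1278)
    for req in (
        Request("dev-1", 1_700_000_600, 51.5074, -0.1278),                      # same device, same city
        Request("dev-1", 1_700_001_800, 35.6762, 139.6503),                     # Tokyo 30 minutes later
        Request("dev-2", 1_700_000_600, 51.5074, -0.1278, action="add_payee"),  # new device, sensitive action
    ):
        print(req.device_id, req.action, "->", step_up_reasons(alice, req) or "allow")
```

Returning the reasons rather than a bare boolean is deliberate: the list goes into the audit log and lets the team see which signal fires most often, which is how the thresholds get tuned without either challenging everyone or missing the unusual sign-in that matters.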

Examples of Multi-Factor Authentication Use Cases 

Remote Access to Company Resources 

MFA can be used to authenticate remote users who are accessing the company’s network or systems from outside the office. For example, employees who work from home or are on the road may need to access company resources, such as email inboxes or internal databases. To secure these resources, the company can implement MFA, requiring the employee to provide a password and a one-time code sent to their mobile phone, for example. This provides an additional layer of security beyond a password and helps to prevent unauthorized access to the company’s resources.

Logging into Proprietary Software

For software that contains confidential information or provides access to sensitive systems, MFA can be used to ensure that only authorized users are able to log in. For example, a user may be required to enter a password and provide a second form of authentication, such as a security token or biometric data, in order to log into a proprietary software system.

Logging into a Bank Account

When logging into a bank account, MFA can be used to ensure that only the account owner is able to access the account. For example, a user may be required to enter a password and provide a second form of authentication, such as a one-time code sent to their phone or a biometric scan, in order to log into their bank account. This helps prevent unauthorized access to sensitive financial information and helps protect against fraud.

Authentication and Authorization with Frontegg

The industry standard today involves the use of authentication providers to “build the door”, but what about Authorization (the door knob)? Most authentication vendors don’t go that extra mile, forcing SaaS vendors to invest in expensive in-house user management development. This often leads to delays in core technology development, which negatively impacts innovation and time-to-market (TTM) metrics. 

Frontegg’s end-to-end user management platform allows you to authenticate and authorize users with just a few clicks. Integration takes just a few minutes and a few lines of code, thanks to its plug-and-play nature. It’s also multi-tenant by design and self-served by nature, something that helps reduce friction and improves user satisfaction. Also, all roles and permissions can be managed via a centralized dashboard. It’s really that easy.
