2FA vs MFA: What’s the difference—in practice—and how much authentication is enough?
Access Management and MFA
2FA vs MFA: What’s the difference—in practice—and how much authentication is enough?
We hear the terms two-factor authentication (2FA), or two-factor verification, and multi-factor authentication (MFA) a lot these days – from vendors, cyber liability insurance providers, federal and industry regulators, and in security frameworks like MITRE ATT&CK. On the surface, 2FA sounds simpler and MFA sounds stronger, but often the terms get used interchangeably, and the differences seem to be nuanced or mostly semantic at times.
But in practice, 2FA and MFA should mean different things and convey different levels of advanced security. In the real world, strong authentication stems less from the number of steps required for users to authenticate into portals and applications, and more so from the type and sophistication of the techniques employed.
In this post, we’ll try to sort through some of the confusion.
2FA Evolved into MFA
In the most literal sense, adding a second factor of any kind to the authentication process constitutes a “multi-factor” approach (all 2FA is technically MFA). And, often, what we call multi-factor, or MFA, consists today of two basic steps (all MFA is at least 2FA).
In the early stages, the term “2FA” generally meant authenticating into devices, apps, and services using a password and one additional form of authentication such as a PIN or security question to verify identity. The use of a security question simply added a second degree of “something users know” in addition to their secret passwords.
Having the second factor be a PIN number or one-time passcode (OTP) sent via SMS or email added another dimension. Now, in addition to credentials, a user had to have access to the mobile phone or email account where the PIN or OTP got sent. Since “what users know” is the least secure and most exploitable pillar of authentication – what we know can be revealed, leaked, lost, or stolen – adding this second dimension of “something users have” significantly strengthened authentication.
Thus SMS-based OTPs moved us into the realm of what we now think of as MFA: the use of multiple authentication vectors – layering something users have (the right phone or PC) on top of something they know (usually passwords). This approach to MFA is considered stronger even though, technically, only two methods of authentication still get used.
Industry giants use 2FA and MFA interchangeably
Over time, major device and application providers expanded the spectrum of “something users have,” and the working definition of 2FA, to include more sophisticated options:
- Physical USB keys
- Hardware token-based devices that generate OTPs
- Previously registered mobile devices
Even with the broader scope, Apple uses 2FA and MFA somewhat interchangeably when describing two-factor authentication as:
designed to make sure that you’re the only one who can access your Apple ID account — you need to provide two pieces of information to sign in with your Apple ID to a new device or on the web:
- The first piece of information is your Apple ID password
- A security key can act as the second piece of information, instead of the six-digit verification code that is normally used
Apple recently announced support for using FIDO-certified physical security keys – “small external devices that look like thumb-drives or tags to provide extra protection against phishing or social engineering campaigns.” The company noted:
“The key replaces six-digit verification codes used in 2FA. Because you use a physical key instead of the six-digit code, security keys strengthen the two-factor authentication process and help prevent your second authentication factor from being intercepted or requested by an attacker.”
While the process Apple describes still technically consists of only two steps – and they still call it 2FA—the addition of physical keys strengthens authentication considerably. So much so that, if the physical keys get lost, users themselves may find themselves permanently locked out of accounts:
Similarly, Microsoft uses 2FA and MFA interchangeably in prescribing strong authentication into online services:
Almost all online services – banks, social media, shopping and yes, Microsoft 365 too – have added a way for your accounts to be more secure. You may hear it called “Two-Step Verification” or “Multifactor Authentication” but the good ones all operate off the same principle.
When you sign into the account for the first time on a new device or app (like a web browser) you need more than just the username and password. You need a second thing – what we call a second “factor” – to prove who you are.
Here again, the general presumption is that authentication consists of a username and password along with a token from a physical smart card or token generator. The Microsoft Authenticator app allows users to sign into accounts on new devices for the first time with two-step verification that, “uses a second step like your phone to make it harder for people to break into your account.” Microsoft also gives customers the option to create “app passwords” that bolster security on a case-by-case basis.
Raising the bar on MFA: how much is too much, or not enough?
A few years back, Microsoft stated that MFA could block over 99.9% of account compromise attacks.
Yet according to the 2021 Verizon Data Breach Investigations Report, the “human element” still factors into 82% of breaches, with lost or stolen credentials playing a prominent role:
The Verizon findings seem to indicate that whatever we’re doing in 2FA or MFA still isn’t enough to secure the login process. Some companies added even more steps to the authentication process, including biometrics that bring a third authentication vector – something users are – to bear.
Adding physical keys, tokens and biometrics (fingerprints, iris or retinal scans, voice, or facial recognition) along with credentials makes us arguably safer, but piling on too many steps starts to drive users crazy. The user experience (UX) degrades as workers waste considerable time simply authenticating into applications, sites, devices, SSO portals, and other resources all day long.
“MFA fatigue” has become a very real and alarming source of friction:
Confused, unhappy users translate into Help Desk calls, and in turn, into frustrated, unhappy IT professionals.
Users want less, regulators want more
While users complain that MFA is too complex, regulators around the world contend that it’s not complex enough. Governments worldwide have set forth mandates to upgrade authentication in federal and critical infrastructure ecosystems to create phishing-resistant MFA in the very near future.
Cyber insurance companies are or will follow suit in making phishing-resistant MFA a base requirement for coverage in the event of cyberattacks, and for good reason. Statistics bear out the claim that, while today’s MFA reduces the chance of attackers leveraging credentials to gain initial access, move laterally through your network, and compromise privileged information, it hasn’t stopped modern phishing and social engineering attacks. [Read the blog on phishing-resistant MFA.]
And so, as it stands now, MFA as we know it misses the mark by going too far or not far enough. Shortcomings of conventional approaches include:
- Only requiring additional factors when users first sign into apps or devices for the first time.
- Increasing cost with hardware-based authenticators without demonstrably improving security. Apple permits registration of up to six physical keys ranging in price from about $50 – $100 per user account.
- Adding so many steps that users complain
- Adding deployment complexity
- Not stopping modern man in the middle (MITM) phishing attacks
All of which raises the question: what else can be done about it? Where does the industry go from here?
Can passwordless MFA be the final frontier?
By now you may be asking: “Does it really even matter if we use the terms 2FA and MFA interchangeably?” The answer is yes, and no, because even with what we commonly call MFA, attackers have developed elaborate workarounds such as man in the middle (MITM) attacks in which OTPs get intercepted.
Some companies require three, four, even five steps to authenticate, and their approach may still fall victim to phishing attacks—if the foundational authentication vector is still something users know; namely, passwords. Taking user knowledge out of the mix, and users out of the secret-keeping business entirely, goes a long way toward overcoming this inherent shortfall.
Passwordless MFA can use two or more factors (it can technically be 2FA or MFA) including biometrics, asymmetric cryptography, or security keys. But as long as none of the steps require passwords, two factors is probably enough to improve security, phishing resistance, and the user experience simultaneously, and exponentially.
Removing passwords from user authentication generates three powerful benefits:
The biggest source of risk goes away. Experts estimate at least 15 billion credentials can now be obtained via hacker forums, over 5 billion of which are unique (and domain admin credentials alone can be auctioned for more than $100K). Passwordless authentication renders stolen passwords worthless.
A major source of friction disappears. Keying in passwords takes longer than pressing your thumb to a phone or slipping a key into a USB port. Employees may have dozens of credentials for online accounts, SSO portals, and a growing mix of legacy, SaaS, and mobile applications and passwords are the things that need to be remembered, rotated, and reset dozens of times throughout the year. Passwordless, especially when combined with single sign-on (SSO), saves users and IT a ton of time.
A huge chunk of cost gets eliminated. Depending on how you implement passwordless MFA, a major source of complexity, which translates into cost, goes away. For more information on how this works, check out the ROI Calculator or download the ebook, Users Love Passwordless MFA But IT is the Real Winner.
Our blog on phishing-resistance takes a closer look at why passwordless may be the final frontier for authentication, and with any luck, the last of the nuanced MFA terminology we need to define and deploy. In the meantime, we hope this post has clarified the technical and practical differences between 2FA and MFA and why these terms will soon be preceded by “phishing-resistant” or “passwordless” in the months to come.
- The terms “2FA” and “MFA” are often used interchangeably and distinctions may be semantic
- Regulators, security frameworks, and cyber insurance providers have or will begin specifying “phishing-resistant” MFA
- Eliminating “something users know” as the first step in the login process and replacing it with a combination of “something users have” and “something they are” creates stronger, phishing-resistant authentication
- Removing user passwords and password management from MFA reduces friction, MFA fatigue, and your overall security risk
Check out our Resource Center to learn more about the benefits of passwordless MFA.