The Secret Security Wiki


Multi Factor Authentication (MFA)

Multi-Factor Authentication (aka MFA) is an authentication method that requires the authenticating party (be it a person, software or a hardware module) to produce several separate identifiers (or “factors”) that are indicative to its identity, instead of the previously standard single identifier, usually a password, required by default in many systems.

Our age’s high dependency on digital services, whether business or personal, has changed the way companies and regulators see user authentication. As the threat of cyber attacks targeting authentication mechanisms specifically keep growing (most attacks on business data today leverage stolen or weak passwords to some degree [Verizon DBIR]), and countless incidents of account takeovers and data breaches are reported annually, all parties realize that standard password-dependent authentication is a huge security liability and require users and clients to use some sort of MFA.

MFA dramatically improves security since an attacker would need to gain possession of multiple identifiers at the same time, a much tougher challenge than getting a single username-password combination. The set of identifiers used to authenticate users is typically comprised of at least two different types of factors:

  • Something the user knows (i.e. a password, PIN or pattern)
  • Something the user has (i.e. a physical OTP (one-time-password) token or security USB key
  • Something the is inherent to the user (typically a biometric signature)
    Note: in some cases, location and network indicators are also used as additional authentication factors.

A common authentication scenario relying on MFA would look similar to this:

  1. A user will request access by a standard login interface, supplying a username and a password.
  2. The authentication mechanism will accept the user’s credentials and will ask for an OTP code shown on his token or mobile app.
  3. The user will enter the additional ephemeral code and gain access.

Many other combinations of identifiers can be used, including a password plus SMS-code to a registered mobile device, a passphrase plus a biometric identifier from a fingerprint sensor, a physical token plus an answer to pre-determined authentication questions, etc.

Since passwords are considered a relatively vulnerable authentication factor due to their common simplicity, shareability, and re-use, more advanced implementations of 2FA/MFA can include a combination of authentication factors that do not include passwords whatsoever. And then there is Passwordless Authentication, which negates the need for MFA since, when done correctly, is inherently multi-factor and removes the vulnerable part – i.e. the password.

Implementing MFA mechanisms dramatically boosts security in any computer systems, whether it if fully internal or outward-facing. In fact, most companies today are mandating (or at least strongly advise) the use of MFA for both employees and customers.
And since passwords have become very vulnerable users and employees are getting on board despite the added friction. Still, passwords remain the most popular form of authentication despite their clear disadvantages – they rely on human memory, they’re commonly re-used, written down, shared, stolen, or simply forgotten. The latter is especially true when an organizational policy demands a long and complex password. This is no longer advised by industry leaders and regulators, but many still believe it gives additional security regardless of evidence.

Types of Authentication Factors typically used in MFA:

Hardware tokens – these can be old-school OTP tokens with a synchronized code that changes periodically or more advanced USB security keys used in combination with standard credentials. “Hard Tokens” as they are sometimes called are very useful when there’s no cellular coverage or smartphones are banned, but they are costly, hard to distribute and replace when lost, and add obvious friction to the user experience.

Software Tokens – These are software modules implemented in mobile or desktop apps that contain a shared secret or a pre-determined code, similar to those placed in hardware keys. Software tokens are easier to deploy or replace, but also susceptible to duplication and malware attacks.

SMS – An easily implemented 2nd factor that requires a phone and network coverage. SMS has been wildly used until determined unsafe due to common attacks against the cellular network.

Digital cryptographic certificate – A digitally signed file issued by a certificate authority, that is saved on user’s devices.

Other authentication factors that are more commonly integrated rather than being used separately are biometric signatures, behavioral authentication, location signals, or network data.

  • What is multi-factor authentication?

    MFA is an authentication scheme that requires the access-requesting party (typically a user, but can also be software or a machine) to produce multiple identifiers – multiple factors – in order to be authenticated.

  • Which factors can be used as multi factor authentication?

    Identifiers used to authenticate users can include something the user knows (i.e. a password, knowledge-based authentication questions, etc.), something the user has (i.e. a physical one-time passwords (OTP) generator device, a registered mobile device or computer, etc.) or something the user is (biometric data such as fingerprint, face, unique behavioral patterns, etc.).

  • Which is the strongest form of multi factor authentication?

    The strongest factors are those that are hardest to steal or forge. Physical authenticators are hard to steal and forge. Biometric signatures are hard to forge, and when implemented properly, can be difficult to steal. Passwords on the other hand are notoriously vulnerable and in many cases considered easy to steal and forge.