What Is Multi-factor Authentication?

Cybersecurity is constantly gaining importance. As people conduct more and more of their lives online, they need access to systems that they can trust to protect their information. User authentication tends to be one of the greatest challenges of security because it will always rely to some extent on users who are not experienced with security. Multi-factor authentication provides a powerful solution.

Multi-factor Authentication

In digital security, authentication is the process of establishing that a user is who he or she claims to be. The majority of systems require a username and password to authenticate the user. If used alone, this could be a single factor authentication. What is multi-factor authentication? you may ask. Multi-factor authentication is the process of establishing the user’s identity using multiple factors.

For example, to withdraw cash from a bank account, you need several factors of authentication. You need to have the bank card (debit or ATM card), you need to know the PIN and you need to be in an authorized location (and ATM or a bank). Although it is still possible to defeat this security, it is substantially stronger than just a username and password because an attacker would need to defeat multiple factors.

Understanding the Factors

Most people follow a model of three factors (sometimes a fourth is added). These are the main three and what they mean:

Something You Know: The user needs to know some secret information to authenticate. This is typically a password or PIN. Although the user also needs to know his or her username, this is not treated as secret information. So, a username alone would not be considered an authentication factor.

Something You Have: The user needs to have something to prove his or her identity. As mentioned above, this could be a debit card, key or another similar physical item. For online systems, the most common iteration of this factor is a mobile phone. The mobile app gives you a temporary code to log in to the system. Alternatively, a code could be sent via SMS, but this is considered less secure. Some organizations also achieve this with a dedicated token that can produce a one-time code.

Something You Are: The user needs to provide some inherent characteristics. This could be something biometric such as a fingerprint or retina scan. Often, your location (on a certain computer network or at a designated terminal) is also included in this factor. However, somewhere you are may also be considered a fourth factor.

The Benefits of Using MFA

The key benefit of using multi-factor authentication is that it increases the challenge of attacking a system. Doubling up on the same factor would not achieve the same benefits. For example, if you were to have two passwords, it would only make attacking the system slightly more challenging. Phishing, keylogging and brute password decrypting would still be highly effective.

However, MFA makes each of these attacks insufficient on their own. If a hacker was to capture a password and one-time code from a mobile app, he or she would still be unable to log in to the system because the one-time code would immediately become invalid. Therefore, two separate attacks are necessary.

How It Works in Practice

The most common variant of MFA is using a password and a one-time code. This is best implemented as a mobile application. However, some systems use SMS or email (both of these can be spoofed by an attacker to trick the user).

Another common variant of MFA is using a combination of a PIN and a physical card. As mentioned, this is used by banks. It is also common for accessing secure rooms such as servers in businesses. For extremely secure locations, a fingerprint may also be necessary. Retinal scanners are less common, but also effective.

Learn More

Discover more about multi-factor authentication and how you could use it to protect your business’s IT resources.