What Is MFA?
MFA stands for multi-factor authentication. It requires a user to present multiple authentication factors when logging into a website or service. These factors can be linked to something they know, something they have and/or something that is inherent to them (such as a fingerprint).
Multi-factor authentication is a means of online identity verification. Companies use it to protect against fraudulent login activity and thus, account takeovers. It is more secure than using just a username and password and, as we’ve seen in the past few years, it’s becoming more and more widespread in the online world.
With MFA, the user must use two or more factors to verify their digital identity. The role of these factors is to have the software confirm that the user is who they claim to be. By using MFA to make the login process more complex, companies can enhance their security to deter fraudsters and other cybercriminals.
What Is 2FA (Two-Factor Authentication)?
Two-factor authentication is a type of multi-factor authentication that involves two factors specifically. In other words, there are two things that the customer needs to provide, prove or share – such as a password, a fingerprint scan, or a scan of one’s iris.
MFA vs 2FA
The terms “multi-factor authentication” (MFA) and “two-factor authentication” (2FA) are often used interchangeably, but they are not the same thing. As the term implies, 2FA is a form of MFA where exactly two factors are used to authenticate the user. MFA, meanwhile, might use two factors but it might also use more. In other words, all 2FA is MFA. But not all MFA is 2FA.
It might be easier to understand the differences between MFA and 2FA by comparing the two directly. Let’s break it all down:
Multi-Factor Authentication | Two-Factor Authentication |
--- | --- |
Uses two or more factors to confirm the user’s ID | Uses exactly two factors to confirm the user’s ID |
A combination of two or more of: something the user knows, something the user has and something inherent to the user | Requires two factors, selected from something the user knows, something the user has and something inherent to the user |
Offers heightened protection against fraudulent logins, compared to using just usernames and passwords, with additional protection from each extra factor | Offers heightened protection against fraudulent logins, compared to using just usernames and passwords |
What Is Passwordless Authentication?
Passwordless authentication describes any login method in which a user can log into a website or service without needing to use a password. Instead, they verify their identity by a different means, such as a link delivered by email message or a voice check.
Perhaps the simplest form of passwordless authentication involves following a link sent to your email account or by SMS. It can also be based on biometrics, gestures, uniquely generated one-time codes, etc.
Passwordless Authentication vs MFA
Multi-factor authentication and passwordless authentication are not the same thing. The passwordless approach simply replaces the use of a password with a different authentication factor. When used on its own – so not in combination with a passphrase, biometrics, etc. – it is a form of single-factor authentication which nevertheless is considered safer than a simple password.
That said, passwordless authentication can also be used as part of a multi-factor authentication process – which is why people sometimes confuse the two.
How Does Multi-Factor Authentication Work?
MFA works by adding layers to the login process. The user must present at least two factors in order to verify their digital identity, with these factors drawn from three categories:
- Something the user knows: This could be a password, a PIN or a piece of information about the user (their mother’s maiden name is a common example).
- Something the user has: This could be hardware, such as a cellphone or a computer, or a digital asset such as a software token or a security key.
- Something inherent to the user: Fingerprint, iris and voice are most commonly used for this kind of biometric verification.
Multi-factor authentication uses two or more of these categories.
For example, a company may require a user to enter a password and also a code that the company sends to them via SMS. This requires something they know (the password) and something they have (the cellphone that receives the SMS). The company could also require a fingerprint or iris scan – something inherent to the user – for additional security.
Passive vs Active Authentication
Some MFA factors are active. This is where the user must complete an action, such as entering a password or saying a passcode. Others are passive, such as the user simply holding their camera up to their face or having access to a known, pre-verified device.
Many companies use a combination of passive and active authentication steps, with passive authentication reducing friction and thus improving the customer experience. Passive, frictionless authentication can also include checks conducted under the hood by fraud prevention software, based on the customer’s hardware and software as well as other data points available at the start of the session.
What Are the Types of Multi-Factor Authentication?
Multi-factor authentication solutions differ from company to company. However, they usually fall into one of the following types of MFA.
Biometrics
Allied Market Research projects that the mobile biometrics market will grow from a value of $24.6 billion in 2021 to $184.8 billion by 2031. Biometric authentication can use someone’s voice, fingerprints, or facial or retinal recognition. It can also be linked to typing behavior recognition (typing cadence), as this is another characteristic that is inherent to the user.
One-Time Passcodes
One-time passcodes (OTPs) are codes that a user receives to a trusted device or account and then must enter within a specified time limit. The user usually receives the code on their cellphone or computer via SMS or email or through an app on their phone.
OTPs are usually numeric codes but can also be alphanumeric. They may also be provided in the form of a browser link that the user must click. This type of MFA factor is very widely used, yet it is important to note that it is possible for bad actors to intercept these communications in their effort to gain access to user accounts.
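As an added example (not code from the original article or from SEON), the following shows how an app-based one-time passcode is generated and checked on the server side, following the TOTP scheme (RFC 6238) that authenticator apps use. It covers the two points the passage raises: the code is only valid within a time limit (here a 30-second step, with one adjacent step tolerated for clock drift), and a code that has already been accepted is rejected if replayed. The shared secret is the RFC test-vector value and is a constructed input.

```python
import hashlib
import hmac
import struct

# Constructed input: the shared secret from the RFC 4226/6238 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                step: int = 30, window: int = 1):
    """Server-side check of a submitted code.

    Accepts the code if it matches the current time step or one within `window`
    steps of it (clock drift), but only for a counter newer than `last_counter`,
    the step of the last accepted code, so a captured code cannot be replayed.
    Returns (accepted, new_last_counter); the caller must persist the counter.
    """
    now_counter = unix_time // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue  # already consumed (or older than one consumed): replay
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # RFC 6238 vector: at t=59 the 8-digit SHA-1 TOTP is 94287082, so 6 digits gives 287082.
    print(totp(DEMO_SECRET, 59))  # → 287082
    ok, last = verify_totp(DEMO_SECRET, "287082", 59, last_counter=-1)
    replay, _ = verify_totp(DEMO_SECRET, "287082", 59, last_counter=last)
    print(ok, replay)  # → True False
```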
Apps
In addition to receiving OTPs as part of the authentication process, official mobile and tablet apps can also be used for authorization via on-device prompts, where the user can approve or deny the authentication attempt.
Hard Tokens vs Soft Tokens
Hard tokens are physical objects that are used during the authentication process. Key fobs, smart cards, and USB drives are all examples of hard tokens. They are often seen as very secure, as the user must have the hard token with them during the login attempt. However, they are vulnerable to man-in-the-middle attacks, as well as to theft. Users can also lose them.
Soft tokens, on the other hand, use software that can be embedded on a device and that companies can update automatically. They are far cheaper and easier to deploy than hard tokens but come with their own share of shortcomings, including hacking.
Why Is MFA Important?
Multi-factor authentication is important because it helps companies protect their data – and that of their users. There is more at stake with account takeover attacks today than in previous decades, because so many customer accounts hold stored credit card details.
For example, Amazon invites shoppers to store their card information so as to be able to check out more quickly. But this means that a fraudster has much more to benefit from if they do manage to gain access to this shopper’s account.
Information security is of paramount importance. Fortune Business Insights projects that the information security market will reach a value of $366.1 billion by 2028, while Accenture reports that 68% of business leaders feel that the cybersecurity risks that they face are increasing.
Worryingly, given these figures, Sophos reports that 54% of companies feel their IT isn’t sophisticated enough to handle advanced cyberattacks. Cisco, meanwhile, reports that 42% of companies suffer from cyber fatigue or apathy when it comes to proactively defending against attacks.
The scale of the problem is apparent when we consider that data breaches exposed a staggering 22 billion records in 2021, with the Identity Theft Resource Center reporting that data breaches jumped 68% during the year.
The Benefits of MFA
MFA can significantly impede malicious attempts to fraudulently log in to accounts. This is one reason why security requirements such as strong customer authentication (SCA) are so important.
According to Google research, 2FA using an SMS sent to a user’s phone can block 76% of targeted phishing attacks, 96% of bulk phishing attacks, and 100% of automated bot attacks. Even better, 2FA using on-device prompts increases these figures to 90% of targeted attacks, 99% of bulk phishing attacks and 100% of automated bot attacks.
Microsoft, meanwhile, found that MFA can block over 99.9% of account compromise attacks.
What Kind of Attacks Does Multi-Factor Authentication Prevent?
MFA helps prevent a range of fraudulent attacks. It can protect against:
- account takeovers
- brute force and reverse brute force attacks
- credential stuffing
- card fraud enabled by an illegitimate sign-in
- man-in-the-middle (MitM) attacks
- money laundering schemes using stolen accounts
Of course, multi-factor authentication can also protect companies from all attacks that begin with a user’s account being compromised – which can have repercussions on the account holder themselves, the company where the account is set up, as well as third parties.
How Does MFA Help Stop Fraud?
Multi-factor authentication helps stop fraud by making it harder for fraudsters to gain access to and control of users’ accounts. Single-factor authentication, where a user only provides a password, is relatively easy for criminals to bypass. Bypassing MFA is much harder because the person logging in needs to guess, spoof or acquire more than one factor – for instance, guessing a password, spoofing a fingerprint, and gaining access to someone’s email in order to intercept one-time passwords.
Of course, no solution is perfect or entirely foolproof. As MFA methods increase in sophistication, so too do fraudsters’ attempts to circumvent these defenses.
For example, in recent years, analysts have sounded the alarm on the fact that biometrics checks aren’t impossible to mimic or spoof, which underscores just how important public awareness is.
In the image above you can see one more scenario: the fraudster has used a phishing attack to trick the user into installing malware. This malware collects the victim’s credentials, including passwords and one-time passwords, and sends them to the fraudster in real time, who then uses them to take control of the account.
However, MFA still provides a great deal more security than single-factor authentication, which is why so many companies use it to protect their services and data.
For those companies who want to go beyond this rudimentary protection without adding friction to the customer experience, sophisticated fraud prevention software will look at hundreds of data points involving a user’s device and software, as well as their location and credentials, to gauge their true intentions.
But more than anything, a good security system is never one-size-fits-all. Instead, it adjusts itself to optimize the customer journey, escalating friction based on perceived risk.
What does this mean? Here is an example: someone logging in from a suspicious device might be asked for several factors of authentication, whereas an individual accessing from a device and IP address where they’ve been seen several times before might be asked for just the minimum.
This strategy can apply to everything from MFA to fraud prevention, ordering and beyond, by companies looking to keep their customers as happy as possible without compromising security.
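The risk-based step-up policy described in the last three paragraphs, written out as an added example (not code from the article or from SEON). It assumes a constructed mapping of factor types onto the article’s three categories, treats a familiar device on a familiar IP as a passive “something the user has” factor (as the Passive vs Active Authentication section describes), and escalates the number of distinct categories required as the login looks riskier.

```python
from dataclasses import dataclass

# Constructed mapping of factor types onto the three categories from the article.
CATEGORY = {
    "password": "knows", "pin": "knows",
    "sms_otp": "has", "totp_app": "has", "security_key": "has",
    "fingerprint": "inherent", "face": "inherent",
}
ALL_CATEGORIES = frozenset(CATEGORY.values())


@dataclass(frozen=True)
class LoginContext:
    """Passive signals available before the user types anything (assumed fields)."""
    device_seen_count: int      # prior successful logins from this device fingerprint
    ip_seen_count: int          # prior successful logins from this IP address
    familiar_after: int = 3     # sightings needed before a device/IP counts as familiar

    @property
    def familiar_device(self) -> bool:
        return self.device_seen_count >= self.familiar_after

    @property
    def familiar_ip(self) -> bool:
        return self.ip_seen_count >= self.familiar_after


def risk_score(ctx: LoginContext) -> int:
    """Perceived risk: an unknown device weighs more than an unknown IP."""
    return (0 if ctx.familiar_device else 2) + (0 if ctx.familiar_ip else 1)


def required_categories(ctx: LoginContext) -> int:
    """Escalate friction with risk: two categories normally, all three when both
    the device and the IP are unfamiliar (the 'suspicious device' case)."""
    return 3 if risk_score(ctx) >= 3 else 2


def satisfied_categories(ctx: LoginContext, factors: list) -> set:
    cats = {CATEGORY[f] for f in factors}
    if ctx.familiar_device and ctx.familiar_ip:
        cats.add("has")  # passive factor: a known, pre-verified device on a known IP
    return cats


def decide(ctx: LoginContext, factors: list):
    """Return ("allow", []) or ("step_up", [categories still missing])."""
    have = satisfied_categories(ctx, factors)
    if len(have) >= required_categories(ctx):
        return ("allow", [])
    return ("step_up", sorted(ALL_CATEGORIES - have))
```

A returning user on a familiar device and IP passes with only a password, because the recognised device silently supplies the second category; the same password from a new device triggers a step-up, and from a new device and new IP the user must cover all three categories.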