What is multi-factor authentication? MFA examples

Multi-factor authentication (MFA) is a user verification method that requires two or more identification pieces to allow access to accounts or company resources. The factors that MFA use for authentication fall into different categories and typically involve:

• Something the user knows (like a password or PIN).
• Something they have (for example, authentication apps or email accounts).
• Something they are (such as a fingerprint or face scan).

With multiple factors to authenticate users, MFA creates a layered security mechanism that reduces the risk of unauthorized access. Even if a threat actor compromises the first verification element (a password), they will unlikely be able to meet the remaining authentication requirements and gain entry to the account.

Many enterprises have also seen the benefits of using an authentication system that dynamically adjusts to the risk factors involved, called adaptive MFA. It uses contextual information and user behavior patterns to determine the level of risk associated with the connection and which authentication factors to apply.

The contextual information used by adaptive authentication may include the following:

• The location from which the user tries to connect.
• Devices used for the login.
• Time of day when the user attempts to connect.
• If the user is connecting through a private or public network.
• Number of failed login attempts.

Adaptive MFA prompts a particular verification method comparing the context in which the user tries to connect and the regular circumstances for the connection. If the attempted connection seems too risky, the system may not allow the user to log in or ask for additional information.

Multi-factor authentication requests the user to provide specific information to fulfill at least two prompts that differ in their nature. These prompts fall into different categories: the first is typically a password the user creates, followed, for instance, by a request to provide a one-time password (OTP) sent via SMS or a fingerprint scan. Proving the user’s identity by multiple pieces of evidence lessens the chances of threat actors impersonating the user and gaining access to private or company resources.

Let’s look into the breakdown of how MFA works starting from its initial stages.

1. When the user registers for an account with MFA, they have to create a username and password and provide any other type of possible authentication item, for instance, their phone number, email address, or fingerprint.
2. Whenever users want to access online accounts or data secured by MFA, they must provide their username, password, and additional verification prompt set at the initial stages of creating their account. It can be an authentication code sent via SMS, their face scan or fingerprint.
3. Once all the verification steps are accomplished, the user gains access to the system.

Multi-factor authentication is important because it adds another layer of protection and reduces the chances of unauthorized entities gaining access to sensitive data. As more information is stored in various cloud-based platforms, safeguarding it with just a password is no longer practical. For one, users may create weak passwords that hackers can easily crack during brute-force attacks or malware intrusion. Losing your password to hackers may lead to even graver consequences if you use the same password over multiple accounts, compromising all of them. Meanwhile, an additional MFA factor can help block unauthorized access to your accounts even when your password has been stolen.

MFA can benefit both businesses and individuals by providing a layered approach to access and security. Let’s look into its major advantages:

• Enhanced security. Employing multiple authentication factors, MFA can secure accounts even if the first layer of verification — a password — has been breached or lost. It’s an effective tool to reduce the possible damage of phishing attacks: Even if a scammer tricks the user into revealing their password, secondary authentication layers will restrict the scammer’s access to the account. MFA minimizes the risks associated with compromised passwords, human error, or cyber attacks targeting sensitive information.
• Flexibility and compatibility. MFA provides a number of user verification methods that vary in nature, such as authentication codes or biometric data. Businesses can choose which MFA authentication methods best suit their needs and assets and what’s most convenient to their users. It’s the main reason why Nord Account implemented MFA security. Organizations can also implement MFA on various applications and access points, securing a wide range of resources.
• Customer trust. Using MFA can increase customer confidence and appeal because its verification method puts less emphasis on passwords and more on other forms of authentication. It makes the MFA system more forgiving of human error.

MFA authentication methods can be classified depending on which resources the user uses to access the account. Let’s take a look at the most common authentication methods.

Knowledge

The knowledge factor refers to information that only the user would know, its examples being:

• Password or a PIN created by the user.
• Security question, such as the name of the user’s pet or a relative.

Once the user puts this piece of information into the MFA system, they are led to the following authentication steps.

Possession

The authentication method concerns the possession of an item, users identifying themselves by something they have. These may include:

• Physical devices, such as mobile phones, tablets, or hardware fobs.
• Digital assets, including email accounts or SMS service.
• Authentication applications, like Google Authenticator or Authy, which generate time-based one-time codes (TOTPs).

At the time of authentication, the user receives a temporary code to enter into an MFA application or a push notification they need to confirm. After the user accomplishes the prompt, they are either let into the account or receive another verification request.

Inherence

The inherence factor indicates something that the user is. Here are some examples:

• Fingerprint or eye scan.
• Voice or facial recognition.
• Keystroke dynamics, including typing speed or specific use of the device.

MFA has to collect and store the user’s biometric data upon registration to use this authentication mode. Biometric factors are unique and always tied to the user, which makes this inherence category one of the most substantial barriers to entering the account.

Location

The location factor depends on the user’s physical location, including:

• Geolocation where the user is based at the moment of log in.
• IP address of the device the user is trying to connect through.

The location authentication method uses GPS coordinates and network parameters to determine whether the user’s location doesn’t seem unusual. The location parameters typically run in the background. If the MFA system suspects unusual activity, it may block users from getting into the account or ask to fulfill additional verification steps.

Time

The time factor tracks when the user is trying to log in. It determines whether the user can access the account based on:

• The specific time period during which the user is allowed to access the resources.

If the user tries to log in to the system at odd hours, for instance, in the middle of the night, the MFA may block their attempt to connect or ask for additional verification.

Even though MFA is a great tool to enhance the security of users’ accounts and companies’ resources, it has some drawbacks. Here are MFA downsides to consider:

• Lockouts. If the user loses or damages their phone or other hardware for verifying their identity, MFA will block their access to the account. It may cause significant delays and require external help to regain access to the account.
• Increased login times. Fulfilling MFA’s request may require some time, especially if the system identifies your connection as risky.
• Dependent on third parties. Some verification steps may require installing additional apps to send users a TOTP or push notifications, using up space on their devices.
• Vulnerable to targeted attacks. Although MFA is an effective system against automated cyber attacks, it is less resistant to hackers with specific targets. Threat actors can exploit user behaviors or use elaborate phishing schemes to convince users to collaborate when accessing restricted accounts.

MFA and two-factor authentication (2FA) are both verification methods that require users to prove their identity multiple times before they are allowed to access the account. The main distinction between the two lies in the number of authentication steps the system requires.

2FA requires two distinct forms of identification, which typically involve the knowledge factor (password) in combination with the possession (mobile device) or inherence (biometric data) factor. For example, when using 2FA, you’d be asked to provide a password and enter the code sent to you by SMS or use your fingerprint.

Meanwhile, MFA can ask for two or more identification methods that go together with the password. For example, when the user is asked to accept push notifications sent to their mobile device, the MFA system may also check the location from which the user is trying to connect and evaluate the risk.

2FA is a subset of MFA, with MFA providing more flexible and robust solutions that help to determine if the connection to the account is legitimate.

MFA can provide a robust layer of security that goes beyond the traditional password-based access systems. MFA technology uses authentication methods that are personalized and based on real-time circumstances, making it much more challenging for threat actors to compromise accounts. This feature helps to significantly lower the risk of unauthorized access to accounts and resources with only minimal trade-off in potential inconvenience to the user.