What is Multi-Factor Authentication (MFA)? 

Learn how Multi-Factor Authentication (MFA) can prevent compromised credentials that lead to massive data breaches.


Multi-factor authentication (MFA) is a method of confirming a user’s identity that requires multiple verification steps in addition to basic login credentials. The goal of MFA is to prevent unauthorized access even if an attacker has stolen or guessed the user’s password.

How Does MFA Work?

MFA adds extra layers of security to your account by presenting a series of login challenges to the user in addition to a username and password. 

A typical multi-factor authentication scheme requires one of each of the following:

  • Something you know (such as a password)
  • Something you have (a smartphone, USB dongle, etc.)
  • Something you are (your fingerprint or other biometric identifiers)

If you had MFA at work, for example, you’d first enter your username and password on the login page. Then the system would ask for a short one-time password (OTP) generated by an app on your phone, followed by a fingerprint scan.

The reason for all these extra layers is to make it harder for threat actors to access your account while minimizing friction for everyday use. If the hackers don’t know your OTP secret, for example, they cannot generate the required code. Even if they could generate the secondary code, or trick you into providing it, they would still need that third factor such as a fingerprint or face scan to gain access.

MFA can be used for all kinds of accounts but is largely restricted to the enterprise, while consumer accounts for items such as social media and email are often protected by two-factor authentication (2FA).

What is the Difference Between MFA and 2FA?

MFA and two-factor authentication (2FA) are often used interchangeably, but 2FA is a subset of MFA and is the most common strategy. 

As its name implies, 2FA requires a second factor of authentication after a username and password. Thus you start by logging in with your credentials and then enter a second factor, often a one-time password from an app like Authy or Google Authenticator.

While 2FA only requires a second factor after the username and password, MFA can require two additional factors or more. With MFA the user must verify each one before gaining access to the resource.

MFA Benefits

MFA is all about thwarting bad actors looking to harvest user credentials. Compromised credentials and weak passwords account for 80% of data breaches, leaving any organization vulnerable to brute force attacks.

At the enterprise level, credential harvesting is the first step of an advanced persistent threat actor. Using login credentials, hackers infiltrate a corporate network and then attempt to gain access to accounts with broader permission levels until gaining administrator rights. If successful, the hackers can then move on to exfiltrating data, inserting malware into the system, or kickstarting a supply-chain attack against the target company’s clients. 

That’s why multiple login factors can be so critical. If the hackers are able to gain access to your username and password through a phishing website, they still aren’t able to access the system. They’ll also need to figure out your one-time password code in real time, or steal the USB dongle required to log in. On top of that, they will also need your biometric login data.

Although it’s a lot for threat actors to deal with, multi-factor authentication is relatively easy to use on a day-to-day basis. It does require some extra effort, but the security benefits easily justify the added burden.

Improved Security

As we’ve just discussed, multi-factor authentication is the best way to protect your users and your organization from credential theft. It protects against account takeover by preventing unauthorized access even if the password is compromised. It also improves the user experience as people can feel more confident that their account is protected. 

Regulatory Compliance

Increasingly stringent privacy regulations such as GDPR require businesses to implement strong authentication protocols like multi-factor authentication (MFA). Many companies also use it to comply with the Payment Card Industry Data Security Standard (PCI DSS).

With more than one method to prove their identity, people are less likely to fall victim to phishing attacks or other forms of fraud.

Prevent Compromised Passwords

If someone obtains your password, they can potentially access your account, which can lead to a chain reaction of compromised accounts. With MFA, however, hackers would need both your password and a physical device (like a smartphone, smartwatch, or USB dongle) to get into your account. This makes the task much harder since they would have to attack the phone directly or trick you via social engineering into providing an OTP passcode.

Single Sign-On (SSO) Compatibility

Single Sign-On (SSO) allows users to log into multiple applications using a single login, without having to remember multiple passwords. In the corporate world, there are a large number of SSO providers such as JumpCloud and Okta. Some consumer services also use a sort of SSO when, for example, you use your Google account to sign in to a non-Google service. 

Examples of MFA Methods

Passwords are often used in conjunction with one or more of the following multi-factor authentication methods:

  • A USB dongle such as a YubiKey or RSA SecurID Token
  • A smartphone app with a simple “Yes it’s me/No it’s not” challenge
  • A smartphone app that generates one-time passwords such as Authy or Google Authenticator
  • An SMS-based or call-based OTP (least secure option prone to SIM hijacking)
  • Fingerprint or facial recognition scans
  • Voice recognition

One-Time Password (OTP)

A One-Time Password is a short passcode that is only valid for a limited time. OTPs are typically generated by a smartphone app or a keychain dongle, and they are based on a shared key (also called a secret) between the device and the service you’re logging into.

OTPs can also be sent to your smartphone through an SMS or an automated voice call. These methods are the least secure, however, as they’re prone to SIM hijacking, which is a form of social engineering where hackers gain control of a victim’s mobile phone number.

Biometric Identifiers

Biometric identifiers are based on a person’s physical characteristics such as fingerprints, retinas and irises, and facial patterns. These identifiers are much harder to obtain, but not impossible. Someone in physical proximity to the target, or with access to items they’ve touched, could obtain fingerprints, for example. Items such as photographs, masks, and even 3D models have also been used to fool facial recognition cameras.

Hardware Token

The hardware token is one of the most secure ways to access your online accounts. These are physical devices such as a YubiKey that connect to your computer or mobile phone. Often called dongles, hardware tokens are similar to USB flash drives with a small amount of storage holding a certificate or unique identifier. They can sometimes be used in place of a username and password, but are more often seen as part of an MFA strategy.

Software Token

Two-factor authentication systems often use software tokens such as apps that confirm logins with a pop-up notification. Users can verify their identity when requesting access to a computer, network, or device. Many consumer services now realize that passwords alone are insufficient to authenticate users. 

Keep Your Credentials Safe with Perimeter 81’s Built-in MFA Capabilities

Perimeter 81 is the ideal solution for organizations looking to enable enterprise mobility while empowering employees to work from anywhere without the hassle of an on-premises VPN. Perimeter 81 integrates with major identity providers (IdPs) such as Azure AD and offers built-in SSO support for simple user login. Enforce safer network access and avoid compromised credentials with Perimeter 81’s Identity Management platform.

Multi-Factor Authentication (MFA) FAQ 

What is Multi-factor authentication (MFA)?
MFA is a secure login method that requires the user to complete multiple identity challenges before gaining access to an online account or service.
How does Multi-factor authentication work?
MFA requires the user to provide more than a username and password, such as an additional one-time password, hardware or software token, or biometric identifier.
Why use Multi-factor authentication?
MFA prevents hackers from easily gaining access to an account since threat actors have to acquire a further secret, or set of secrets, separate from the username and password.
What is the difference between MFA and 2FA?
2FA is a subset of MFA that requires just one additional login factor after the username and password; MFA requires more than one extra factor.
What is an MFA example? 
Examples of MFA methods include biometric identifiers such as fingerprints, USB hardware tokens, and software tokens including smartphone apps.
