What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is a method of confirming a user’s identity that requires one or more additional verification steps beyond the basic login credentials.

The goal of MFA is to prevent unauthorized access even if an attacker has stolen or guessed the user’s password. Multi-factor authentication adds extra layers of security to your account by presenting a series of login challenges to the user in addition to a username and password.

How Does MFA Work?

A typical multi-factor authentication scheme requires one of each of the following:

  • Something you know (such as a password)
  • Something you have (a mobile device, USB dongle, etc.)
  • Something you are (your fingerprint or other biometric identifiers)

If you use MFA at work, for example, you’d first enter your username and password on the login page.

The system would then ask for a short one-time passcode (OTP) generated by an app on your phone, followed by a fingerprint scan. The reason for these extra layers is to make it harder for threat actors to access your account while keeping friction low for everyday use.

If the hackers don’t know your OTP secret, for example, they cannot generate the required code. 

Even if they could generate the secondary code, or trick you into providing it, they would still need that third factor such as a fingerprint or face scan to gain access.

MFA vs. 2FA: What’s the Difference?

2FA is a subset of MFA and is the most common strategy. As its name implies, two-factor authentication (2FA) requires a second factor of authentication after a username and password. So, you start by logging in with your credentials and then enter a second factor, often a one-time password from an authenticator app like:

  • Authy
  • Google Authenticator

While 2FA only requires a second factor after the username and password, MFA can require two additional authentication factors or more. 

With MFA the user must verify each one before gaining access to the resource.

The Most Common Examples of MFA Methods

Passwords are often used in conjunction with one or more of the following MFA methods:

  • A USB dongle such as a YubiKey or RSA SecurID Token
  • A smartphone app with a simple “Yes it’s me/No it’s not” challenge
  • A smartphone app that generates one-time passcodes such as Authy or Google Authenticator
  • An SMS-based or call-based OTP (the least secure option, as it is prone to SIM hijacking)
  • Fingerprint or facial recognition scans
  • Voice recognition

One-Time Password (OTP)

A One-Time Password (OTP) is a short passcode that is only valid for a limited time.

OTPs are typically generated by a smartphone app or a keychain dongle, and they are derived from a shared key (also called a secret) held by both the device and the service you’re logging into.

OTPs can also be sent to your smartphone through an SMS or an automated voice call. 

These methods are the least secure, however, as they’re prone to SIM hijacking, which is a form of social engineering where hackers gain control of a victim’s mobile phone number.

Biometric Identifiers

Biometric identifiers are based on a person’s physical characteristics, such as fingerprints, eye retinas and irises, and facial patterns. These identifiers are much harder to obtain, but not impossible. Someone in physical proximity to the target, or with access to items they’ve touched, could obtain fingerprints, for example.

Items like the following have also been used to fool facial recognition cameras:

  • Photographs
  • Masks
  • 3D models

Hardware Token

The hardware token is one of the most secure ways to access your online accounts. These are physical devices such as a YubiKey that connect to your computer or mobile phone. 

Often called dongles, hardware tokens are similar to USB flash drives with a small amount of storage holding a certificate or unique identifier. They can sometimes be used in place of a username and password, but are more often seen as part of an MFA strategy.

Software Token

This method includes software tokens such as apps that confirm logins with a push notification. Users can verify their identity when requesting access to a:

  • Computer
  • Network
  • Device 

Many online services now realize that passwords alone are insufficient to authenticate users. 


Benefits of Multi-Factor Authentication

Having weak passwords can be detrimental to your organization’s security. 

  • Weak Passwords: 80% of data breaches are caused by compromised credentials or weak passwords, making organizations vulnerable to attacks.
  • Advanced Threats: Hackers often steal login credentials to infiltrate corporate networks and gain access to sensitive information. This can lead to data theft, malware infections, or even supply-chain attacks.

A multi-factor authentication method solves this problem by utilizing multiple factors to log in. So, even if your passwords get compromised, hackers won’t be able to access your account.

Aside from that, here are the biggest benefits of multi-factor authentication.

Additional Security

Multi-factor authentication is the best way to protect your users and your organization from credential theft. 

It protects you against account takeover by preventing unauthorized access even if the password is compromised. It also improves the user experience (UX) as people feel more confident their account is protected. 

Regulatory Compliance

Privacy regulations like GDPR require businesses to implement strong authentication protocols like multi-factor authentication (MFA). Many companies also use it to comply with Payment Card Industry Data Security Standard (PCI DSS).

With more than one method to prove their identity, people are less likely to fall victim to phishing attacks or other forms of fraud.

Prevent Compromised Passwords

If someone obtains your password, they can potentially access your account, which can lead to a chain reaction of compromised accounts. 

With MFA, however, hackers would need both your password and a physical device (like a smartphone or smartwatch) to get into your account. This makes the task much harder since they would have to attack the phone directly or trick you via social engineering into providing an OTP passcode.

MFA & Single Sign-On (SSO) Compatibility

Single Sign-On (SSO) allows users to log into multiple applications using a single login, without having to remember multiple passwords. 

In the corporate world, there are a large number of SSO providers such as:

  • JumpCloud
  • Okta

Some consumer services also use a sort of SSO when, for instance, you use your Google account to sign in to a non-Google service. 

MFA can be integrated with SSO to add an extra layer of security. 

For instance, after a user logs in with SSO, they may be prompted to provide a fingerprint or enter a one-time password (OTP) generated by their phone. This ensures that even if an attacker steals the user’s SSO credentials, they still cannot access the user’s accounts without the additional MFA challenges.

Keep Your Credentials Safe with Perimeter 81’s Built-in MFA Capabilities

Perimeter 81 is the ideal solution for organizations looking to enable enterprise mobility while empowering employees to work from anywhere without the hassle of an on-premises VPN. Perimeter 81 integrates with major identity providers (IdPs) such as Azure AD and offers built-in SSO support for simple user access login.

Enforce safer network access and avoid compromised credentials with Perimeter 81’s Identity Management platform.

FAQs

What is the difference between a security key and a smart card for MFA?

Both are hardware-based authentication methods, but a security key (like a YubiKey) typically plugs into a device’s USB port, while a smart card is a credit card-sized device that requires a special reader. Both offer strong protection against unauthorized access.

How does adaptive authentication or risk-based authentication work with MFA?

These systems analyze various factors like location, device, and user behavior to determine the risk level of a login attempt. Based on this risk assessment, they can require additional authentication factors, providing a more secure but flexible login process.

Can I use a password manager to store my MFA codes?

While password managers can store complex passwords securely, it’s generally not recommended to store MFA codes in them. MFA codes are meant to be temporary and unique for each login attempt, so storing them would defeat their purpose.

What happens during an authentication attempt if one of my MFA factors isn’t available?

Most MFA systems offer backup options for such situations. For example, if your authentication app isn’t working, you might be able to receive a temporary authentication code via SMS or email.

How does MFA protect against phishing attacks and compromised credentials?

Even if an attacker obtains your password through phishing, they would still need the additional MFA factor(s) to gain access to your account. This significantly reduces the effectiveness of phishing attacks and stolen passwords.
