Multi-Factor Authentication (MFA) is an authentication process that requires a user to prove their identity with two or more independent factors of different types. In practice this means that a single credential, such as a password, is not enough to log into systems, applications or other digital assets.
It is a fundamental part of the Zero Trust security approach that an organisation can adopt: stolen or phished credentials are one of the most frequent causes of incidents, and a second factor limits what an attacker can do with a password alone.
MFA draws on three main categories of factors, and a genuine MFA login combines at least two of them:
- Things that the user knows (knowledge) like a password or a pin code;
- Things that the user owns (possession) such as a mobile phone;
- Things that the user is (inherence), such as a fingerprint, face or voice (biometrics).
The History of MFA
To understand why Multi-Factor Authentication increases security, it helps to step back and look at how the world of technology has changed since authentication meant a single password.
A major change in the IT world was the introduction of web-based applications. Suddenly, users needed a separate password for each of their applications. Convenience is often preferred over security and, as a result, reusing the same password across services became a common habit. The problem is that if that password is leaked from one service, every account that uses it is also compromised; attackers automate this with credential stuffing, replaying leaked username and password pairs against other sites.
Another major change was the rise of social media, which has made it much easier to find the answers to the security questions that usually accompany a password reset. For example, how often is a password, or a security answer, a pet's name? If you have ever mentioned your pet on social media, that password is one step closer to being guessed.
Knowing a credential alone is no longer proof of identity, and modern identity providers, including cloud directories, make it straightforward to start rolling out Multi-Factor Authentication in your organisation.
Examples of MFA
Multi-Factor Authentication combines two or more of the following elements, taken from different categories, to authenticate a user:
Knowledge
- Answers to personal security questions (a weak factor, since the answers are often discoverable, as noted above);
- Password;
- One Time Password (OTP) – often listed under knowledge because the user types in a value, but it really proves possession: the code can only be obtained from something the user holds, such as their phone or a hardware token.
Possession
- OTPs generated by mobile phone applications;
- OTPs sent by text message or email (the weakest possession factor: SMS codes can be diverted through SIM swapping, and both SMS and email codes can be phished);
- Access badges, USB devices, smart cards, key fobs or security keys;
- Hardware tokens and software certificates (for example client certificates installed on a managed device).
Inherence
- Fingerprints, facial recognition, voiceprint, retina or iris scan or other biometrics;
- Behavioural analysis, such as typing rhythm or mouse movement, usually used as a continuous signal rather than a login factor.
Other types of MFA elements
As authentication technologies evolve, increasingly using machine learning to score the context of a login, methods beyond the three classic factors are also becoming common:
Geolocation
Geolocation-based MFA generally analyses the user's IP address and, where possible, derives a geographic location from it. This information can be used simply to block access when the location does not match an allow list of permitted countries or networks, or it can be combined with other factors such as a password or OTP as an additional signal when confirming the user's identity. IP geolocation is a weak signal on its own: a VPN or proxy places the user wherever its exit node is, so it should raise or lower risk rather than prove identity.
Adaptive Authentication or Risk-based Authentication
Another subset of MFA is Adaptive Authentication, also known as risk-based authentication. Adaptive authentication evaluates additional signals about the context and behaviour of a login attempt and uses them to assign a risk level to that attempt.
For example:
- From where is the user trying to access the information?
- When are they accessing company information? During normal hours or out of hours?
- What type of device is being used? Is it the same as the one used yesterday?
- Is the connection via a private or public network?
The risk level is calculated from the answers to these questions and determines whether the user is let straight in, asked for an additional authentication factor, or refused.
With Adaptive Authentication in place, a user logging in from a coffee shop at the end of the day, something they do not normally do, might be required to enter a code sent to their phone in addition to their username and password. When the same user logs in from the office every day at 9 am, they are simply asked for their username and password. Adaptive rules reduce friction for low-risk logins; they do not replace the second factor, which should still be required for sensitive actions and at regular intervals.
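A minimal risk engine that asks the four questions above and turns the answers into allow, step-up or deny, with a hard geolocation block in front of the scoring. This is an added example, not part of the original article or of any particular product; the allow list, corporate network ranges, office hours, per-signal weights, thresholds and the sample login attempts are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress
from typing import List, Set, Tuple

# Hypothetical policy values for this example; a real deployment would load them
# from the identity provider's configuration.
ALLOWED_COUNTRIES = {"PT", "ES", "GB"}                      # geolocation allow list
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),   # internal ranges
                      ipaddress.ip_network("203.0.113.0/24")]  # office egress (TEST-NET-3)
OFFICE_HOURS = range(8, 19)                                  # 08:00-18:59 local time


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    country: str          # from IP geolocation, e.g. "PT"
    device_id: str        # cookie / device fingerprint presented by the client
    timestamp: datetime   # local time of the attempt


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)


def risk_score(attempt: LoginAttempt, history: UserHistory) -> Tuple[int, List[str]]:
    """Answer the four context questions; each unusual answer adds to the score."""
    score, reasons = 0, []
    ip = ipaddress.ip_address(attempt.source_ip)
    if not any(ip in net for net in CORPORATE_NETWORKS):      # private or public network?
        score += 1
        reasons.append("public network")
    if attempt.timestamp.hour not in OFFICE_HOURS:            # normal hours or out of hours?
        score += 1
        reasons.append("out of hours")
    if attempt.device_id not in history.known_devices:        # same device as before?
        score += 2
        reasons.append("new device")
    if attempt.country not in history.usual_countries:        # where is the user coming from?
        score += 2
        reasons.append("unusual country")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory) -> Tuple[str, List[str]]:
    """Map the score to an outcome: 'allow', 'step_up' (ask for an OTP) or 'deny'."""
    if attempt.country not in ALLOWED_COUNTRIES:
        return "deny", ["country not on allow list"]          # hard geolocation block
    score, reasons = risk_score(attempt, history)
    if score == 0:
        return "allow", reasons
    if score <= 3:
        return "step_up", reasons
    return "deny", reasons


# Constructed sample data: one user with one known laptop who usually logs in from PT.
HISTORY = UserHistory(known_devices={"laptop-1"}, usual_countries={"PT"})
OFFICE_LOGIN = LoginAttempt("alice", "10.1.2.3", "PT", "laptop-1", datetime(2024, 5, 6, 9, 0))
CAFE_LOGIN = LoginAttempt("alice", "198.51.100.7", "PT", "laptop-1", datetime(2024, 5, 6, 19, 30))
ABROAD_LOGIN = LoginAttempt("alice", "198.51.100.7", "GB", "phone-9", datetime(2024, 5, 6, 23, 0))
BLOCKED_LOGIN = LoginAttempt("alice", "10.1.2.3", "RU", "laptop-1", datetime(2024, 5, 6, 9, 0))

if __name__ == "__main__":
    for name, attempt in [("office 9am", OFFICE_LOGIN), ("cafe 19:30", CAFE_LOGIN),
                          ("abroad, new phone", ABROAD_LOGIN), ("blocked country", BLOCKED_LOGIN)]:
        print(f"{name:18} -> {decide(attempt, HISTORY)}")
```

The office login scores zero and is allowed with just the password; the coffee-shop login at 19:30 collects "public network" and "out of hours" and triggers a step-up; a new device from a country the user never uses, out of hours, scores high enough to be refused outright. Keep the reasons list: it is what the security team needs when a user asks why they were challenged.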
What is the difference between MFA and two-factor authentication (2FA)?
MFA is often used interchangeably with two-factor authentication (2FA). 2FA is the special case of MFA with exactly two factors, while MFA covers two or more. In both cases the factors must come from different categories: a password plus a security question is two knowledge factors, not two-factor authentication.
Conclusion
Attackers are constantly trying to steal credentials, and an MFA strategy is one of the most effective controls against them: a stolen password on its own no longer grants access. An effective data security plan will save your organisation time and money in the future.
There is a wide range of authentication solutions for the current challenges of user identification; which of them apply depends on the actual environment of each company.
Being experts in this area, with experience in implementing the best cybersecurity solutions in the market, we are available to:
- Schedule additional informative sessions;
- Run demos of solutions tailored to specific needs;
- Design technology projects suited to the context of each corporate environment.