
What is Multifactor Authentication? | Definition from TechTarget – TechTarget

Multifactor authentication (MFA) is an account login process that requires multiple methods of authentication from independent categories of credentials to verify a user’s identity for a login or other transaction. Multifactor authentication combines two or more independent credentials — what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.
The goal of MFA is to create a layered defense that makes it more difficult for an unauthorized person to access a target, such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one or more barriers to breach before successfully breaking into the target.
In the past, MFA systems typically relied on two-factor authentication (2FA). Increasingly, vendors are using the label multifactor to describe any authentication scheme that requires two or more identity credentials to decrease the possibility of a cyber attack. Multifactor authentication is a core component of an identity and access management framework.
One of the biggest shortcomings of traditional user ID and password logins is that passwords can be easily compromised, potentially costing organizations millions of dollars. Brute-force attacks are also a real threat, as bad actors can use automated tools to guess various combinations of usernames and passwords until they find the right sequence.
Although locking an account after a certain number of incorrect login attempts can help protect an organization, hackers have numerous other methods for system access and carrying out cyber attacks. This is why a multifactor authentication process is so important, as it can help reduce security risks.
An authentication factor is a category of credential used for identity verification. For MFA, each additional factor is intended to increase the assurance that an entity involved in some kind of communication or requesting access to a system is who — or what — it says it is. The use of multiple forms of authentication can help make a hacker’s job more difficult.
The three most common categories, or authentication factors, are often described as something you know, or the knowledge factor; something you have, or the possession factor; and something you are, or the inherence factor. MFA works by combining two or more factors from these categories.
Knowledge-based authentication typically requires the user to answer a personal security question. Knowledge factor technologies generally include passwords, four-digit personal identification numbers (PINs) and one-time passwords (OTPs). Typical user scenarios include the following:
Users must have something specific in their possession to log in, such as a badge, token, key fob or a mobile phone subscriber identity module (SIM) card. For mobile authentication, a smartphone often provides the possession factor in conjunction with an OTP app.
Possession factor technologies include the following:
Typical possession factor user scenarios include the following:
Inherence factors are any biological traits the user has that are confirmed for login. Inherence factor technologies include the following biometric verification methods:
Biometric device components include a reader, a database and software to convert the scanned biometric data into a standardized digital format and to compare match points of the observed data with stored data.
Typical inherence factor scenarios include the following:
User location is often suggested as a fourth factor for authentication. Again, the ubiquity of smartphones can help ease the authentication burden: Users typically carry their phones, and all basic smartphones have Global Positioning System tracking, providing credible confirmation of the login location.
Time-based authentication is also used to prove a person’s identity by detecting presence at a specific time of day and granting access to a certain system or location. For example, bank customers cannot physically use their ATM card in the U.S. and then in Russia 15 minutes later. These types of logical locks can be used to help prevent many cases of online bank fraud.
Multifactor authentication was introduced to harden security access to systems and applications through hardware and software. The goal was to authenticate the identity of users and to assure the integrity of their digital transactions. The downside to MFA is that users often forget the answers to the personal questions that verify their identity, and some users share personal ID tokens and passwords. MFA has other benefits and disadvantages.
When authentication strategies were first introduced, the intent was to enforce security but to also keep it as simple as possible. Users were asked to supply only two forms of security keys that would inform a system that they were authentic and authorized users. Common forms of 2FA were user ID and password or automated teller machine (ATM) bank card and PIN.
Unfortunately, hackers quickly discovered ways to buy or break passwords or skim debit cards at ATMs. This prompted companies and cybersecurity vendors to look for more hardened forms of user authentication that used additional security factors for verification.
While MFA requires at least two authentication factors, if not more, 2FA only requires two. Therefore, all 2FA is MFA, but not the other way around.
Adaptive multifactor authentication is a security approach that chooses which authentication factors to apply to a user’s login attempt based on business rules and contextual information. It’s also referred to as adaptive MFA or risk-based authentication.
Traditional MFA uses set credentials and a second factor, but adaptive MFA is a bit more advanced, as it automatically adapts authentication by considering several variables such as user location, device being used, number of failed login attempts, user behavior and environment. This strategy makes it harder for hackers to gain unauthorized access, since authentication is coordinated with the degree of risk.
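The adaptive selection described above, combined with the earlier "U.S. then Russia 15 minutes later" logical lock, can be sketched as follows. This is an added example, not code from the original article; the thresholds, the `Login` fields, the factor names and the `deny` outcome are all assumptions chosen for illustration.

```python
from __future__ import annotations
import math
from dataclasses import dataclass

MAX_SPEED_KMH = 1000.0   # assumed ceiling: roughly airliner cruising speed
MAX_FAILURES = 3         # assumed threshold for repeated failed attempts
FAR_KM = 500.0           # assumed radius beyond which a location is "unusual"

@dataclass
class Login:             # hypothetical record of one login attempt
    ts: float            # Unix time in seconds
    lat: float
    lon: float
    device_id: str
    failed_attempts: int = 0

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(prev: Login, cur: Login) -> bool:
    """True if covering the distance would need more than MAX_SPEED_KMH."""
    hours = max(cur.ts - prev.ts, 1.0) / 3600.0   # clamp avoids divide-by-zero and clock skew
    return km_between(prev, cur) / hours > MAX_SPEED_KMH

def required_factors(prev: Login | None, cur: Login, known_devices: set[str]) -> list[str]:
    """Choose the factors to demand for this attempt from its contextual signals."""
    if prev is not None and impossible_travel(prev, cur):
        return ["deny"]                           # logical lock: no extra factor explains this
    signals = [
        cur.device_id not in known_devices,                   # unrecognized device
        cur.failed_attempts >= MAX_FAILURES,                  # repeated failures
        prev is not None and km_between(prev, cur) > FAR_KM,  # unusual location
    ]
    risk = sum(signals)
    factors = ["password"]
    if risk >= 1:
        factors.append("otp")                     # step up to a possession factor
    if risk >= 2:
        factors.append("biometric")               # step up again to an inherence factor
    return factors

# Constructed sample data: New York, Moscow 15 minutes later, then a nearby risky login
NYC = Login(ts=0, lat=40.71, lon=-74.01, device_id="laptop-1")
MOSCOW = Login(ts=900, lat=55.76, lon=37.62, device_id="laptop-1")
NEWARK = Login(ts=7200, lat=40.73, lon=-74.17, device_id="phone-9", failed_attempts=4)
```

In production the location would come from a source the client cannot freely set, and the thresholds would be tuned against real login history.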
Users might be reluctant to adopt MFA, since it presents certain usability challenges such as remembering several passwords to log in. Along with user resistance, there could be other obstacles with MFA, including integration problems. Consequently, the goal of MFA is to simplify authentication for users.
The following four approaches are being used to simplify MFA:
While multifactor authentication enhances the security of usernames and passwords, its level of protection can vary depending on the chosen method.
All Rights Reserved, Copyright 2000 – 2023, TechTarget
