What Is Multifactor Authentication (MFA)?
This zero-trust strategy goes beyond the humble password.
Multifactor authentication (MFA) is a “zero trust” method of always verifying the identity of every computer user on a network, rather than trusting that those logging in automatically have the right to be there. It requires users to provide two or more forms of identification—each of which is called a “factor.” In most multifactor authentication environments, a traditional password serves as one factor, while any number of additional elements, ranging from fingerprints to one-time codes, can serve as additional factors.
Multifactor authentication (MFA) is essential to smart cyber hygiene at any enterprise because using multiple login or authentication methods is less vulnerable to attack and abuse than using a single login like a traditional password. Millions of passwords have been compromised—and not just easy-to-guess ones like “123456”—so these practices have become essential for ensuring a base level of enterprise security. With MFA, even if a password is compromised or cracked, the attacker will not be able to break into the system because of the additional layers of security that lie in the way.
MFA evolved from two-factor authentication (2FA), which was designed to ask for a second authentication factor in addition to a password—commonly a PIN sent via text message. In recent years, even 2FA has been deemed insufficient for ensuring security because of hacker workarounds and sustained attacks that have bypassed these measures.
This article explores the factors currently in use for MFA, the advantages of MFA strategies, and some of the challenges involved with implementing MFA throughout the enterprise.
What are the various factors used in multifactor authentication?
Many elements can be used as factors in a multifactor authentication strategy. They fall into several basic categories:
- Things that you know. This is the most classic factor used in authentication and includes passwords of all types, which only the user is supposed to know. Knowledge factors also include PIN codes, uncommon personal information, such as your Social Security number or your mother’s maiden name, or any other piece of personal knowledge. Many financial and government systems ask about information drawn from your credit report—such as the monthly cost of your mortgage payment—to ensure you are who you claim to be.
- Things that you possess. These factors are based on some item in your possession. SMS-based authentication is the most common possession factor, as it requires users to have a phone in their possession to receive a one-time code that can be used to authenticate themselves. The other major type of factor in this category is the security token, a device that generates a one-time password every few minutes, which must be input as a secondary form of authentication. Behind the scenes, the authentication server runs the same code-generation algorithm with the same shared secret and verifies that the submitted one-time password matches. Tokens can also be software-generated, such as through a mobile app. (Duo Mobile is a well-known example.) Other types of physical tokens can be used to gain access, such as a USB token that users must insert in a computer, or a magnetic card users swipe to gain access. In some instances, a traditional metal key can also be a type of possession factor.
- Things that you are. This category of factors includes personal characteristics that can’t easily be changed. Biometrics are the primary type of factor in this category: Fingerprints and facial recognition scans are now commonly used by mobile phones in addition to or in lieu of passwords. Other types of biometrics, ranging from iris scans to voice analysis, can serve as a so-called “inherent” factor.
- Where you are. This final category is based on location and is usually associated with a GPS or another location service on a mobile phone or computer. Systems often use location factors as a fail-safe feature rather than a primary factor to authenticate a user. When you receive an alert that your computer or phone was used to access a system from a different city than normal—“Are you attempting to log in from Moscow?”—this is an example of a location factor in action.
What are the key principles of multifactor authentication?
Single login factors, namely passwords, are no longer sufficient to keep attackers out of an organization’s network. Obtaining and using a stolen password is generally considered the easiest and fastest way to break into a computer network, and some of the most common and successful attack techniques include using lists of known passwords in an attempt to brute-force a way into a network.
Password databases are commonly available online, such as published lists of the 500 worst passwords in use. While many systems now require “strong” passwords when a new account gets created, these measures are likely insufficient to stop a determined attacker—and they do nothing to protect accounts that might have been created in the past with weaker passwords.
With MFA, the addition of extra factors minimizes the problems associated with weak, reused, or compromised passwords and boosts the level of network security.
The first principle behind the selection of additional factors is the need for variety. Two different passwords would not be an effective multifactor authentication strategy because both passwords would be subject to the same risk of compromise. Instead, MFA is generally designed to ask for a different type of factor: a password (something you know), a one-time code generated by a token-generating device (something you have), a biometric factor (something you are), or location information (where you are).
Ultimately, no matter which factors people use in a multifactor authentication strategy, the goal is to add enough complexity to deter attackers from accessing your system while ensuring that users are not so inconvenienced or frustrated by the additional security requirements that they attempt to bypass them.
What are the benefits of multifactor authentication?
MFA offers myriad benefits to users, including the following:
- Greatly improved security levels. Passwords are increasingly under attack and represent an inherently insecure means of preventing unauthorized access to a network. In enterprises with thousands or tens of thousands of users, a single weak password can be catastrophic. MFA alleviates some of the pressure of having to constantly audit passwords for strength and check them against published password lists.
- A wide variety of available factors. MFA is a flexible technology that allows security professionals to determine which combination of factors is appropriate for their specific situation. One business may have a compelling use case for fingerprints as a second factor, while another may issue token devices to all users. This flexibility allows MFA to adapt to the needs of the organization.
- Usability among employees, customers, and partners. MFA does not need to be an “employee only” technology. Most multifactor authentication solutions can be rolled out enterprise-wide, so employees, customers, and partner organizations are all subject to the same authentication requirements. This streamlines security management while improving security across the board.
- Existing familiarity with MFA. In its early days, multifactor authentication created a significant amount of friction between organizations and customers, who would often balk at MFA requirements. Now users largely seem to understand the need for MFA and are much more willing to engage with its requirements without complaint.
- Adherence to requirements and regulations. Single-factor authentication (such as a standard password) features virtually no safeguards once a password is compromised. With access to the password, an attacker has carte blanche access to the affected user’s account until the password is changed. The attacker can even change the password, making it possible to inflict even more damage for a longer period of time.
Why is multifactor authentication safer than standard authentication methods?
Single-factor authentication is even more problematic because many users reuse passwords across multiple sites. Many attacks (particularly identity theft attacks) are especially damaging because once attackers steal a password for one service, they will attempt to reuse it on other services. In this way, an attacker can crack a web-based email account, then use that same password to access a bank account, an online shopping account, work credentials, and so on. A cascading series of accounts fall prey to the attacker, compounding the damage and creating a complex cleanup problem.
Multifactor authentication alleviates this risk in many ways. If a password is successfully compromised, the attacker will still need a way to bypass the second factor. Because the second factor is based on a completely different type of information—such as a fingerprint or a code sent via text message—the password ultimately does the attacker no good. Attackers will typically be given a limited number of tries and a small window of time to guess a PIN code, which virtually ensures they will be unable to bypass the additional layer of security. Adding a third factor to the mix further increases the difficulty for an attacker.
But let’s presume that attackers have a means of bypassing a second layer of authentication. Perhaps they stealthily eavesdropped on a user’s phone to view a text message with a one-time PIN code, which the attacker uses to access the user’s account. One of the less frequently discussed benefits of MFA is that even when attackers are successful once, subsequent attacks will be just as difficult as the original attack. In other words, the attacker will need both the password and the additional factors in hand in order to continue to access the account. In this way, a stolen factor is of limited value the next time around.
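The token-based possession factor described under “Things that you possess”, together with the limited number of tries and small time window described above, can be made concrete in code. The following is an added example, not code from the original article or from any vendor named in it: a time-based one-time password (TOTP, RFC 6238) generator as a token or authenticator app would run it, and a server-side verifier that accepts one step of clock drift, rejects a code that has already been used, and locks the factor after a fixed number of failures. The secret is the RFC 6238 test secret, and the constants (30-second step, six digits, five attempts) are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed policy constants for the example (not taken from the article).
STEP = 30          # seconds each code is valid for
DIGITS = 6
WINDOW = 1         # accept one time step of clock drift on either side
MAX_ATTEMPTS = 5   # lock the second factor after this many failures

# RFC 6238 test secret "12345678901234567890", base32-encoded as an
# authenticator app would receive it during enrolment.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """What the token generates: HMAC-SHA1 over the time-step counter, truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class SecondFactor:
    """What the server does: same algorithm, constant-time compare, drift window,
    one use per code, and an attempt counter that locks the factor."""
    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.failures = 0
        self.last_used_step = -1   # highest time step already consumed

    def verify(self, submitted, now=None):
        if self.failures >= MAX_ATTEMPTS:
            return False           # locked: needs an out-of-band reset, not more guesses
        now = int(time.time()) if now is None else now
        for drift in range(-WINDOW, WINDOW + 1):
            t = now + drift * STEP
            step = t // STEP
            if step <= self.last_used_step:
                continue           # a code that was already accepted cannot be replayed
            if hmac.compare_digest(totp(self.secret, t), submitted):
                self.failures = 0
                self.last_used_step = step
                return True
        self.failures += 1
        return False
```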
Why is multifactor authentication easier than standard authentication?
While MFA is inherently a more secure authentication system, it offers additional benefits to the enterprise that may be less obvious. For example, MFA allows for easier password resets and changes when users forget their login information. Rather than having to rely on questions such as “What is your mother’s maiden name?” and “What is the name of the street you grew up on?”—questions that are even less secure than passwords themselves—multifactor authentication methods allow users to rely on a trusted device or secondary login to update their access information. As a side benefit, MFA also reduces the cost of IT operations, particularly in larger organizations, which are frequently bogged down with manual password resets.
From a user standpoint, MFA is also easier to use than other password reset systems, such as security questions, many of which turn out to be quite forgettable. (When you set up your security answers a decade ago, did you say the house you grew up in was “brown” or “beige”?) MFA also has built-in ease-of-use features to ensure that additional factors aren’t needed every time a user logs in. For example, you’ve probably seen “remember this computer” options on websites that use MFA. These features allow users to bypass multifactor security on a periodic basis, such as requiring that additional factors be input only once a month. In this way, the user and the enterprise experience most of the enhanced security of multifactor authentication without the hassle of constantly having to check for text messages or tokens.
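The “remember this computer” feature described above can be implemented as a server-signed device token that lets the second factor be skipped for a bounded period. This is an added example, not code from the original article: the token is an HMAC-SHA256-signed claim set bound to the user and the device, the 30-day lifetime and the signing key are assumptions for the example, and any token that fails the signature, binding, or expiry check simply means the second factor is required again.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumed for the example: a server-side key (would be rotated in production)
# and a 30-day trust lifetime, matching "only once a month" in the text.
SERVER_KEY = b"constructed-example-key-not-for-real-use"
TRUST_TTL = 30 * 24 * 3600

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_device_token(user_id, device_id, issued_at):
    """Called after a successful full MFA login when the user ticks 'remember this computer'."""
    claims = {"u": user_id, "d": device_id, "iat": issued_at}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def second_factor_required(token, user_id, device_id, now):
    """True when the second factor must be asked for; False only for a valid, unexpired,
    correctly bound token. Every failure path falls back to requiring the factor."""
    if not token or "." not in token:
        return True
    try:
        p_b64, s_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        sig = base64.urlsafe_b64decode(s_b64)
    except (ValueError, binascii.Error):
        return True
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return True                       # tampered or forged token
    claims = json.loads(payload)
    if claims.get("u") != user_id or claims.get("d") != device_id:
        return True                       # token copied from another user or device
    if now - claims.get("iat", 0) > TRUST_TTL:
        return True                       # trust period has lapsed
    return False
```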
What is the difference between two-factor authentication and multifactor authentication?
Two-factor authentication predates multifactor authentication. It was the first step toward MFA, and, as the name suggests, it required a second step (and only a second step) to authenticate users in addition to their password. Most 2FA systems were designed to work with one-time passwords delivered via SMS.
Multifactor authentication can—and often does—only require a second factor, but by definition can work with more. (In other words, all 2FA systems are also MFA systems, but the reverse is not true.) Because MFA allows for more robust and varied authentication factors, it provides more versatility, and better security, to the enterprise.
What are the challenges associated with multifactor authentication?
Multifactor authentication comes with its share of issues, however. Some of the obstacles that organizations commonly face when implementing MFA include the following:
- Multifactor authentication is complex. By definition, MFA involves managing more than one form of user identification, which introduces technical challenges, a need for new software and hardware, and changes to work practices. Organizations must hire people to install and manage the system and to train users. All of these issues are critical to get right from the start, as a poorly functioning MFA system can end up less secure than single-factor authentication.
- Users may resist MFA. Users who have spent years logging in to systems using only a password are very likely to resist. They may even resent having to learn new methods of authentication. Building user awareness and support is a big part of an MFA rollout. Organizations that ensure successful MFA adoption explain to users why passwords are inherently insecure and why MFA is important for security.
- MFA isn’t foolproof. What happens when users lose their phone or hardware token? Will they report the loss to IT in a timely fashion, or will it go unreported for days or weeks? As with a mismanaged MFA installation, lost factor-generating devices can be problematic for the enterprise, requiring their own set of safeguards.
- MFA implementation is expensive. Implementing multifactor authentication means contracting with a security vendor, with significant up-front and ongoing costs. It is the job of most CIOs or CISOs to convince accounting and finance that the business stands to lose far more from cyberattacks than it will spend on an MFA solution to head them off. That said, as with any security initiative, the costs can be tough for budget-minded executives to stomach.
- No single security system is sufficient. Even with MFA, users are still susceptible to attacks like phishing, malware, and other exploits that can separate them from their tokens the same way their passwords can be stolen. Tenacious attackers engage victims on the phone or through a chat window and use other social engineering tactics to persuade them to provide personal information. That’s why MFA requires diligence to ensure it’s used correctly and that employees understand the essentials of good cyber hygiene.