The Language of Cybersecurity

What is multi-factor authentication (MFA) and how does it work?

As the name suggests, multi-factor authentication (MFA) is the use of multiple factors to confirm the identity of someone who is requesting access to an application, website or other resource. Multi-factor authentication is the difference between, for example, entering a password to gain access and entering a password plus a one-time password (OTP), or a password plus the answer to a security question.

By requiring people to confirm identity in more than one way, multi-factor authentication provides greater assurance that they really are who they claim to be—which reduces the risk of unauthorized access to sensitive data. After all, it’s one thing to enter a stolen password to gain access; it’s quite another to enter a stolen password and then also be required to enter an OTP that was texted to the legitimate user’s smartphone.

Any combination of two or more factors qualifies as multi-factor authentication. The use of only two factors may also be referred to as two-factor authentication.

Multi-Factor Authentication: How It Works

Multi-factor authentication

The three categories of multi-factor authentication methods

A multi-factor authentication method is typically categorized in one of three ways:

  1. Something you know—PIN, password or answer to a security question
  2. Something you have—OTP, token, trusted device, smart card or badge
  3. Something you are—face, fingerprint, retinal scan or other biometric

Examples of multi-factor authentication methods

Any of the following methods can be used in addition to a password to achieve multi-factor authentication.

Biometrics—a form of authentication that relies on a device or application recognizing a biometric, such as a person’s fingerprint, facial features or the retina or iris of the eye

Push to approve—a notification on someone’s device that asks the user to approve a request for access by tapping their device screen

One-time password (OTP)—an automatically generated set of characters that authenticates a user for one login session or transaction only

SMS text—a means of delivering an OTP to a user’s smartphone or other device

Hardware token or hard token—a small, portable OTP-generating device, sometimes referred to as a key fob

Software token or soft token—a token that exists as a software app on a smartphone or other device rather than as a physical token

The benefits of multi-factor authentication

  • Improving security: Multi-factor authentication improves security. After all, when there’s just one mechanism guarding a point of access, such as a password, the only thing a bad actor has to do to gain entry is find a way to guess or steal that password. But if entry also requires a second (or even a second and a third) factor of authentication, that makes it that much more difficult to get in, especially if the requirement is for something harder to guess or steal, like a biometric feature.
  • Enabling digital initiatives: With more organizations eager to deploy a remote workforce today, more consumers opting to shop online instead of in stores, and more organizations moving apps and other resources to the cloud, multi-factor authentication is a powerful enabler. Securing organizational and e-commerce resources is challenging in the digital era, and multi-factor authentication can be invaluable for helping to keep online interactions and transactions secure.
Are there drawbacks to multi-factor authentication?

In the process of creating a more secure access environment, it’s possible to create a less convenient one—and that can be a drawback. (This is especially true as zero trust, which treats everything as a potential threat, including the network and any applications or services running on the network, continues to gain traction as a foundation for secure access.) No employee wants to spend extra time every day dealing with multiple obstacles to logging on and accessing resources, and no consumer in a hurry to get some shopping or banking done wants to be waylaid by multiple authentication requirements. The key is to balance security and convenience so that access is secure, but the requirements for access are not so onerous as to create undue inconvenience for those who legitimately need it.

The role of risk-based authentication in multi-factor authentication

One way to strike a balance between achieving security and ensuring convenience is to step up or dial down authentication requirements based on what’s at stake—i.e., the risk associated with an access request. This is what’s meant by risk-based authentication. The risk can lie with what’s being accessed, who’s requesting access or both.

  • Risk posed by what’s being accessed: For example, if someone requests  digital access to a bank account, is it to initiate a funds transfer, or just to check the status of a transfer that’s already been initiated? Or if someone interacts with an online shopping website or app, is it to order something, or just to check the delivery status of an existing order?  A username and password may suffice for the latter, but multi-factor authentication makes sense when there’s a high-value asset at risk.
  • Risk posed by who’s requesting access: When a remote employee or contractor requests access to the corporate network from the same city day after day, using the same laptop every time, there’s little reason to suspect it’s not that person. But what happens when a request from Mary in Minneapolis suddenly comes from Moscow one morning? The potential risk (is it really her?) warrants a request for additional authentication.
The future of multi-factor authentication: AI, ML and more

Multi-factor authentication is continually evolving to provide access that’s both more secure for organizations and less inconvenient for users. Biometrics is a great example of this idea. It’s both more secure, because it’s tough to steal a fingerprint or face, and more convenient, because the user doesn’t have to remember anything (like a password) or make any other major effort. The following are some of the advances shaping multi-factor authentication today.

  • Artificial intelligence (AI) and machine learning (ML)—AI and ML can be used to recognize behaviors that indicate whether a given access request is “normal” and therefore does not require additional authentication (or, conversely, to recognize anomalous behavior that does warrant it).
  • Fast Identity Online (FIDO)—FIDO authentication is based on a set of free and open standards from the FIDO Alliance. It enables password logins to be replaced with secure and fast login experiences across websites and apps.
  • Passwordless authentication—Rather than using a password as the main method of verifying identity and supplementing it with other non-password methods, passwordless authentication eliminates passwords as a form of authentication.

Be assured that multi-factor authentication will continue to change and improve in the quest for ways people can prove they are who they say they are—reliably and without jumping through hoops.

Related resources