
With stolen or compromised credentials accounting for 80% of data breaches in 2024, stopping credentials-based attacks is critical to guarding access to an organization’s data, applications, and other resources. The key to repelling these types of attacks is multi-factor authentication (MFA), which requires multiple factors of verification to gain access to secure resources.

As the name implies, MFA requires authentication using two or more factors from different categories: something you know (like a password, PIN, or answer to a security question), something you have (such as a physical or virtual authenticator), and/or something you are (a biometric characteristic unique to you). Two-factor authentication (2FA) is a subset of MFA that requires exactly two factors from different categories. If additional factors are added beyond two, it remains MFA.

While 2FA is more secure than having just a single factor of authentication, MFA methods make the authentication environment even more secure—especially when it comes to stopping increasingly sophisticated phishing campaigns and other types of attacks.

The three types of MFA factors

Something you know

Passwords, PINs, security questions: these knowledge-based factors have all been around for as long as secure resources have needed protection. Although they involve information that only a legitimate user should know, it’s often the case that a bad actor has found a path to that information, too—whether by phishing, brute-force attacks, data leaks, or simply taking advantage of poor password hygiene (such as a user employing the same credentials over and over again for everything).

It’s hard to fault users for writing down or re-using credentials, even though doing so gives attackers something to exploit. With as many business-related passwords as they need to keep track of—now averaging 87, according to one study—managing them securely is almost impossible without help of some kind. And that makes humans the weakest link when it comes to cybersecurity.

Given the inherent weaknesses associated with relying on passwords, more organizations are prioritizing passwordless authentication, often using passkeys that rely on biometrics and other non-password mechanisms for authentication. Organizations are also implementing dynamic security questions tied to real-time context.

To the extent that passwords continue to be used today, they are now almost always—particularly in security-sensitive industries—coupled with additional authentication factors. For example, logging into a banking app today is likely to require a user to sign in with a password and also use a biometric mechanism like facial recognition, particularly if unusual activity has been detected.

Something you have

The “something you have” factors, formally known as possession factors, require a user to possess a physical or virtual object that can be used for authentication. Examples include:

  • Hardware authenticators that generate one-time passwords (OTPs), especially in high-security environments where mobile devices are not available
  • Security keys that are based on the U2F standard and that also support NFC wireless technology, so they can be used in either USB or wireless environments
  • Smart cards with authentication credentials stored on them for secure access to resources
  • Phishing-resistant FIDO passkeys that enable users to sign in with device biometrics or a PIN instead of using a password
  • Device-bound passkeys associated with specific devices (in the interest of maximizing security, these cannot be synced across multiple devices)

Something you are

Whenever you unlock your smartphone using facial recognition, or gain access to a secure app by scanning your fingerprint, you’re using an inherence-based factor, i.e., “something you are.” It’s hard to imagine a better defense, given that this form of authentication relies entirely on your own unique biometric characteristics, which are nearly impossible—or at least extremely difficult—to reproduce. Fingerprint or facial recognition, retinal or iris scans, voice pattern detection, even behavioral biometrics like typing speed—they’re all ways of proving that you’re really you.

While inherence-based factors can raise some privacy concerns, especially with regard to how (and how securely) the biometric data is stored, it’s hard to deny the power and value of security that’s based on what you are instead of what you know or have (and can therefore forget or lose). It’s also an area that invites innovation, including emerging trends like continuous authentication based on environmental factors (a key pillar of Zero Trust), as well as behavioral biometrics that focus on keystroke dynamics and mouse movement patterns.

Key MFA methods and examples

Push to approve

  • Definition: On-device notification asking the user to tap to approve an access request
  • Benefit: Quick, convenient way to provide an additional factor for real-time authentication
  • Scenario: Access to secure mobile applications

One-time passcode (OTP)

  • Definition: Automatically generated code that authenticates a user for one login session
  • Benefit: Authentication mechanism that can only be used once, increasing security
  • Scenario: Online banking or other security-sensitive transactions

Biometrics

  • Definition: Use of a device or application that recognizes a fingerprint or other biometric
  • Benefit: Convenient authentication that’s extremely difficult to spoof or imitate
  • Scenario: Secure access to a device or application

Device-bound passkey

  • Definition: Authentication method based on a biometric or other non-password mechanism
  • Benefit: Lower security risk than synced passkeys that are used across multiple devices
  • Scenario: Enterprise-level applications

Hardware authenticator

  • Definition: A token in the form of a small, portable, OTP-generating authenticator
  • Benefit: Physical possession as an added layer of security
  • Scenario: Secure environments where mobile devices are not an option for authentication

Software authenticator

  • Definition: A token that exists as a software app on a smartphone or other device
  • Benefit: Portable and easy to deploy
  • Scenario: Wherever company-issued or personal devices can be used for authentication

Choosing the right MFA methods

There are several factors to consider as you think about which MFA methods will work best for your organization, including the risk level and sensitivity of data; user convenience and accessibility; and cost and implementation requirements. The following are specific questions to consider with these factors in mind.

Critical questions and recommendations to consider

  • Do you need multiple MFA methods to address the needs of multiple environments—onsite, remote, or a combination of both? Using multiple MFA methods chosen strategically and delivered by one provider will help control costs and streamline implementation.
  • Do you have a remote workforce using unmanaged personal devices to authenticate to secure resources? Be sure one of the MFA methods available to you is designed specifically to detect and manage threats on BYOD devices.
  • Are you operating primarily in a high-security environment (like a clean room) where mobile phones are not permitted? MFA methods that include hardware token authentication using tokens that can be managed in the cloud will make it possible to meet the need for both secure authentication and ease of management.
  • What are your plans for business continuity, specifically around maintaining strong authentication and access, during an outage? Consider a hybrid environment that can failover to on-premises MFA methods when necessary.
  • Are you required to comply with specific regulations or directives prescribing phishing resistance or other specific qualities in your MFA methods? Do your due diligence to ensure that the MFA methods you choose are designed specifically to meet regulatory and other requirements.

Explore your options for MFA methods

It’s impossible to overstate the importance of MFA methods in modern cybersecurity, especially given the diversity and complexity of authentication environments and threat environments today. Multiple MFA methods make it possible to take a layered approach to authentication, in which the use of more than one method creates multiple layers of security, making it harder for unauthorized users to gain access. Having multiple methods available can also improve the user experience, by providing a broad range of choices to tailor authentication to different users’ needs and circumstances. Contact RSA to start exploring the range of comprehensive MFA solutions available to you today.
