Two-Factor Authentication vs. Multi-Factor Authentication: What Are the Risks?
Being authentic is a high term of praise—if we think people are authentic, we believe them to be trustworthy, loyal, and dependable. There's a similar concept in computer security. Business networks are crucial to protect, so firms want only authorized people accessing them.
In cybersecurity, authentication means verifying that a person or device is who they claim to be. It usually involves checking the identity claim against what's called a factor. This could be a password, a biometric identifier (a fingerprint, an iris scan), or the ability to control a trusted piece of equipment such as an electronic ID card or a cell phone.
There are several options available today: single factor, two-factor, multi-factor (this can go up to three-, four-, or five-factor), and adaptive multi-factor authentication. Each choice has benefits and risks—let’s explore them.
Authenticating identity claims against a single factor is the main way computer security has worked in the past. A user has a password and types it in. An analogy in the physical world might be a person using a key or code to unlock a safe.
The benefits: first, pretty much everyone is familiar with the method. Second, it's simple and straightforward: no password, no access.
However, there are plenty of disadvantages. IT teams become overwhelmed with teaching individuals to use strong passwords and are stuck having to reset passwords when users forget them. When people get passwords wrong, systems sometimes fall back on “security questions” such as “What's your mother's maiden name?”—information that's easy for research-savvy hackers to get ahold of. Many users reuse passwords across multiple websites. If just one of these sites is breached, a user's security on the other sites is now at risk. That could include business networks.
The bottom line: although single-factor authentication is simple and familiar, it’s too risky for today's companies to trust.
Many popular services—including Twitter, LinkedIn, and Steam (a gaming platform)—have implemented two-factor authentication, known as 2FA for short. It's the simplest type of multi-factor authentication.
With 2FA, users have to supply two distinct proofs of identity to gain access to the network. Usually, this includes a password and control over a trusted cell phone. For instance, with Twitter, users employing 2FA first enter their passwords and next, receive an SMS authentication message from Twitter with a six-digit code to input. Only after both factors are completed is the user authenticated.
In nearly every case, two-factor authentication is an improvement over single-factor. The compromise of one factor is no longer enough for an attacker to gain access. On the other hand, two-factor authentication might not be flexible enough for today's companies. What happens, for example, if an executive's cell phone is lost or stolen during a business trip? Or if a customer/user doesn’t use SMS?
The term multi-factor authentication (MFA) means there are more than two factors involved. This offers the most security. It's no longer about either flatly granting or denying access based on a factor or two; it's about granting a degree of access from a spectrum of possibilities, based on multiple data points and factors derived from the login attempt, such as third-party hardware tokens, biometrics, and SMS.
The downside of most MFA systems is that they can disrupt end users, who may need to re-authenticate throughout their workday or coordinate both hard and soft tokens to verify access. For every factor of authentication you add, you boost security, but at the cost of making your user experience worse. MFA systems can also be cumbersome for IT teams, who have to manage integrations with multiple applications or systems.
Adaptive Multi-Factor Authentication
The real innovation is when multi-factor authentication is adaptive. Adaptive authentication means the system is flexible depending on how much risk a user presents. Okta’s MFA service integrates with your company’s applications and resources to add a layer of authentication. Every time a user logs in using Okta Adaptive MFA, the system analyzes the request through backend analytics to determine how much access to grant.
For example, if an employee is working on the company premises and uses a badge to get through security to her office, Okta will recognize that she is in a trusted location, and that she has permissions to proceed. If that same employee is working from a coffee shop, the system may prompt her for an additional security factor when she goes to log in remotely, since she’s not in a trusted location. Or, it could present an additional MFA challenge if the user was working from a personal laptop instead of a company device.
Adaptive multi-factor authentication allows you to have a complete spectrum of access possibilities, and these possibilities are all based on context—they take different users and situations into account. As additional factors and user risk profiles change, so do their levels of access.
In a world where more companies operate in the cloud, and breaches and hacks have become commonplace, the need for more complex authentication is increasing. Okta's solutions make it simple to secure your environment by addressing common points of vulnerability. Learn more about the difference between in 2FA, MFA, and AMFA in this eGuide.