What Is Multi-Factor Authentication (MFA)?
MFA stands for multi-factor authentication, an identity verification method. MFA adds an extra layer of security on top of credentials like usernames and passwords. By doing so, it provides greater certainty that a user is who they claim to be before granting them access to an application, online account, or corporate network.
MFA is a critical component of identity and access management (IAM). It helps minimize risks such as account takeover attacks, compromised personal data, and subsequent credential stuffing attacks. In this post, we’ll describe how modern MFA does this, discuss the various types of multi-factor authentication that are available, and look at what’s next for MFA technology.
How does multi-factor authentication work?
Multi-factor authentication verifies identities by asking users to provide different types of information or “factors” to gain access to an account or application. Factors typically fall into three categories—knowledge (something you know), possession (something you have), and inherence (something you are). Since factors offer varying levels of security, you can use an adaptive MFA solution to set policies that determine what context to deploy each factor in.
Let’s use the hybrid workforce (in person and remote workers) to showcase how this works. When employees log in to apps while at the office, they may receive a push notification on their mobile device that asks them to approve or deny the access request.
When users log in from different locations, however, they may need to provide a different, more secure factor such as a fingerprint scan. In some instances, inherence factors may also be used to confirm the identities of users with higher access privileges (e.g., senior executives) to ensure an organization’s most sensitive data is protected.
Types of multi-factor authentication
Here are a few examples of each MFA factor type and a brief overview of their effectiveness:
- Knowledge-based factors include PINs, passwords, or the answers to security questions. Since this information is easy to lose or guess, and often stolen by hackers through phishing and social engineering attacks, they offer the lowest level of assurance.
- Possession-based factors include key fobs, mobile phones, and credit cards, among other physical tokens. Since these objects store or receive login credentials, they are more secure than knowledge-based factors. For example, SMS authentication sends an MFA code or one-time password (OTP) to a user’s mobile device. However, because devices can also be lost or stolen, and are vulnerable to threats like man-in-the-middle attacks, they only offer medium assurance.
- Inherence (or biometric) factors offer the highest level of assurance because they’re unique to each user: think fingerprints, facial features, voice characteristics, and behaviors. Users don’t have to remember or store these factors, which makes it the most secure option for multi-factor authentication.
Single-factor authentication vs. two-factor authentication vs. multi-factor authentication
With a modern MFA solution, organizations can choose to request any number of factors from their users, meaning they can deploy one-factor (or single-factor) authentication, two-factor authentication (2FA), or other types of multi-factor authentication.
These various MFA options demonstrate how authentication has been steadily evolving for several years. Single-factor authentication, for example, used to be the standard. But when relying on usernames and passwords alone proved too risky, 2FA was introduced.
Since then, authentication has continued to progress, and organizations now have the option to compare 2FA vs. MFA. This progression is why we have so many factors—and additional methods of identity verification—to choose from today.
Let’s take a quick look at the different ways identities can be verified online.
Multi-factor authentication methods
Each of the below methods make multi-factor authentication even stronger, adding a greater layer of security to networks, systems, and applications.
- Location-based authentication uses a device’s internet protocol (IP) address and geo-location to allow or block access to an application or system. This location information can be assessed as part of the MFA process (i.e., in addition to entering a PIN or OTP) to confirm a user’s identity.
- Risk-based authentication, also known as adaptive authentication or adaptive MFA, determines which authentication factors to request based on contextual information, such as a user’s location, device, and network. This approach is ideal for balancing security requirements with a seamless user experience.
- Passwordless authentication takes things a step further. The vast majority of security breaches are caused by credentials issues, such as using weak passwords or recycling login information across accounts. Passwordless authentication removes this risk by pairing high assurance factors such as FIDO2.0/WebAuthn with login contexts such as location, risk, behavior, and device posture.
Why use multi-factor authentication?
Multi-factor authentication benefits both organizations and end users because it makes it more difficult for hackers to steal data. Even if bad actors manage to steal login credentials, MFA can stop them from gaining unauthorized access to accounts.
Benefits of multi-factor authentication for organizations
- Organizations can keep confidential data secure by requiring their users to protect their accounts with MFA. For example, hackers that manage to steal a user’s login credentials using social engineering tactics could compromise corporate resources. But enforcing stricter verification methods, such as multi-factor authentication, offers increased confidence that attackers can’t gain access to sensitive information.
- MFA also helps organizations meet increasingly stringent data privacy regulations, such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the National Institute of Standards and Technology (NIST). In addition, when combined with other security layers like single sign-on (SSO) and API access management, MFA sets organizations up to adopt a Zero Trust security model.
Benefits of multi-factor authentication for individuals
When used effectively, MFA makes things easier for IT and security teams, employees, and customers.
- MFA not only secures a business’ entire network regardless of when and where people are accessing corporate systems, but it also makes the authentication process seamless for users (without adding to the security team’s plate). For example, MFA minimizes the instances of locked accounts and cumbersome password resets. This means fewer frustrated users who are unable to access their accounts, along with fewer helpdesk tickets and overwhelmed IT teams.
- As workforces become increasingly remote, and customers expect seamless digital experiences, it’s important to introduce advanced multi-factor authentication solutions that can handle more complex access requests. Adaptive MFA, for example, evaluates the risk of each login request and requires users to provide the most appropriate authentication factor given the situation. This ensures that in “safe” contexts, users can log in seamlessly without adding any friction to their user experience.
What’s next for multi-factor authentication?
With the future of multi-factor authentication, we're expecting MFA methods to constantly evolve. The goal is to make identity verification easier for users and more secure for organizations. That’s why biometric factors and passwordless practices are becoming more prevalent, in addition to the following advances:
- AI and machine learning: Organizations can recognize access requests and behaviors that are considered “normal” by using AI and machine learning. This verification ensures no further authentication factors are required unless anomalous behavior is recognized.
- The Fast Identity Online (FIDO) Alliance: The FIDO Alliance was established as an industry consortium that develops free and open authentication standards. Most recently, the FIDO 2.0 standard introduced the capability for online services and web browsers to implement passwordless MFA options. The alliance aims to make passwordless MFA methods available to everyone and reduce reliance on passwords and knowledge-based authentication factors. This is a step forward for authentication as it replaces user credentials with fast, secure access experiences on apps and websites.
What to look for in an MFA provider
There are many things to consider when it comes to choosing an MFA solution. Most importantly, it needs to meet the current requirements of your organization and users, and enable your business to grow in the future.
The best MFA providers can help you meet security requirements while delivering a frictionless, enjoyable experience to internal and external users. At the same time, an MFA solution should be easy to incorporate into various projects launched by the teams across your organization. Ultimately, it should help them prioritize speed-to-market and minimize the burden on developers.
Cloud-based MFA solutions are often preferred over legacy MFA solutions because they offer the following benefits:
Create a simple and flexible experience for end users
Make it easy for admins to deploy multiple factor types
Provide seamless access to employees, partners, contractors, and customers
Can be implemented across various resources (not just critical apps)
Check out the following resources to learn more about MFA and discover how Okta can help you deploy the solution at your organization: