Multi-Factor Authentication (MFA) is a widely discussed and rapidly implemented technology in Identity and Access Management (IAM) and cybersecurity today. To help foster more understanding around MFA, here are a few basics we would like to cover on the topic.
Multi-Factor Authentication is the process of verifying a user’s identity based on two or more independent factors to provide secure access to an application or account. The user is granted access after validating this information.
MFA is an integral element of Identity and Access Management (IAM). Instead of relying solely on user credentials (usernames and passwords) for authentication, MFA requires two or more verification factors, which provides an additional layer of security for organizations and helps decrease the risk of a cyberattack.
Some examples of the additional verification factors used in MFA include one-time passwords (OTPs), biometrics like thumbprints, PKI certificates, and more.
Traditionally, user authentication has been performed using usernames and passwords. Unfortunately, passwords are highly susceptible to theft and cyberattacks, mainly due to poor password hygiene. Relying solely on vulnerable passwords for authentication dramatically increases the attack surface and puts enterprise security at risk of a data breach.
This is where MFA plays a critical role. By requiring users to identify themselves with more than just their usernames and passwords, MFA ensures users are indeed who they claim they are – genuine and legitimate.
Enforcing MFA is especially critical to secure multi-cloud and hybrid-cloud environments. When it comes to cloud applications, users access them from anywhere and anytime. MFA provides a reliable and safe way to authenticate these remote users and ensure secure cloud application access.
Let’s say you try to log in to your bank account with your username and password. You are then prompted to enter a unique code (a 4-8 digit number) that is sent to your smartphone (in other words, to your registered phone number) via a text message. Only after you enter this code will you be granted access to your bank account. That’s MFA in action.
The key advantage of MFA is that even if a bad actor tries to log in to your bank account using your username and password, they will still be unsuccessful: they would also need the unique numerical code for the additional verification, and unless they have your smartphone they can't obtain it, so they are denied access to your bank account.
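The bank flow above, as an added example that is not code from the original article: a server-side one-time-password service that issues a random numeric code, stores only its hash, and rejects expired, reused, or repeatedly guessed codes. The six-digit length, five-minute lifetime and three-attempt limit are assumptions, and delivery over SMS is outside the snippet (issue() returns the code so the flow can be run offline).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

OTP_DIGITS = 6          # the article allows 4-8 digits; six is assumed here
OTP_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumption: three wrong guesses invalidate the code


@dataclass
class _PendingOtp:
    digest: bytes            # only a hash of the code is stored server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class OtpService:
    """Issues and verifies single-use, time-limited numeric codes per user."""

    def __init__(self) -> None:
        self._pending: dict[str, _PendingOtp] = {}

    @staticmethod
    def _digest(user: str, code: str) -> bytes:
        # Bind the hash to the user so a code for one account is useless for another.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user: str, now: float) -> str:
        # secrets, not random: the code must be unpredictable to an attacker.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = _PendingOtp(self._digest(user, code), now + OTP_TTL_SECONDS)
        return code  # in production this goes to the SMS gateway, not back to the caller

    def verify(self, user: str, code: str, now: float) -> bool:
        entry = self._pending.get(user)
        if entry is None or now > entry.expires_at:
            self._pending.pop(user, None)      # expired codes are discarded
            return False
        entry.attempts_left -= 1
        # compare_digest avoids leaking the code through timing differences
        ok = hmac.compare_digest(entry.digest, self._digest(user, code))
        if ok or entry.attempts_left <= 0:
            del self._pending[user]            # single use, or too many guesses
        return ok
```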
MFA essentially involves using more than one piece of information or evidence for verifying users. These pieces of information are grouped into three categories, out of which at least two must be independently used to confirm the user’s identity.
The simple reason behind using multiple pieces of information is that even if threat actors can impersonate a user with one piece of information, such as their password, they likely won’t have the other pieces needed to authenticate.
A recommended practice for multi-factor authentication is to use factors from at least two different categories. Using two from the same category negates the very purpose of MFA. Although passwords and security questions are a popular MFA combination, both factors belong to the knowledge category and don’t meet MFA requirements. On the other hand, a password and an OTP are considered MFA best practice as the OTP belongs to the possession category.
2FA is a subset of MFA that restricts authentication to only two factors, such as a password and OTP, while MFA can be two or more factors.
Single Sign-on (SSO) is a technology that allows users to access multiple applications using a single set of credentials. By integrating applications and unifying login credentials, SSO removes the need for users to re-enter their passwords every time they switch from one application to another. The primary objective of SSO is to create a seamless login experience for users by eliminating the hassle of multiple logins.
A popular example of SSO is Google's application services. With a single set of credentials, users can access their email, calendar, storage drive, documents, photos, and videos, as well as other third-party applications that accept Google for SSO.
MFA, on the other hand, mitigates the security risks of relying on passwords by providing additional means of verifying a user, and therefore adds an extra layer of protection for corporate access. The objective of MFA is to authenticate users in more than one way to ensure secure access.
While SSO focuses on improving user experience, MFA focuses on improving security. Used together, the two technologies provide convenient and secure application access for users. SSO is primarily used for cloud applications, whereas MFA is applied to a wider variety of applications, VPNs, web servers, and devices.
Adaptive authentication, also known as risk-based authentication, is another subset of MFA. It is a process of authenticating users based on the level of risk posed by a login attempt. The risk level is determined after analyzing a combination of contextual and behavioral factors, such as user location, role, device type, login time, etc.
Based on the risk level, the user is either allowed to log in or prompted for additional authentication. Both the contextual and behavioral factors are continuously assessed throughout the session to maintain trust.
For example, when an employee tries to log in to a corporate web application over an airport WiFi network, late at night, on their personal mobile phone, they may be prompted to enter a code sent to their email in addition to their login credentials. But when the same employee logs in from the office premises every morning, they are provided access to the application with just their username and password.
In the above two scenarios, logging in from the airport is treated as high risk requiring additional verification, and logging in from the office premises is treated as low risk and hence requires only SSO.
While traditional MFA requires all users to enter additional verification factors, such as a name, password, and a code or answers to security questions, adaptive authentication requests less information from recognized users with consistent behavioral patterns and instead assesses the risk a user presents whenever they request access. Only when there is a higher risk level are users presented with other MFA options. Adaptive authentication is more dynamic in nature, where security policies vary according to context and user behavior. Therefore, it creates a more friction-free experience for users.
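The two scenarios above (airport WiFi late at night on a personal phone versus the office every morning) turned into a small risk-scoring policy, as an added example that is not from the original article. The signal names, weights and threshold are illustrative assumptions a real deployment would tune against its own login data, and the decision is limited to the two outcomes the text describes: allow with credentials only, or step up to an additional factor.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    user: str
    hour: int                 # local hour of the attempt, 0-23
    network: str              # "corporate", "home" or "public"
    device_known: bool        # device previously enrolled for this user
    managed_device: bool      # corporate-managed vs personal device
    country: str              # ISO country code of the source location


@dataclass(frozen=True)
class UserProfile:
    usual_countries: frozenset[str]
    usual_hours: range        # hours in which this user normally logs in
    privileged: bool          # e.g. an admin role gets a stricter threshold


STEP_UP_THRESHOLD = 40        # assumption: scores at or above this need a second factor


def risk_score(ctx: LoginContext, profile: UserProfile) -> int:
    """Sum weighted contextual and behavioural signals into a 0-100 score."""
    score = 0
    if ctx.network == "public":
        score += 30           # untrusted network (the article's airport WiFi)
    elif ctx.network == "home":
        score += 10
    if not ctx.device_known:
        score += 25           # never-seen device is a strong anomaly
    if not ctx.managed_device:
        score += 15           # personal phone: no endpoint controls
    if ctx.hour not in profile.usual_hours:
        score += 15           # late-night login for a daytime user
    if ctx.country not in profile.usual_countries:
        score += 30           # new geography
    return min(score, 100)


def decide(ctx: LoginContext, profile: UserProfile) -> str:
    """Return 'allow' (credentials only) or 'step_up' (prompt an extra factor)."""
    threshold = STEP_UP_THRESHOLD // 2 if profile.privileged else STEP_UP_THRESHOLD
    return "step_up" if risk_score(ctx, profile) >= threshold else "allow"
```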