2FA vs. MFA: An Explanation
Lani Leuthvilay, HYPR
6 Min. Read | January 6, 2022
User authentication and its security remain one of the most critical defenses against cyberattacks. Once an attacker breaks an authentication check, they get complete access to an account and the data and functionality that come with it.
The known weakness of passwords as an authentication method prompted the evolution to two-factor authentication (2FA) and multi-factor authentication (MFA) approaches. MFA and 2FA are often used interchangeably but differ considerably, especially when you add newer passwordless MFA approaches to the discussion. Understanding the distinctions between 2FA vs. MFA and Passwordless MFA is essential to decide which one is right for your organization.
Terminology Relating to 2FA vs. MFA (and Passwordless MFA)
To understand 2FA vs MFA — and where passwordless MFA fits into that — it helps to understand some key terms:
- Factors of authentication: There are three forms of authentication that can be used to prove user identity:
- knowledge (something the user knows, e.g., a password, PIN or security question)
- possession (something they have, e.g., a device or hardware token, or control of the phone number or email inbox that a one-time code is sent to)
- inherence (something they are, e.g., a fingerprint or other biometric marker)
- 2FA: Two-factor authentication, or simply 2FA, means a user must provide two authentication factors to verify identity. In practice, 2FA generally means a password plus one other form of authentication, such as a security question or one-time password (OTP) sent by SMS or email.
- MFA: Multi-factor authentication uses a combination of two or more independent authentication factors. They must be from different authentication categories so, for example, a password plus a PIN does not meet the definition while an OTP token plus facial recognition does.
- Passwordless MFA: The definition of MFA allows one of the authentication factors to be a password. In broad terms, passwordless authentication does not use any type of knowledge-based factor. Passwordless MFA takes this a step further and uses two or more independent, non-knowledge factors. In addition, passwordless MFA generally relies on asymmetric (public-key) cryptography in its backend authentication mechanism: the user's device holds a private key that never leaves it and signs a fresh challenge from the server, while the server stores only the matching public key, so a breach of the server's credential store yields nothing an attacker can log in with.
Differentiators Between 2FA vs. MFA
People frequently confuse 2FA vs. MFA. While 2FA and MFA share the common principle of using more than one factor to prove identity, there are key differences.
The premise of 2FA is that you are adding a factor to the standard username plus password login flow — there are no set restrictions on the nature of that second factor. It might be something easily compromised, like a security question, or a more secure method, such as on-device biometrics. Often, however, 2FA as an approach prioritizes convenience, with SMS messages perhaps the most common second factor.
MFA, on the other hand, starts from the premise of multiple authentication factors, although in practice MFA also frequently uses only two. Unlike 2FA, however, MFA factors must be independent: a password plus a security question, both knowledge factors, does not constitute MFA. People often refer to 2FA as a subset of MFA, but this ignores the nuances; a better description is intersecting sets. As with 2FA, some multi-factor authentication methods are more secure than others.
Key Considerations for 2FA vs. MFA or Passwordless MFA
When choosing among multi-factor authentication, two-factor authentication, or passwordless MFA, you need to determine your organization’s risk factors, risk tolerance, any external security requirements and the priority you place on ease of use. Keep your organization’s specific needs in mind as you consider the differences between 2FA vs. MFA vs. Passwordless in the following key areas.
Reliance on Passwords
Passwords have been, and still are, one of the weakest links in any security system. The Verizon Data Breach Investigations Report found that 61% of all breaches exploited credential data, whether through brute force attacks, credential stuffing attacks or credentials leaked earlier and used later. A recent study found that over 15 billion stolen credentials are circulating on the dark web. In essence, any authentication that uses a password as one of its two factors gets little more than single-factor security: once the password is phished or stuffed, the attacker only has to defeat the remaining factor. As discussed, 2FA almost always uses a password as a factor and traditional MFA usually uses one. In their 2020 Market Guide to User Authentication, Gartner suggests that, “Most legacy ‘MFA’ tools are really only ‘+1FA’ tools, adding a single extra factor to a legacy password.”
By definition, Passwordless MFA should not use a password at any point in the authentication process. Be aware, however, that some solutions that label themselves passwordless still use a password on the backend.
Some identity verification methods are more secure than others. Knowledge-based factors, in general, can be phished, guessed or extracted through social engineering, man-in-the-middle proxies and similar attacks. OTP codes and links sent by email or SMS are better, but a moderately skilled attacker can still relay them in real time through a look-alike login page, or take over the phone number with a SIM swap, because nothing ties the code to the site the user is actually on. That is why industry experts and governing bodies increasingly call for phishing-resistant MFA that does not rely on these verifiers. Hardware security keys and PKI-based authenticator apps, which sign a server challenge bound to the genuine site's origin rather than typing a code into whatever page is in front of the user, offer the strongest authentication protection.
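The asymmetric challenge-response that the Terminology section attributes to passwordless MFA, and the origin binding that makes hardware keys and PKI-based apps phishing-resistant, look like this in code. This is an added example written for this page in Go using only the standard library's crypto/ed25519; it is not HYPR code and not an implementation of any FIDO/WebAuthn library. The relying-party names (bank.example, bank-login.example), the user "alice", the one-key-per-user storage, the NUL-separated "origin || challenge" message format and the Authenticator map type are simplifications assumed for the demo; real WebAuthn client data and credential IDs are richer than this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assertion is the device's answer to a challenge; Origin is what the browser (not the page) saw.
type Assertion struct {
	Origin               string
	Challenge, Signature []byte
}

// RelyingParty is the server: one registered public key and at most one pending challenge per user.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]ed25519.PublicKey
	pending    map[string][]byte
}

// Authenticator models a hardware key or passwordless app: one private key per relying-party ID.
type Authenticator map[string]ed25519.PrivateKey

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id, origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Register makes a key pair scoped to rp.ID for user; only the public half leaves the device.
func (a Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a[rp.ID] = priv
	rp.pubKeys[user] = pub
	return nil
}

// NewChallenge returns 32 fresh random bytes and remembers them for this user.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// signedData binds origin and challenge (NUL-separated) into the one message that is
// signed, so the signature is worthless on any other site or for any other attempt.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}

// Sign is the device's response. The browser, not the page, supplies rpID (derived from
// the real domain) and origin; on a look-alike domain the device holds no matching key.
func (a Authenticator) Sign(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return &Assertion{origin, challenge, ed25519.Sign(priv, signedData(origin, challenge))}, nil
}

// VerifyAssertion accepts only this user's pending challenge, signed for the RP's own
// origin by the user's registered key. The challenge is consumed on every attempt.
func (rp *RelyingParty) VerifyAssertion(user string, as *Assertion) error {
	want, ok := rp.pending[user]
	if !ok || string(want) != string(as.Challenge) {
		return fmt.Errorf("unknown or stale challenge for %q", user)
	}
	delete(rp.pending, user) // single use: a captured assertion cannot be replayed
	if as.Origin != rp.Origin {
		return fmt.Errorf("origin %q does not match %q", as.Origin, rp.Origin)
	}
	pub, ok := rp.pubKeys[user]
	if !ok || !ed25519.Verify(pub, signedData(as.Origin, as.Challenge), as.Signature) {
		return fmt.Errorf("no credential or bad signature for %q", user)
	}
	return nil
}

func main() {
	rp := NewRelyingParty("bank.example", "https://bank.example") // hypothetical demo names
	auth := Authenticator{}
	if err := auth.Register(rp, "alice"); err != nil {
		panic(err)
	}
	ch, _ := rp.NewChallenge("alice")
	as, _ := auth.Sign(rp.ID, rp.Origin, ch)
	fmt.Println("genuine login:", rp.VerifyAssertion("alice", as))
	fmt.Println("replay:", rp.VerifyAssertion("alice", as))
	ch, _ = rp.NewChallenge("alice")
	_, err := auth.Sign("bank-login.example", "https://bank-login.example", ch)
	fmt.Println("look-alike domain:", err)
}
```

Three properties fall out of the design. A genuine login verifies once, and presenting the same captured assertion again fails because the challenge was consumed. On a look-alike domain the browser derives a different relying-party ID, the device has no key for it and refuses to sign at all; even a device that signed anyway would produce an assertion whose Origin the server rejects before checking the signature. An SMS or email OTP has none of these properties: the server can check the digits, but it cannot tell whether they were typed into its own page or into the attacker's relay.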
Regulatory and Standards Compliance
National and international regulations and guidance, including the US Executive Order on Improving the Nation's Cybersecurity (EO 14028) and Strong Customer Authentication (SCA) under PSD2, have recognized the inherent flaws in 2FA and some forms of MFA and issued guidance on moving away from vulnerable practices. They are joined by private industry: cyber insurers now mandate MFA, and companies such as Microsoft have stated that OTPs and SMS should not be used for proving user identity. In practice this means that organizations tendering for public contracts, doing business in Europe or taking out cyber insurance increasingly must implement stronger MFA to bolster their access management security.
Moreover, some passwordless technologies are based on FIDO (Fast IDentity Online) standards. These open authentication protocols are designed to ensure user privacy and security, ease of use and interoperability.
User Experience
User experience is key to getting buy-in from staff and customers around security initiatives. The ability to quickly access systems and information affects everything from productivity to user satisfaction to customer abandonment. Generally, with conventional 2FA and MFA, the stronger the security method, the more intrusive and disruptive the user experience. More verifiers mean more steps, more time and more opportunities to have forgotten the password or PIN, or to be unable to find the security key or that emailed OTP code. HYPR’s passwordless MFA avoids this security-friction trade-off by combining multiple strong factors into a single, seamless, secure login flow.
Take it Further with True Passwordless MFA
In the 2FA vs. MFA debate, MFA based on secure verification factors wins hands down. But this presents a dilemma for many companies. Greater deployment complexity, user resistance and, depending on the method, additional hardware costs, deter many companies from going the MFA route. Moreover, if passwords are used at any point in the process, a potential entry point for attackers still exists.
Passwordless MFA, on the other hand, removes passwords altogether. HYPR’s True Passwordless solution has already been adopted as an MFA methodology by large and small enterprises alike. It delivers an easy-to-use, easy-to-integrate authentication system without the security flaws of 2FA or traditional MFA.
To find out how HYPR can integrate with your current systems, including SSO providers, and create a more secure and compliant authentication process for your organization, read more here or talk to our team.