What is Multi-Factor Authentication?


Multi-factor authentication (MFA) is an authentication process that requires users to provide at least two independent factors to prove their identity, usually a password plus another factor.  There’s been much debate about the efficacy of MFA in today’s current attack landscape, but any informed conversation should start with the basics, namely what is multi-factor authentication and what problems does it attempt to solve?

What Is Multi-Factor Authentication?

Authentication is the process of verifying a user’s identity in order for them to gain access to a system or resource, such as a device, application or online account. In multi-factor authentication, users must present more than one authentication factor from independent categories. The standard factors of authentication are: 

  • Knowledge: This is something you know. The most common examples are passwords, PINs or secret questions. 
  • Possession: This is something you have. The most common examples are a software or hardware token, your cell phone or a security key.
  • Inherence: This is a biometric identifier that is unique to you. The most common examples are face or retina scans, fingerprints or voice recognition.

Although other identification factors have been suggested, particularly location, it has seen limited use thus far, and the above three factors remain the most common.

The factors must be verified through the authentication process. While most discussions on “what is multi-factor authentication” focus on the factors themselves, it’s critical to pay attention to the backend processes including credential storage, transmission and methods used by the authenticating server. 

Attacks on Authentication 

Stolen or compromised credentials play a central role in the majority of cyberattacks. Per Verizon’s authoritative Data Breach Investigation Report, 82% of data breaches exploit the human element, which often involves inducing people to hand over passwords or using lost or stolen credentials. This creates an entire ecosystem of cyberthreats that target authentication, mainly the concept of a username and password pair, including: 

  • Phishing: An attacker sends the victim an email asking them to log in to an account. The email seems legitimate, but the link brings them to a false login page, and all details entered are sent directly to the attacker.
  • Brute force: Armed with a victim’s username, the attacker tries multiple passwords in the hope of one being correct. Since it’s an automated attack, thousands of passwords can be tried in a short space of time.
  • Credential stuffing: Here, attackers take a username and password pairs harvested from other attacks and try them across many accounts. Considering that 65% of people reuse passwords, you can see how this can be successful.
  • Man-in-the-Middle (MitM) Attack: An attacker positions themself in a conversation between two parties — two users, or a user and an application or server — so they can intercept all  communications.
  • Malware: If attackers manage to install malware, such as keyloggers, on a victim’s computer, they can track and exfiltrate all credentials entered during logins.

Broken authentication allows attackers to escalate attacks into data theft, business email compromise or ransomware attacks. This creates significant potential costs for organizations in terms of user compensation, regulatory fines, attack clean-up costs and reduced customer confidence.

What multi-factor authentication does is add an extra layer of authentication security. Theoretically, this  decreases the likelihood of successful cyberattacks and subsequent breaches. 

What Is Multi-Factor Authentication vs. Two-Factor Authentication

The terms multi-factor authentication and two-factor authentication (2FA) are often used interchangeably but there are some notable differences. In one sense, 2FA can be thought of as a subset of MFA as it specifically requires a user to provide two authentication factors to verify identity (whereas MFA is at least two). The most common form of 2FA is a password plus a one-time password (OTP) sent by SMS or email but it could also be a security question, PIN or even an additional password. Unlike MFA, the second factor does not need to be from a different authentication category.

Multi-Factor Authentication Benefits

So, what is multi-factor authentication delivering that standard username and password login can’t? The added layer of verification required by MFA reduces an organization’s risk from several aspects.

More secure than just passwords

Multi-factor authentication means attackers must be able to come up with more than one factor to access an account, which creates an additional obstacle to overcome. While the exact risk reduction figure is highly dependent on the methods used,  the fact remains that relying on passwords alone for authentication puts organizations at enormous risk. 

Can’t be guessed or brute-forced

A critical vulnerability of passwords is that an attacker can literally just guess what the secret is, which is why “knowledge” is the least secure factor. With high computing power, lists of leaked passwords easily available, and a finite outcome of possibilities, it is only a matter of time before the knowledge factor gets cracked. Requiring possession or inherence means that an attacker must specifically target a user through phishing, SIM-swapping or other methods, or happen to come into possession of the login device or their biometric identifier.

Regulatory compliance

Regulatory requirements around multi-factor authentication have strengthened in recent years, with the US government and various industry-specific regulations specifically calling for phishing-resistant MFA as the standard for all authentication processes. Cyber insurers have also jumped on the bandwagon, with many mandating multi-factor authentication to obtain coverage. By using strong MFA that complies with these regulations, organizations can avoid any potential fines and penalties. 

Improve the authentication experience

A common perception of multi-factor authentication is that it adds friction and degrades the user experience. While this may be true for traditional MFA methods, newer passwordless MFA technologies can actually make the login process easier. For example, leveraging biometric identifiers on a user’s device eliminates the need for users to remember or write down their passwords. It also removes one of the biggest costs to IT helpdesks: password reset requests

What Is Multi-Factor Authentication's Problem?

Given the above, you’d think that every organization would deploy MFA, yet Microsoft reported that only 22% of its enterprise customers use it to secure their accounts. What is multi-factor authentication lacking to account for this reluctance in adoption? It essentially comes down to that age-old balance of any security program, security vs. convenience. 

While multi-factor authentication does add a layer of security, traditional MFA can add significant friction that can affect employee productivity and add to the burden on IT teams. On the consumer side, it can lead to increased customer support costs and cart abandonment.

Moreover, the added security has proven to be limited, with many of the most common MFA methods breachable by any somewhat determined hacker. Phishing attacks no longer target only passwords but use automated tools to harvest OTP codes. Another popular MFA method, push authentication, can be bypassed by MFA prompt attacks, which leverage the growing problem of push fatigue.

 Fortunately, newer technologies have emerged that tackle both sides of the equation, namely passwordless MFA.

What is Passwordless Multi-Factor Authentication

The effectiveness of multi-factor authentication as a protection mechanism fully depends on the strength of the verification factors used. Passwordless MFA removes passwords, or any shared knowledge-based factor, from the authentication process altogether. Instead it relies on “possession” and “inherence” factors to verify identity. While different solutions accomplish this through various mechanisms, passwordless MFA based on FIDO specifications is considered the gold standard for phishing-resistant passwordless MFA by CISA, the OMB and other regulatory and industry bodies.

As the leading provider of True Passwordless™ MFA, HYPR ensures authentication security while making the login experience easier and faster for users. A fully FIDO Certified solution, HYPR provides seamless desktop-to-cloud MFA with a single authentication gesture. To learn how HYPR’s passwordless MFA solution can help your organization secure authentication and access, read more here or contact our team.

New call-to-action