Multi-factor authentication (MFA) is an authentication process that requires users to prove their identity with at least two independent factors, most commonly a password plus something else. There has been much debate about how effective MFA is against today's attacks, but any informed conversation should start with the basics: what multi-factor authentication is, and what problems it attempts to solve.
Authentication is the process of verifying a user's identity before granting access to a system or resource, such as a device, application or online account. In multi-factor authentication, the user must present more than one authentication factor, drawn from independent categories. The standard factors of authentication are:
Knowledge: something the user knows, such as a password or PIN
Possession: something the user has, such as a phone, hardware token or registered device
Inherence: something the user is, such as a fingerprint or face
Other factors have been proposed, location in particular, but they have seen limited use so far, and the three above remain the most common.
The factors must be verified through the authentication process. While most discussions of what multi-factor authentication is focus on the factors themselves, the backend matters just as much: how credentials are stored, how they are transmitted, and how the authenticating server actually checks them. A one-time code that the server compares with an ordinary string equality, or accepts twice within its validity window, weakens the possession factor regardless of how securely the code was delivered.
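As an added illustration of the server-side checks just mentioned (this is example code written for this page, not HYPR's or any vendor's implementation), here is a TOTP verifier in Go. It computes the RFC 6238 code the way an authenticator app does, compares it in constant time, allows one step of clock skew, and records the last counter each user has spent so a captured code cannot be replayed while it is still valid. The secret and timestamps in main() are the RFC 6238 reference values, used here as constructed demo input; the user ID "alice" and the OTPVerifier type are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// totpCode computes an RFC 6238 TOTP value for one time-step counter using the
// RFC 4226 HMAC-SHA1 dynamic-truncation scheme. The authenticator app does this
// computation; the server repeats it to obtain the expected value.
func totpCode(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// OTPVerifier holds the server-side state that makes OTP checking safe: a bounded
// clock-skew window and, per user, the highest counter already accepted, so a
// code that was phished or sniffed cannot be replayed inside its validity window.
type OTPVerifier struct {
	Step   time.Duration // TOTP time step; 30 s is the usual default
	Skew   uint64        // steps accepted on either side of "now"
	Digits int
	mu     sync.Mutex
	last   map[string]uint64 // user ID -> highest counter consumed so far
}

func NewOTPVerifier() *OTPVerifier {
	return &OTPVerifier{Step: 30 * time.Second, Skew: 1, Digits: 6, last: make(map[string]uint64)}
}

// Verify accepts a code only if it has the right length, matches a counter inside
// the skew window under a constant-time comparison, and that counter is strictly
// newer than any this user has already used.
func (v *OTPVerifier) Verify(userID string, secret []byte, code string, now time.Time) bool {
	if len(code) != v.Digits {
		return false
	}
	cur := uint64(now.Unix()) / uint64(v.Step/time.Second)
	v.mu.Lock()
	defer v.mu.Unlock()
	for delta := -int64(v.Skew); delta <= int64(v.Skew); delta++ {
		c := uint64(int64(cur) + delta)
		if last, seen := v.last[userID]; seen && c <= last {
			continue // counter already consumed: reject replays
		}
		expected := totpCode(secret, c, v.Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.last[userID] = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo input: the RFC 6238 Appendix B reference secret and time, not a real credential.
	secret := []byte("12345678901234567890")
	v := NewOTPVerifier()
	t := time.Unix(59, 0)
	code := totpCode(secret, uint64(t.Unix())/30, 6)
	fmt.Println("first use accepted:", v.Verify("alice", secret, code, t))
	fmt.Println("replay accepted:   ", v.Verify("alice", secret, code, t))
}
```

Two design points: the replay record must be persisted alongside the user's secret in a real deployment (an in-memory map resets on restart), and the skew window is a trade-off, since every extra step widens the set of codes an attacker can guess or reuse.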
Stolen or compromised credentials play a central role in the majority of cyberattacks. Per Verizon's Data Breach Investigations Report, 82% of breaches involve the human element, which often means inducing people to hand over passwords or using lost or stolen credentials. This has created an entire ecosystem of threats that target authentication, and specifically the username and password pair, including:
Broken authentication allows attackers to escalate attacks into data theft, business email compromise or ransomware attacks. This creates significant potential costs for organizations in terms of user compensation, regulatory fines, attack clean-up costs and reduced customer confidence.
Multi-factor authentication adds an extra layer of security to the login: an attacker who has obtained the password should still be unable to get in. In theory, this decreases the likelihood of successful cyberattacks and the breaches that follow them.
The terms multi-factor authentication and two-factor authentication (2FA) are often used interchangeably, but there are some notable differences. 2FA can be thought of as a subset of MFA: it specifically requires the user to provide two authentication factors to verify identity, whereas MFA requires at least two. The most common form of 2FA is a password plus a one-time password (OTP) sent by SMS or email. In loose usage the second step is sometimes a security question, PIN or even an additional password, but two secrets from the same knowledge category count as a single factor under the NIST definition (this is two-step verification rather than true 2FA), and they fall to the same phishing or credential-theft attack that captures the first one.
So, what is multi-factor authentication delivering that standard username and password login can’t? The added layer of verification required by MFA reduces an organization’s risk from several aspects.
Multi-factor authentication means an attacker must obtain more than one factor to access an account, which is an additional obstacle to overcome. While the exact risk reduction depends heavily on the methods used, relying on passwords alone for authentication puts organizations at enormous risk.
A critical weakness of passwords is that an attacker can simply guess the secret, which is why knowledge is the least secure factor. With cheap computing power, freely available lists of leaked passwords and a finite space of candidates, cracking a knowledge factor is only a matter of time. Requiring possession or inherence means an attacker must specifically target a user through phishing, SIM swapping or similar methods, or physically obtain the login device or biometric identifier.
Regulatory requirements around multi-factor authentication have strengthened in recent years. The US government (OMB memorandum M-22-09 requires federal agencies to adopt phishing-resistant MFA) and various industry-specific regulations now specifically call for phishing-resistant MFA. Cyber insurers have followed, with many mandating multi-factor authentication as a condition of coverage. Deploying strong MFA that meets these requirements reduces an organization's exposure to fines and penalties.
A common perception of multi-factor authentication is that it adds friction and degrades the user experience. While this may be true for traditional MFA methods, newer passwordless MFA technologies can actually make the login process easier. For example, leveraging biometric identifiers on a user’s device eliminates the need for users to remember or write down their passwords. It also removes one of the biggest costs to IT helpdesks: password reset requests.
Given the above, you would expect every organization to deploy MFA, yet Microsoft reported that only 22% of its enterprise customers use it to secure their accounts. What is multi-factor authentication lacking that explains this reluctance? It comes down to the age-old balance of any security program: security versus convenience.
While multi-factor authentication does add a layer of security, traditional MFA can add significant friction that can affect employee productivity and add to the burden on IT teams. On the consumer side, it can lead to increased customer support costs and cart abandonment.
Moreover, the added security of the most common MFA methods has proven limited: a moderately determined attacker can get past them. Phishing kits no longer target only passwords. Adversary-in-the-middle proxies relay the victim's login to the real site in real time, capturing the OTP along with the password and using it before it expires. Another popular method, push notification approval, can be bypassed by MFA prompt bombing, which exploits push fatigue: an attacker who already holds the password triggers prompt after prompt until the user approves one just to make them stop.
Fortunately, newer technologies have emerged that tackle both sides of the equation, namely passwordless MFA.
The effectiveness of multi-factor authentication as a protection mechanism depends on the strength of the verification factors used and on how tightly they are bound to the login. Passwordless MFA removes passwords, and any other shared knowledge-based factor, from the authentication process altogether; instead it relies on possession and inherence factors to verify identity. Different solutions accomplish this through various mechanisms, but passwordless MFA based on the FIDO specifications is considered the gold standard for phishing-resistant MFA by CISA, the OMB and other regulatory and industry bodies. Its phishing resistance comes from the fact that the credential is a key pair bound to the site's origin: the authenticator signs the server's challenge together with the origin the browser is actually showing, so an assertion produced on a look-alike site is useless to the real one.
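To make the contrast with the relayed-OTP attack concrete, here is a simplified WebAuthn-style exchange in Go, added for this page as an illustration (it is not HYPR's code and not a FIDO library; real deployments should use a certified implementation). The authenticator signs over the relying party's challenge and the origin the browser reports, and the relying party refuses any assertion whose origin is not its own. An OTP carries no such binding, which is why a phishing proxy can relay it; the signed origin is what stops the relay here. The names bank.example, bank-login.example and the Authenticator and RelyingParty types are assumptions of the example. One simplification to note: a real browser would refuse to let a page at bank-login.example use the rpID bank.example at all, so the attack fails even earlier than the server-side check shown.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData: the ceremony type, the server's
// challenge and the origin of the page that called the API. The browser fills in the
// origin; the page cannot choose it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives back from the browser.
type Assertion struct {
	AuthData       []byte // rpIdHash (32 bytes) || flags
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256 over SHA-256(authData || SHA-256(clientDataJSON))
}

// Authenticator models one FIDO credential: a private key that never leaves the device.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: key}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// Assert models the browser-plus-authenticator side of a login. browserOrigin is
// the origin the browser is actually displaying.
func (a *Authenticator) Assert(rpID, browserOrigin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags byte: user present
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// signedDigest is the value both sides agree on: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// RelyingParty is the server: it knows which origin it serves and which public key the user enrolled.
type RelyingParty struct {
	RPID, Origin string
	pub          *ecdsa.PublicKey
	issued       map[string]bool // outstanding challenges, each valid once
}

func NewRelyingParty(rpID, origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{RPID: rpID, Origin: origin, pub: pub, issued: make(map[string]bool)}
}

// NewChallenge issues a fresh random challenge for one login attempt.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	ch := base64.RawURLEncoding.EncodeToString(b)
	rp.issued[ch] = true
	return ch, nil
}

// Verify performs the checks that give the assertion its phishing resistance: a
// challenge we issued and have not seen before, our origin, our rpIdHash, and a
// signature by the enrolled key that covers all of it.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if !rp.issued[cd.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.issued, cd.Challenge) // single use, so a captured assertion cannot be replayed
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(a.AuthData) < 33 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("bank.example", "https://bank.example", auth.PublicKey())
	ch, _ := rp.NewChallenge()
	good, _ := auth.Assert("bank.example", "https://bank.example", ch)
	fmt.Println("genuine login:", rp.Verify(good))
	// Adversary-in-the-middle: a proxy at a look-alike origin relays the real challenge
	// to the victim, but the browser stamps the assertion with the origin it is showing.
	ch, _ = rp.NewChallenge()
	relayed, _ := auth.Assert("bank.example", "https://bank-login.example", ch)
	fmt.Println("relayed via phishing proxy:", rp.Verify(relayed))
}
```

The proxy cannot repair the relayed assertion by rewriting the origin in ClientDataJSON either, because the signature covers the hash of that JSON; and it cannot replay a genuine assertion captured earlier, because each challenge is accepted once.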
As the leading provider of True Passwordless™ MFA, HYPR ensures authentication security while making the login experience easier and faster for users. A fully FIDO Certified solution, HYPR provides seamless desktop-to-cloud MFA with a single authentication gesture. Contact our team to learn how HYPR’s passwordless MFA solution can help your organization secure authentication and access.