What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is a security measure that requires users to provide more than one form of authentication to access a service or application.
Multi-factor authentication definition
The idea behind MFA is to provide an additional layer of security beyond a traditional username and password by requiring users to provide additional proof of their identity. This additional proof is called an authentication factor. There are four different types of authentication factors:
Something you know: This could be a password, PIN or answer to a security question.
Something you have: This could be a physical token, such as a smart card or a USB security key, or a software token generated by an authenticator app on the user's smartphone. The codes such apps produce are One-Time Passwords (OTPs); the common variant is the Time-Based One-Time Password (TOTP), which is derived from a shared secret and the current time so that each code is only valid for a short window (typically 30 seconds).
Something you are: Biometric information, such as a fingerprint, facial recognition or iris scan.
Somewhere you are: Your geographic location, usually inferred from the network address or the device's location services. Some apps and services only allow access from within a specific region or network. Location is more often used as a contextual signal alongside the other factors than as a standalone factor, and it is a common input to access decisions in zero-trust security environments.
MFA systems require users to provide at least two different factors from two different categories. This is best explained by example:
- A system that requires users to input both a password and a PIN doesn’t qualify as having MFA, because both of these factors are from the “something you know” category.
- ATMs have used MFA for decades. They require users to insert an ATM card (something they have) and enter a PIN (something they know).
In addition to ATMs, MFA is widely used to secure online accounts, such as email, online banking, and cloud storage, as well as physical access to buildings and other secure areas.
Not all authentication factors are created equal
Some MFA systems deliver a one-time code by phone call, text message (SMS) or email. These codes are not TOTPs (they are generated by the server and sent to the user rather than computed on the user's device), and while they technically count as a “something you have” factor, many security experts discourage them: SMS and voice codes can be redirected by SIM swapping or intercepted, an emailed code is only as strong as the protection on the email account itself, and any code the user types in can be captured by a phishing page and relayed to the real site while it is still valid.
Therefore, it’s a best security practice to avoid using email, phone calls or text messages for MFA unless no other methods are available. Stronger options include a standalone authenticator app (TOTP), biometrics, or a physical security token. Note that app-generated codes can still be phished and replayed within their validity window; only authenticators built on FIDO2/WebAuthn, such as hardware security keys, are phishing-resistant, because the authenticator binds its response to the website's origin.
What is the difference between MFA and 2FA?
2FA stands for two-factor authentication. The only difference between 2FA and MFA is that 2FA refers to an authentication method that requires only two authentication factors, whereas MFA is an umbrella term referring to a system that requires two or more authentication factors.
Therefore, our ATM example from above is an example of 2FA, but calling it MFA is also correct. Conversely, a system that requires the user to insert a card or security key, enter a PIN and scan their fingerprint would be MFA but not 2FA.
What protection does MFA provide?
Compromised passwords, whether phished, guessed, reused across sites or leaked in a breach, are among the most common initial access vectors in data breaches and ransomware attacks. MFA makes password-only attacks far less effective: even if a threat actor obtains a working password, it is not sufficient to log in without the additional authentication factor(s). Microsoft has reported that MFA can block over 99.9 percent of account compromise attacks. It is not absolute protection, however; attackers have adapted with techniques such as adversary-in-the-middle phishing that relays the code, push-notification fatigue, and SIM swapping, which is why the choice of factor matters.
For this reason, MFA plays a big role in IT compliance. Many industry and regulatory compliance frameworks require organizations to implement MFA to secure their internal systems. MFA is also essential for implementing a zero-trust security framework, which requires that users be verified explicitly.
Implementing MFA can also help enhance user trust in a system, as it demonstrates that the organization takes security seriously and is committed to protecting users' information.
How can I implement multi-factor authentication?
For personal users
Individuals should enable 2FA/MFA on all websites and apps that support it to protect their personal accounts from cyber threat actors. Many sites and apps walk users through this process upon account setup. Otherwise, users can consult the help documents for the site or app.
Remember to avoid using email, text messages or phone calls as an authentication factor unless the site or app doesn’t support other methods.
For business users
The steps involved in implementing MFA will vary depending on your organization's specific needs and resources. It's recommended to seek the assistance of a security expert or IT professional if you are unsure about how to proceed. However, here's a general overview of the steps involved:
Determine the types of authentication factors to use: Decide which authentication factors to use based on your security needs and the resources available. Remember to choose at least two factors from two different categories, and avoid using phone calls, email or text messages as an authentication factor.
Choose an MFA solution: There are many commercial and open-source solutions available for implementing MFA. Choose a solution that supports the authentication factors you've selected, and that fits within your budget and technical capabilities.
Integrate the MFA solution into your systems: This may involve integrating the MFA solution into your existing authentication system or replacing your existing authentication system with an MFA-enabled solution. You may need to modify your application code or make changes to your network infrastructure.
Enroll users: Once you've integrated the MFA solution into your systems, enroll users by having them register the additional authentication factor(s) the MFA solution requires (for example, scanning a QR code into an authenticator app or registering a security key). Issue recovery codes at enrollment so that a lost device does not lock users out or force them through a weaker reset path.
Monitor and maintain the MFA solution: Regularly monitor the MFA solution for performance and security, and update it as needed to maintain its effectiveness.
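As an added worked example (not code from the original page or from any particular MFA product), the following Python implements the server side of the "something you have" factor described above, an authenticator-app TOTP, and covers the integrate and enroll steps: generating and encoding the shared secret, building the otpauth: URI the user scans during enrollment, computing codes per RFC 4226 (HOTP) and RFC 6238 (TOTP), and verifying a submitted code with a small clock-drift window while refusing any time step that has already been used. It uses only the standard library; the issuer and account names are placeholders.

```python
import base64
import hmac
import secrets
import struct
import time
from typing import Tuple
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Create a random shared secret and encode it as unpadded base32,
    the form authenticator apps expect inside an otpauth: URI."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Reverse generate_secret(); tolerates spaces, lowercase and missing '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, dynamically truncate
    to 31 bits, and keep the last `digits` decimal digits (zero-padded)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(key, at // step, digits, algo)


def provisioning_uri(issuer: str, account: str, secret_b32: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth: URI that the enrollment page renders as a QR code for the user to scan."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def verify_totp(secret_b32: str, submitted: str, now: int, last_counter: int,
                window: int = 1, step: int = 30, digits: int = 6) -> Tuple[bool, int]:
    """Check a user-submitted code.

    `last_counter` is the time step of the last code this user successfully
    used (persist it per user; start at -1). Returns (accepted, new_last_counter).
    A window of 1 also accepts the previous and next time steps to absorb clock
    drift, but a step that is <= last_counter is never accepted again, so a code
    that was captured and replayed within its validity period is rejected.
    """
    key = decode_secret(secret_b32)
    submitted = submitted.replace(" ", "")
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_counter
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison so a wrong digit is not detectable by timing.
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Enrollment: the server stores the secret against the user and shows the QR code.
    secret = generate_secret()
    print(provisioning_uri("ExampleCorp", "alice@example.com", secret))  # placeholder names
    # Login: the app on the phone derives the same code from the same secret and time.
    now = int(time.time())
    code = totp(decode_secret(secret), now)
    accepted, last = verify_totp(secret, code, now, last_counter=-1)
    replayed, _ = verify_totp(secret, code, now + 5, last_counter=last)
    print(f"code {code}: accepted={accepted}, replay accepted={replayed}")
```

The stored `last_counter` is what turns a 30-second code into a true one-time value; without it, a code captured by a phishing page or shoulder-surfer can be reused for the rest of its window. A six-digit code with a three-step window gives an attacker roughly a 1 in 333,000 chance per guess, so pair verification with per-user rate limiting and lockout, and keep the secret itself encrypted at rest, since anyone who reads it can generate valid codes indefinitely.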