What is Multi-Factor Authentication?

Yiğit Çallı
26 February 2024

Multi-Factor Authentication (MFA), together with its two-factor variant, 2-Factor Authentication (2FA), is one of the most widely used controls in the cybersecurity arsenal of companies and software-as-a-service (SaaS) vendors alike. In this blog we look at the benefits of using MFA to authenticate users, the different types of MFA, and the challenges in making it ubiquitous.


Understanding the Basics of Multi-Factor Authentication

MFA is one of the key measures available today to protect online accounts. It adds one or more authentication steps on top of the user's credentials, typically a username or email address and a password, before access is granted. With MFA, even if an attacker guesses or steals a user's password, they still have to satisfy the additional factor(s) to get in.

MFA relies on more than a single proof to authenticate a person's identity, which makes it harder for an unauthorized party to reach a user's account or a company's network and resources. If one factor is compromised, the remaining factors can still keep the user or organization from being breached.

The MFA process verifies a user's identity through multiple “proof points”, delivered via tools such as email, SMS or an authenticator app from the app stores, and categorized into three main types:

  1. Knowledge Factors: These are pieces of information that the user knows, such as a password, PIN, or answers to security questions.

  2. Possession Factors: These are things that the user possesses, like a smartphone, a token generator, or a smart card.

  3. Inherence Factors: These are personal attributes of the user, such as biometric data (fingerprints, facial recognition, voice patterns, etc.).

Different Types of Multi-Factor Authentication

There are various MFA methods, each with its own characteristics and security level. Below we go over the commonly used ones, and then look at adaptive authentication, which decides when to demand an extra factor at all.

Passwords and Security Questions

The combination of a password and a security question is often presented as MFA: the user enters their password and is then asked to answer a security question they set during account sign-up. Strictly speaking this is not multi-factor at all, because both the password and the answer are knowledge factors; it is two steps of a single factor, and answers to common questions (mother's maiden name, first school) are frequently guessable or findable online. Treat it as the weakest option in this list.

Biometric Authentication

Biometric authentication uses a physical characteristic of the user for verification: fingerprint, face, voice or retina. It is convenient and hard to share, and many mobile devices now offer facial recognition as an added authentication step. Two caveats apply: a biometric cannot be changed if the stored template leaks, and on most phones the biometric only unlocks a key held on the device, so the factor the service actually verifies is possession of that device.

Hardware Tokens

Hardware tokens or key fobs are physical devices that generate a one-time password (OTP), either from a counter that advances with each button press (HOTP) or from the current time (TOTP). After entering their username and password, the user types in the OTP shown on the token to gain access. The secret never leaves the token, so malware on the user's computer cannot copy it.

Software Tokens

Software tokens work like hardware tokens but are implemented in software: the OTPs are generated by an application installed on the user's mobile device or computer as part of the MFA process. For example, some banks generate software tokens in their mobile banking apps and require them before allowing access to the account on their website.

SMS or Email-Based Verification

In this method, after entering the username and password, the user receives an OTP by SMS or email. Only after they enter that OTP are they allowed into the account. It is the easiest option to roll out, but SMS and email are also the easiest channels for an attacker to hijack (see SIM swapping below).

Authenticator Apps

Authenticator apps are security applications available in app stores that can be used for MFA purposes. Here's how they generally work:

  • Generation of Time-Based Codes: Authenticator apps generate time-sensitive, single-use codes that change every 30 seconds by default, providing an extra layer of security.

  • Setup with Online Accounts: To use an authenticator app, you typically scan a QR code or enter a setup key provided by the online service (like an email provider, bank, or social network) during the MFA setup process. This links your account to the authenticator app.

  • Login Process: When you log in to the linked account, in addition to your username and password, you'll be asked to enter the code displayed on the authenticator app. Since this code changes frequently and is only accessible on your device, it's difficult for hackers to gain unauthorized access even if they know your password.

Authenticator apps do not rely on SMS or voice calls, which are vulnerable to interception and SIM swapping. Instead they compute codes locally with the time-based one-time password (TOTP) algorithm from a secret shared during setup, which makes them a more secure MFA method. They are not phishing-proof, though: a fake login page can simply ask for the current code and relay it to the real site within the 30-second window.

Some examples of authenticator apps today include Google Authenticator, Microsoft Authenticator, Duo, and various others.

Pros and Cons of Multi-Factor Authentication

MFA is a strong control against unauthorized access to online accounts, but it does have drawbacks. Let's go through both sides:

Pros

  1. Increased Security: MFA significantly strengthens the protection of a user's account and sensitive data, or of a company's network, by adding an extra layer. Even if one factor is compromised, the attacker still has to defeat the others, which greatly reduces the risk of unauthorized access.

  2. Regulatory Compliance: MFA helps organizations meet regulations and industry standards such as GDPR and PCI DSS that call for strong authentication of users.

  3. Ability to get Cyber Insurance: Many insurers now require MFA before a company can enroll for a policy. If a company cannot show that it used MFA consistently, it risks having a breach claim denied.

Cons

  1. Implementation Costs: Implementing MFA can be costly, especially for large organizations. Costs include buying and replacing tokens, licensing software, help-desk time for lockouts and resets, and ongoing maintenance.

  2. User Experience: MFA fatigue works against consistent use of MFA. Authentication quickly becomes a chore if the user has to complete an MFA step for every access request, many times a day. Attackers exploit the same fatigue: by repeatedly sending push prompts to a user whose password they already hold, they count on the user eventually tapping Approve just to make the prompts stop.

  3. Potential for Loss or Theft: With hardware or mobile-based MFA there is always a risk that the device used for verification is lost or stolen, so a recovery and re-enrolment process is needed.

  4. SIM Swapping: Attackers know that MFA often relies on the mobile phone as the “thing you possess”. In a SIM swap attack, the bad actor tricks the mobile carrier into moving the victim's number to a SIM card they control, hijacking the victim's phone service and any SMS-based OTPs with it. Many people in the US have their numbers SIM-swapped every year. By the time a victim notices that their phone no longer works, the attacker may already have reset the passwords on their bank, brokerage and retirement accounts, with potentially catastrophic consequences.

Timus Zero Trust Network Access (ZTNA) and Adaptive MFA

Before granting access to a SaaS app or a company network, the Timus ZTNA solution verifies a user's identity not only via user credentials but also through a set of contextual checks: the user's device, the current location and whether it implies impossible travel compared with the previous login, the IP address and the country the user is connecting from, whether the user's email address appears in a dark-web breach dump, and so on. Only if these checks indicate a risk that the person is not who they claim to be is an MFA challenge pushed to the user as an additional form of authentication. Using MFA adaptively in this way greatly improves the user experience and mitigates MFA fatigue.
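The contextual checklist described above maps naturally onto a small risk engine. The following is an added, illustrative example written for this edit; it is not Timus code and does not describe how Timus implements these checks. It shows one way to derive an impossible-travel signal from the great-circle distance between two logins with an assumed 900 km/h speed ceiling, combine it with device, country and breach-lookup signals, and demand a step-up MFA challenge only when a signal fires. The login events, device identifiers and coordinates are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed threshold: faster than an airliner means one person cannot have made both logins.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
# Assumed tolerance for geo-IP noise when two logins are (almost) simultaneous.
GEOIP_NOISE_KM = 50.0


@dataclass
class LoginEvent:
    timestamp: int          # Unix seconds
    lat: float
    lon: float
    country: str            # ISO 3166 alpha-2 from geo-IP
    device_id: str          # e.g. a device-certificate fingerprint (constructed here)
    email_breached: bool = False   # result of a breach-database lookup supplied by the caller


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(prev: LoginEvent, cur: LoginEvent) -> bool:
    """True when the user would have had to move faster than MAX_PLAUSIBLE_SPEED_KMH."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    elapsed_h = (cur.timestamp - prev.timestamp) / 3600.0
    if elapsed_h <= 0:                       # same second or clock skew: only distance matters
        return distance > GEOIP_NOISE_KM
    return distance / elapsed_h > MAX_PLAUSIBLE_SPEED_KMH


def risk_signals(prev: Optional[LoginEvent], cur: LoginEvent, known_devices: Set[str]) -> List[str]:
    """Collect every contextual check that fires for this login attempt."""
    signals: List[str] = []
    if prev is not None and impossible_travel(prev, cur):
        signals.append("impossible_travel")
    if prev is not None and cur.country != prev.country:
        signals.append("new_country")
    if cur.device_id not in known_devices:
        signals.append("unknown_device")
    if cur.email_breached:
        signals.append("email_in_breach_dump")
    return signals


def step_up_required(prev: Optional[LoginEvent], cur: LoginEvent, known_devices: Set[str]) -> bool:
    """Adaptive policy: a clean context passes on credentials alone; any signal triggers MFA."""
    return bool(risk_signals(prev, cur, known_devices))


# Constructed sample events (coordinates are approximate city centres).
T0 = 1_700_000_000
LONDON_LOGIN = LoginEvent(T0, 51.5074, -0.1278, "GB", "laptop-7f3a")
MANCHESTER_2H_LATER = LoginEvent(T0 + 2 * 3600, 53.4808, -2.2426, "GB", "laptop-7f3a")
NEW_YORK_1H_LATER = LoginEvent(T0 + 1 * 3600, 40.7128, -74.0060, "US", "laptop-7f3a")
NEW_YORK_9H_LATER = LoginEvent(T0 + 9 * 3600, 40.7128, -74.0060, "US", "phone-unknown",
                               email_breached=True)

if __name__ == "__main__":
    known = {"laptop-7f3a"}
    for event in (MANCHESTER_2H_LATER, NEW_YORK_1H_LATER, NEW_YORK_9H_LATER):
        signals = risk_signals(LONDON_LOGIN, event, known)
        verdict = "push MFA" if step_up_required(LONDON_LOGIN, event, known) else "no MFA"
        print(f"{event.country} +{(event.timestamp - T0) // 3600}h {signals or 'clean'} -> {verdict}")
```

In the sample run, the Manchester login two hours after London is clean and passes on credentials alone; the New York login one hour later would require roughly 5,500 km/h and triggers MFA on both the impossible-travel and new-country checks; the New York login nine hours later is plausible travel but still triggers MFA because the device is unknown and the email address appeared in a breach dump. The per-signal list, rather than a single boolean, is what you want in the audit log so that an analyst can see why a prompt was sent.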


Conclusion

Multi-Factor Authentication is a potent tool in the cybersecurity arsenal. It offers considerably stronger security than checking user credentials alone, making it much harder for attackers to gain unauthorized access. MFA is also an important part of complying with various regulations and of qualifying for cyber insurance as a company. It comes with challenges, but the benefits of implementing MFA far outweigh them. Modern network security solutions such as Timus apply MFA dynamically and adaptively to minimize MFA fatigue.