Multi-factor authentication (MFA) is a security measure that requires at least two separate credentials to permit access to an account or a function of an application. A password is generally the first method of verification, which is categorized as knowledge, or something you know.
The other methods of verifying one's identity usually include something you have (possession), such as a mobile phone or keycard, and something you are (inherence), like a fingerprint scan or facial recognition. To be considered multi-factor authentication, the two or more credentials must come from separate categories.
But the definition of MFA alone doesn't tell you much about it, so let's look a little closer.
Why do you need MFA?
One of the most common questions on this subject is "why is an MFA solution necessary?"
The question is probably rooted in the various password rules that are supposed to make your credentials difficult to obtain. Unfortunately, passwords aren't as secure as we think. No matter what you do, using a password-only approach to security today is the least secure option. By putting off or refusing to enable MFA, you open the door to numerous password-based security risks as a string of characters is all that stands between cybercriminals and your valuable information.
There are well-established methods for guessing or obtaining most passwords - email phishing scams, for example. You want to be protected in the event of a password breach, and MFA is 99.9% effective in such cases.
Multi-factor authentication provides an extra layer of security. Stealing your knowledge - a password, or even answers to common security questions - is trivial compared to getting access to your mobile device or fingerprint.
Rather than attempt to crack MFA-enabled accounts, hackers are much more likely to go for the "low-hanging fruit" of a user whose credentials can be easily obtained.
You should utilize MFA as much as possible
True, it can feel like a hassle to add your mobile device into the authentication process when the account you're accessing is on your desktop. But we'd all rather be certain that our data, especially sensitive personal information, is safe.
In short, multi-factor authentication is the best available method of ensuring security, so it's best to enable it at every opportunity.
Multi-factor specifies that more than one credential is required for access, but it does not place limits on how many factors may be required. This means using two factor authentication(2FA) or more.
And while two factor authentication is the most common subset of MFA used, each additional factor used for verification increases security.
In light of this, the Payment Card Industry Data Security Standard (PCI DSS) replaced all references to two-factor authentication with multi-factor authentication. This suggests that using three factors is acceptable, maybe even preferable.
What are the approaches to MFA?
As we mentioned previously, there are three accepted types of credentials - knowledge, possession, and inherence. Because the first one is usually a password, the other factors usually stem from the second, and occasionally third, type. Here are a few of the available authentication methods:
- Time-based One-time Password (TOTP): The app/website asks the user for verification in the form of a second password generated by a third-party app such as Google Authenticator.
- Short Message Service (SMS): After you log in with a password, you are sent a one-time code via SMS text message that you then enter into the appropriate field.
- Email: Similar to SMS, you receive a one-time login code after entering a password, this time via email.
- Push notification: A push notification is sent to you, often on your mobile device. This allows you to certify access to your account.
- Integrated solution: Some applications allow you to open a corresponding app on a device that has already been authenticated in order to permit access. Gmail and other Google apps are examples of this.
Determining which MFA method is right for you
The most secure option is always the best choice.
SMS and email-based MFA methods are better than using a password-only approach. But they also offer the lowest level of security. SMS works well for decades-old technology that was never optimized for security. In a targeted attack, cybercriminals can easily intercept OTPs sent to mobile numbers.
Similarly, email accounts are popular targets for attackers. If your inbox becomes compromised, you could potentially lose the security benefits that using MFA offers.
The other methods we mentioned - Integrated authentication, push notifications, and Time based one password (TOTP) - are far more secure options.
How to implement MFA - FAQ
The best way to implement MFA is to get an expert to help you.
There are dozens of companies that offer MFA as a software solution, such as Google and Auth0. This is good for all of us because these are part of a suite of security and authentication technologies.
1. What is device activation, and how is it related to MFA?
Device activation is commonly mistaken for MFA. They involve similar processes, but for different outcomes.
Both require a secondary credential to access an application. Both also use factors such as SMS messaging, authenticator apps, and push notifications.
The difference is that device activation only occurs when you attempt to use an unfamiliar device or browser, or if you are outside of the normal range of a trusted IP address. By contrast, MFA requires additional credentials every time you log in to a particular account.
2. What are the most secure MFA methods, and how much do they cost?
There are several MFA methods available. The most secure and well-known are TOTP and push notifications.
This is great news because some platforms - Google Auth, for example - offer free and open-source applications that are easy to use and integrate.
3. How long does it take to implement MFA?
The time it takes to implement MFA will depend on which solution you choose. It's generally a very straightforward process.
Documentation on MFA solutions tends to be very clear, and if there's something you don't understand, experts are standing by to help.