MULTI-FACTOR AUTHENTICATION: Explained

Boney Maundu Slim
4 min read, Jan 19, 2024


Multi-factor authentication, or MFA in short, refers to an authentication process where a user is required to provide two or more credentials or verification factors in order to gain access to an application or resource.

Rather than the traditional method of just requesting a username and password, or PIN, MFA requires additional verification factors, and all this is aimed at thwarting cyber-attack attempts.

Benefits of Multi-Factor Authentication

MFA bolsters an organization’s data and information security by requiring users to verify their identities using more than just their usernames and passwords, which are vulnerable to brute force attacks and can easily fall into the hands of unauthorized personnel and third parties.

Additional authentication factors like fingerprints and physical keys, which can only be in the possession of the legitimate user, make it harder for third parties to gain access and infiltrate the organization’s system.

Furthermore, MFA minimizes user error occasioned by carelessness or loss of passwords and devices.

With businesses, organizations, and governmental agencies operating and running critical services online, a breach or infiltration and compromising of such systems and information can have catastrophic consequences. MFA offers a layer of security that makes such occurrences less likely, and organizations and clients that carry out business online can do so with a measure of confidence.

Inherent in MFA authentication processes are real-time alerts where suspicious log-in attempts can be flagged and logged for relevant authorities to review and analyze, which can help thwart cyber-attacks as early as possible.

How Multi-Factor Authentication Works

At the time of registration, a user is prompted to provide multiple forms of identification, apart from the regular username and password, which are stored. This information is then used to verify the identity of the user during subsequent login sessions.


During registration, hardware such as a mobile phone or key fob can be linked to the account, or the items can be virtual, like an email address or mobile phone number. All these factors can be used to verify the unique identity of a user.

OTPs (one-time passwords) are the most common verification factors that users encounter when trying to access a resource or application with MFA.

OTPs are usually 4, 6, or 8-digit codes that are sent to the user’s phone or email when a log-in attempt is first made. Each time an authentication request is submitted, a new unique code is generated.

Multi-factor authentication methods use a combination of the following factor types:

  • Knowledge factor: things the user knows, such as passwords, PINs, a received OTP, and answers to personal security questions.
  • Possession factor: things the user possesses, e.g., badges, smartphones (for OTP), fobs and security keys, software tokens, and certificates.
  • Biometrics factor: things that are inherent to the user, such as fingerprints, voice recognition, iris scanning, and even behavioural analysis.

Since the advent of AI and machine learning, more sophisticated authentication factors have come into use, such as:

  • Location-based: In this case, a user’s IP address and possibly geo-location are determined, and this information can be used to block access if the user’s current location is not included in a whitelist database.
  • Risk-based authentication, also referred to as adaptive authentication, is a method that analyzes and considers behaviour and context when a user attempts to log in. It uses business rules and information about the user to determine which authentication factors it should employ.

For instance:

  • the location from which the user is trying to access the application
  • the number of failed login attempts
  • the time of day, i.e., during work hours or off hours
  • the type of device used and whether it matches the device that was last used
  • the type of network connection, i.e., whether public or private

Answers to these questions will determine whether the user will be prompted to provide more credentials or whether their access request will be outright denied.

With an unusual request, such as a user logging in from a restaurant late at night or on a weekend, they might be prompted to provide more verification factors, like an OTP sent to their phone. With a routine action, like logging in from the office every weekday at 9 AM, they will only be prompted to input their username and password.

With machine learning and AI, trends can be analyzed and baseline user profiles determined, and in this way, suspicious activities can be easily identified and flagged.

Machine learning algorithms can even assign risk scores to suspicious events and adjust authentication factors in real-time based on business policies.

For instance, a user can sign in with just a regular username and password for behaviour considered low-risk. For medium-risk behaviour, users are prompted to enter an SMS code received on their mobile device in addition to the username and password. For high-risk behaviour, the user might be denied access outright.
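The adaptive policy described in this section (location allowlist, failed attempts, time of day, device match, network type, and the low/medium/high outcomes) can be written down as a small scoring function. The example below is added here and is not code from the article; the weights, thresholds, the allowlisted country code, the working-hours window, and the sample login contexts are all constructed assumptions chosen to reproduce the article's office-versus-restaurant scenario.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Policy inputs: constructed placeholders for this example, not values from the article.
ALLOWED_COUNTRIES = {"KE"}          # location allowlist
WORK_HOURS = range(8, 18)           # 08:00 to 17:59 local time
LOW_MAX, MEDIUM_MAX = 1, 4          # score <= 1 low, 2..4 medium, >= 5 high


@dataclass
class LoginContext:
    country: str           # country derived from the client IP address
    failed_attempts: int   # recent failed attempts on this account
    local_time: datetime   # time of the attempt in the user's local zone
    device_id: str         # identifier of the device making the request
    last_device_id: str    # device used for the last successful login
    network: str           # "corporate" or "public"


def risk_score(ctx: LoginContext) -> int:
    """Weight each signal the article lists; a higher score means a riskier attempt."""
    score = 0
    if ctx.country not in ALLOWED_COUNTRIES:
        score += 3   # outside the location allowlist
    if ctx.failed_attempts >= 3:
        score += 2   # repeated failures suggest guessing
    if ctx.local_time.hour not in WORK_HOURS or ctx.local_time.weekday() >= 5:
        score += 1   # off hours or weekend
    if ctx.device_id != ctx.last_device_id:
        score += 2   # device differs from the one used last time
    if ctx.network == "public":
        score += 1   # public rather than private network
    return score


def risk_level(score: int) -> str:
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def decide(ctx: LoginContext) -> Tuple[str, List[str]]:
    """Map the risk level to the factors the user must present:
    ("allow", [factors]) for low and medium risk, ("deny", []) for high risk."""
    level = risk_level(risk_score(ctx))
    if level == "low":
        return "allow", ["password"]
    if level == "medium":
        return "allow", ["password", "sms_otp"]
    return "deny", []


# Constructed sample contexts. 2024-01-17 is a Wednesday, 2024-01-20 a Saturday.
OFFICE = LoginContext("KE", 0, datetime(2024, 1, 17, 9, 0), "laptop-1", "laptop-1", "corporate")
RESTAURANT = LoginContext("KE", 0, datetime(2024, 1, 20, 23, 0), "laptop-1", "laptop-1", "public")
SUSPICIOUS = LoginContext("ZZ", 5, datetime(2024, 1, 20, 23, 0), "unknown-dev", "laptop-1", "public")

if __name__ == "__main__":
    for name, ctx in (("office", OFFICE), ("restaurant", RESTAURANT), ("suspicious", SUSPICIOUS)):
        print(name, risk_score(ctx), decide(ctx))
```

The office login scores zero and needs only a password; the weekend restaurant login on public Wi-Fi scores two and steps up to password plus SMS code; the attempt from an unlisted country on an unknown device after five failures scores nine and is denied. In production the weights would come from a learned baseline per user rather than fixed constants, and every step-up or denial should be logged so the security team can review it, as the article notes.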

MFA vs. 2FA

MFA can be used interchangeably with 2FA (2-factor authentication). They both refer to multi-factor authentication, though 2FA restricts the number of verification factors to just two, while MFA can be two or more.

With businesses, companies, and organizations moving most of their information and processes to the cloud, MFA is becoming indispensable.

With remote workers, users are no longer required or expected to log into organizations' systems while on the same network, and thus additional security measures need to be put in place to ensure the safety and integrity of the organization’s systems and keep potential attackers at bay.

MFA can also be enforced on company hardware, such as laptops, that remote and travelling workers take with them. Common authentication methods on such hardware include fingerprint or iris scanners.

With MFA, organizations can ensure that users are who they say they are when attempting to access online resources.


Written by Boney Maundu Slim

I.T & Security Systems Contractor | Entrepreneur | Tech Writer @ Slim Bz Techsystems | +254 719393664 | boneymaundu@gmail.com
