Multi-factor Authentication (MFA)
What is Multi-factor Authentication (MFA)?
Multi-factor authentication is a secure digital login process where users are required to validate their identity in multiple ways before accessing their account.
While most login processes require just a username and password, multi-factor authentication requires users to enter additional information to verify their identity, such as answering security questions, entering a code sent to the user's phone or verified email address, or by scanning their fingerprint.
Multi-factor authentication provides an extra layer of security that blocks digital adversaries from accessing enterprise systems or applications, even when they manage to successfully steal access credentials from a legitimate user.
Why is Multi-factor Authentication Important?
Modern enterprises are continuously expanding their digital external attack surface with a growing number of digital assets, including web domains, web-based applications, 3rd-party apps, social media profiles, email accounts, and cloud deployments. These digital assets help the enterprise do business and connect with customers more efficiently, but they can also be targeted by digital adversaries hoping to steal data or commit fraud by impersonating the business or its executives.
Users within an organization access the organization’s digital assets by logging in to password-protected accounts, but securing a vital asset (e.g. a database containing sensitive data, the organization’s social media accounts, etc.) with just a password makes it far too easy for the asset to be compromised by a successful phishing or credential compromise attack.
Multi-factor authentication prevents digital adversaries from gaining unauthorized access to an account, even after successfully stealing the password, by requiring additional information to validate a user’s identity before allowing access. Multi-factor authentication is used to secure public cloud deployments, web databases, email and social accounts, online banking accounts, web hosting accounts, and other digital assets against unauthorized access by digital adversaries.
4 Types of Multi-factor Authentication You Should Know
The most effective implementations of multi-factor authentication use at least two different authentication factors and two different forms of verification to authenticate the user’s identity before allowing access to the secured system.
Below, we describe four common types of authentication factors and some characteristic forms of verification for each.
Knowledge-Based Authentication
Knowledge factors are elements of information that the user knows, which can be used to authenticate the user’s identity. Users are recommended to memorize this information or record it offline and never share it with others. This ensures that only the authorized user has the knowledge required to access the account.
Examples of knowledge-based authentication factors include:
- Usernames
- Passwords
- Account Numbers
- PIN Numbers
- Image Verification
Possession-based Authentication
Possession factors are physical possessions belonging to the user that can be used to validate their identity. In the most common implementation, an authentication service sends a one-time password to a physical device and/or an online account that is owned by the user. The user must enter the one-time password into the login interface to get access.
Examples of possession-based authentication factors include:
- Physical security tokens (e.g. USB security key, smart card, wireless tag, etc.)
- Email addresses
- Phone numbers
Location-based Authentication
Some authentication services have the ability to validate a user’s identity by detecting their IP address and associating it with a physical location. If a user account is normally accessed from California, an attempt to access the account from Florida could be blocked using location-based authentication.
Inherent/Biometric Authentication
Inherent authentication is sometimes called biometric authentication because it relies on factors that are inherent to the user - often their own physical characteristics - to validate the user’s identity.
Examples of biometric authentication in popular use today include:
- Fingerprint scanning,
- Facial recognition
- Voice recognition,
- Iris/Retina scanning,
How Does Multi-factor Authentication Work?
Multi-factor authentication works by requiring the user to register multiple forms of identification when creating an account. Then the user must validate their identity using those forms of identification when they attempt to access the system. The process of implementing multi-factor authentication can be summarized as:
- Account Creation - A user creates an account for a service with MFA enabled. During the registration process, they link the account to an email address, phone number, physical security key, or fingerprint. The user may be asked to verify their ownership of an email address, phone number, or security device by receiving a code on the device and entering the code into the account creation interface.
- Authentication - When the user accesses the service with their username and password, they will be prompted to validate their identity via the chosen method of authentication. This could involve receiving a 4-digit or 6-digit code and inputting the code into the login interface, answering a security question, or completing a biometric scan.
- Access - If the authentication is completed successfully, the user will be granted access to the system.
3 Common Ways to Implement Multi-factor Authentication
Security Questions
Security questions may be the simplest form of multi-factor authentication. When the user creates an account, they create customized security questions which act as prompts for secret answers that only the user knows. When attempting to login, the user must provide the correct answer to their secret question to gain access.
Because security questions are knowledge-based, digital adversaries can sometimes manipulate targets into revealing the answers to their security questions.
Phone or Email Verification
Phone and email verification are common forms of authentication for email and online banking accounts. When the user creates an account, they verify their ownership of an email address or phone number by receiving a one-time code or registration link. When attempting to login, the user must input a one-time code that will be sent to the same email address or phone number they provided when creating the account.
Fingerprint Scanning
Today’s mobile phones are equipped with fingerprint scanners that can be used to authenticate a user’s identity. Mobile banking applications often allow users to access their accounts by authenticating their identities with the fingerprint scanner.
Safeguard Your Organization's Security Posture with ZeroFox
With digital adversaries combining social engineering attacks with AI technology to bypass multi-factor authentication methods, it’s still important to detect and block phishing attempts against your organization’s employees and executives.
ZeroFox provides digital risk protection, threat intelligence, and adversary disruption capabilities to detect and disrupt cyber threats against your organization’s brands, people, assets and data.
Ready to Learn More?
Read our Quarterly Threat Landscape Q1 2023 Report to learn more about how digital adversaries are trying to bypass MFA and how ZeroFox can help protect your enterprise.