- Multi-factor authentication (MFA) is a security method that requires users to provide two or more verification factors to gain access to a system or application.
- These factors typically include something the user knows (such as a password), something the user has (such as a smartphone or security token), and something the user is (such as a fingerprint or facial recognition).
- MFA adds an extra layer of security to prevent unauthorised access, as even if one factor is compromised, the attacker would still need to bypass additional authentication methods.
Multi-factor authentication (MFA) is an authentication process that requires users to present two or more verification factors to access a resource, such as an application or online account. It is a fundamental component of a robust identity and access management (IAM) strategy.
What is multi-factor authentication?
Multi-factor authentication is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. MFA increases security because even if one credential becomes compromised, unauthorised users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database.
The authentication factors typically fall into three categories.
The first category is something the user knows. This includes traditional credentials such as passwords, PINs, or security questions. Users are required to input this information to verify their identity.
The second category is something the user has. This involves possession of a physical device or token, such as a smartphone, security token, or smart card. The user must present or authenticate with this item to proceed.
The third category is something the user is. This encompasses biometric identifiers such as fingerprints, facial recognition, or iris scans. These unique biological traits are used to verify the user’s identity.
How does multi-factor authentication work?
The authentication process begins when a user attempts to access a system, application, or online service by providing their username or identifier. They are then prompted for the first authentication factor, which typically involves something the user knows, such as a password, PIN, passphrase, or answers to security questions. This initial factor serves as the first layer of security, verifying that the user possesses the correct credentials to access the system.
Following successful verification of the first factor, the user is prompted to provide a second authentication factor. The second factor adds an extra layer of security by requiring the user to present something they have or something they are. This additional factor can take various forms, including a one-time passcode (OTP), a biometric authentication method, or possession of a physical device or token. The user must successfully present or authenticate with this second factor to proceed with the login process.
If both authentication factors are successfully validated, access to the system or application is granted. The user is then securely logged into the system, where they can perform authorised actions or access protected resources. However, if either authentication factor fails to verify the user’s identity, access is denied, and additional authentication attempts may be required.
Common types of multi-factor authentication
Knowledge-based authentication relies on something the user knows, such as a password, PIN, or security question. Users are prompted to enter their credentials during the login process to verify their identity. Knowledge-based authentication is one of the most traditional methods but is susceptible to vulnerabilities such as password theft and phishing attacks.
Possession-based authentication involves something the user has, such as a smartphone, security token, or smart card. Users are required to possess a physical device or token to authenticate their identity. Common methods include one-time passcodes (OTPs) sent via SMS or generated by authentication apps, as well as hardware tokens that generate unique codes for each login attempt.
Biometric authentication uses unique biological traits of the user, such as fingerprints, facial features, or iris patterns, to verify identity. Users are prompted to provide biometric data through devices like fingerprint scanners, facial recognition systems, or iris scanners.
Location-based authentication verifies the user’s identity based on their physical location. This method utilises geolocation data from the user’s device to confirm their presence in a specific location.
Time-based authentication validates the user’s identity based on the time of the authentication attempt. Users are required to provide a time-sensitive code or token that is valid only for a specific period, typically a few minutes. Time-based authentication adds an extra layer of security by ensuring that authentication codes are only valid for a limited time, reducing the risk of interception and unauthorised access.
Behavioural authentication analyses the user’s behaviour and patterns to verify their identity. This method assesses factors such as typing speed, mouse movements, and device usage patterns to create a unique behavioural profile for each user. Behavioural authentication offers continuous authentication capabilities, adapting to changes in user behaviour over time to detect suspicious activities and unauthorised access attempts.