Multi-factor authentication, also known as MFA, is a digital technology that provides multiple authentication methods for websites, on-premise software, web apps, and mobile applications. Unlike a typical single-step authentication process when users enter their credentials to access an account, multi-factor authentication adds two or more cybersecurity layers to the standard user verification procedure.
What Is MFA?
The correct definition for a digital technology related to user verification.
Which Is the Most Popular Authentication Factor?
In other words, the difference between single-step authentication and MFA lays in a number of steps required to pass validation. With a standard single-factor verification, you should type in your username and password to sign in. Even though the system asks you for entering another sensitive data you may know, for example, a favorite mobile device vendor or most recently used software, this process refers to a single-factor authentication with multiple steps or multi-step authentication because it involves a single factor – information you know.
MFA is often confused with two-factor authentication (2FA). Like 2FA, multi-factor authentication relies on three different factors that can be used to verify a user whereas a single step verification uses only one factor for authorization. While two-factor authorization involves only two factors, MFA includes two or more factors at the time (typically three). It’s important to distinguish steps and factors. Like 2FA, multi-factor authentication can include more than three steps involving the use of different identifiers referring to the same authorization factor. That’s why the MFA process can include four factors and four or more steps.
The knowledge factor, also known as something users know, refers to sensitive data a user keeps in his memory and then enters it to get access to an account. This data can include a password, username, date of birth, last name, secret phrase, personal identification number (PIN), etc. Knowledge is a typical factor used in a standard single-step verification.
The possession authentication factor (something users have) refers to an object or device, for example, a smartphone or hard security token, belonged only to the user who wants to access his account. This item usually contains personal data to be entered during the authentication procedure. This data can include a one-time password (OTP) sent to a user’s mobile device via a push notification or SMS, CVV2 code on a credit card, radio frequency identification (RFID) tag stored on a smart card, etc.
The inherence factor, also known as something users are born with or something a user is, relies on psychological and behavioral biometric identifiers. Examples of biometrics are fingerprints, palm veins, retina scent, face recognition, iris recognition, etc. Today’s smartphones mostly use fingerprints and face recognition as a means of the inherence authentication factor.
The location factor, also known as somewhere users are, uses the user location to provide access to a personal account. In case where this location differs from the set one, the system blocks the unauthorized access attempt or even lockouts the account. This factor shouldn’t be used without an additional authentication factor for user verification.
The lack of cybersecurity awareness among Internet users makes multi-tier authorization less popular than it should be. According to the 2019 State of Password and Authentication Security Behaviors Report published by Yubico, 67% of respondents don’t use MFA for their personal accounts whereas 55% don’t use it even at work. Thus, they put their sensitive data at serious risk taking into account that 2 out of 3 users share their passwords with colleagues. The advantages of MFA allow users to securely manage their personal and business accounts rather than protect passwords from hackers.
One of the main benefits of multi-factor authentication is that it ensures reliable protection from such hacking attempts as keylogger and brute force attacks. If an attacker manages to compromise credentials, this information won’t be enough to access an account anyway. With MFA enabled, it becomes nearly impossible for hackers to bypass all authorization steps. Once they enter correct login details, they also have to compromise biometrics or intercept an OTP which requires more cost and effort to conduct a successful attack.
In their recent study, researchers from Google showed how adding an extra factor to a standard one-step authorization can increase cybersecurity. During their experiment, a one-time password sent to a recovery phone number blocked 100% of brute force attacks, 99% of bulk phishing attacks, and 66% of targeted attacks. This proves that multi-factor authentication can’t guarantee 100% protection, but it greatly reduces the risk of getting hacked.
In addition, MFA keeps hackers away from the initiation of hacking attempts. Microsoft states that hacking attacks focused on corporate accounts protected with MFA are that rare that the company does not even record them. However, Alex Weinert from Microsoft calls the low popularity of multi-factor authentication a restraining factor for hackers to develop methods capable of bypassing it. He added that only 10% of their employees were using MFA for restricting access to enterprise accounts. Therefore, raising awareness of the advantages of multi-factor authentication will greatly impact the overall Internet security while encouraging hackers to create new bypassing tricks.
Various industry standards require involved parties to be compliant with the rules mentioned in such documents as the Payment Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act. For example, HIPAA obliges both healthcare providers and covered entities to create and implement effective “policies regarding password management. Otherwise, a massive PHI disclosure can lead to tremendous fines that’s why “access to hardware and software must be limited to properly authorized individuals”.
Although HIPAA doesn’t directly require using multi-factor authentication for avoiding unauthorized access to personal patient data, this cybersecurity measure can help healthcare providers and covered entities comply with the act. With MFA implemented, HIPAA involved parties can significantly reduce the risk of the PHI disclosure as well as protect their databases from cyber threats and avoid financial penalties from regulators.
Leveraging different roles
Corporate software often requires different levels of access to business accounts. Higher levels usually refer to more important or confidential data that requires stronger protection while typical one-step verification based on the knowledge factor can be enough for accessing common business information. The above-mentioned HIPAA requires providing access to PHI only for those employees who need this data to accomplish their direct duties.
“Procedures should clearly identify employees or classes of employees who have access to electronic protected health information (EPHI). Access to EPHI must be restricted to only those employees who have a need for it to complete their job function”.
This requirement reveals the other benefits of MFA. This technology can enable healthcare providers or any other companies to leverage different roles to control the level of access. Enhanced with MFA, effective role-based access management allows businesses to set necessary permissions for team members in accordance with their responsibilities while optimizing the authorization process for different roles. Thus, employees will spend less time on the user verification process if they need no access to confidential data while a high access level will require passing more steps for more reliable account protection.
Billions of people suffer hacking attempts every day, In 2018, 765 million users were affected by cyber threats including ransomware and malware within only three months. Despite MFA can mitigate these risks, many people still resist using this technology for application account protection. The reasons lay in the disadvantages of multi-factor authentication that mostly refer to efforts required to implement it and the need for passing additional steps every time you need to access your account.
One of the main disadvantages of MFA is the cost of implementation, especially for corporate use. While such B2C services and applications as Facebook or Google Gmail offer the advanced authorization technology for free of charge, software-as-a-service (SAAS) vendors often charge their clients for ensuring reliable protection from hackers. Focused on corporate customers, dedicated solutions cost a few thousands of dollars. Using smart cards, biometric scanners, or hardware tokens as one of the authentication factors requires additional investments.
For example, the report by WatchGuard reveals the average MFA price: to implement multi-factor authentication for 100 employees, companies have to annually spend about $2,700 whereas Google Authenticator mobile application, which sends push notifications with an OTP, is free. On the other hand, WordPress website owners can get MFA for $200-$500 per year by purchasing and installing the Sucuri Security plugin or iThemes Security.
Unfortunately, there exist no solutions that can guarantee 100% protection from hacking attacks. That’s why one of the most important drawbacks of MFA is its vulnerabilities. A mobile device or hardware token can be stolen, voice can be replicated, and iris scanners can be hacked. Moreover, hackers can apply man-in-the-middle attacks to intercept SMS to get access to an OTP.
When it comes to the disadvantages of 2FA based on the possession factor, this technology offers less security. A hacking tool called Modlishka created by a Polish Internet security specialist can intercept any data entered by a user. The solution is a reverse proxy that places its own server between a target website and user. It displays a copy of this website while intercepting any sensitive data the user types. This data includes one-time passwords sent via SMS, push notification, secondary email, or any other way.
That’s why you should use multi-factor authentication based on more than two different factors. Altogether these factors form a tough barrier for cybercriminals but unovercomable though. The more secure the system is, the more challenges it brings to attackers and the more chances of blocking hacking attempts it provides.
Login and recovery
Unfortunately, additional steps also lead to a number of inconveniences. While ensuring more reliable security, users have to spend more time on each authorization procedure. When logging on another device or from a new location, users may experience more fuss than usually. Furthermore, the possession authentication factor requires sharing a personal phone number with an MFA system that can be compromised or used for sending spam messages.
One of the biggest drawbacks of multi-factor authentication is an account recovery. If the MFA solution relies on a secondary identity provider, then users should memorize additional login details. If they forget those credentials, the inability to access a secondary email address can lead to an account lockout because a user won’t be able to open a message with a restoration code. On the other hand, it makes no sense implementing MFA when using the same username and password for a secondary email.
Is MFA worth it?
Let’s assume that multi-factor authorization implies the use of three authentication factors rather than at least two of them. In this case, it makes sense to sum up the benefits and drawbacks of MFA over 2FA. Indeed, multi-factor verification causes some inconveniences because of additional steps in the overall authorization process. In addition, this technology can’t ensure 100% protection from any kind of cyber threats and its implementation can turn out to be too expensive for some companies and users. However, extra minutes and costs are a fair price for much more reliable cybersecurity.