by Alex Brown
Traditional, password-based authentication is insecure. People commonly choose weak passwords or reuse the same password across multiple different accounts. This makes it easy for cybercriminals to guess or steal passwords, providing access to legitimate user accounts.
Multi-factor authentication (MFA) is designed to improve authentication security by requiring more than a password to log in. If a password is weak or leaked, the password alone is not enough for an account takeover attack. In this article, we answer the question: what is MFA?
Two-factor authentication (2FA) and multi-factor authentication (MFA) get their names from the fact that they require multiple different “factors” for a user to authenticate. 2FA requires two factors, while MFA requires two or more factors.
The factors used in MFA fall into three categories: knowledge-based factors (“something you know”, such as a password), possession-based factors (“something you have”, such as a smartphone or an authentication token on a device), and inherence-based factors (“something you are”, such as a fingerprint).
A combination of knowledge-based and possession-based factors is the most common form of MFA. For example, a user may authenticate by entering a password (“something you know”) and a one-time passcode texted to their smartphone (“something you have”). To authenticate, a user needs to both know the password and have the phone, making this MFA.
However, other combinations are possible. For example, passwordless MFA combines possession-based and inherence-based factors. This could include using fingerprint recognition (“something you are”) to authenticate a user and reading an authentication token from a device (“something you have”).
Not all MFA factors are equally secure: different types of factors offer different levels of security.
The primary benefit of MFA is improved account security. If an authentication system relies on a single factor, then an attacker only needs to learn or steal that factor. The use of multiple factors makes it more difficult for an attacker to successfully take over a user account.
However, the security benefits that an MFA solution provides depend on its implementation, the factors used, and whether or not it truly uses two distinct types of factors. For example, some websites use an emailed one-time code as a possession-based factor alongside a password. However, if the user logs in to the email account with a password, and that password is the same one used for the other account, then both factors are in practice knowledge-based and the MFA provides no additional security.
MFA provides additional security, but this can come at the cost of convenience in some cases. For example, a possession-based factor requires a user to have and use a physical device as part of the authentication process.
The security benefits of MFA are necessary in some cases but not in all. A company may decide that MFA is unnecessary in low-risk situations, but that the protection provided by multiple factors is required in other scenarios. For example, password-based authentication may be acceptable when working from the office, but a remote worker may need the security provided by MFA.
Adaptive MFA makes this possible by allowing an organization to define rules for the authentication process. The user’s computer can provide contextual information (such as location and time of day) that can be used to determine risk levels. Based on the level of risk, an application could choose to forgo MFA or even require additional factors for extremely high-risk scenarios.
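As an added illustration (not code from the original article), here is a small Python policy evaluator that combines the two points above: it counts the distinct factor categories a login actually demonstrates, collapsing an emailed code guarded by the same password back to “something you know”, and applies a hypothetical adaptive rule set that decides how many categories a given context requires. The rule thresholds, context fields and sample factors are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"

@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # True when the factor arrives over a channel (e.g. an email inbox) that is
    # guarded by the same password as the account being protected; it then
    # only proves knowledge of that password, not possession of anything.
    guarded_by_same_password: bool = False

    def effective_category(self):
        return Category.KNOWLEDGE if self.guarded_by_same_password else self.category

def distinct_categories(factors):
    """Count categories actually demonstrated. Two factors of the same
    category (two passwords, or a password plus a code mailed to an inbox
    opened with that same password) do not make a login multi-factor."""
    return len({f.effective_category() for f in factors})

def required_categories(location, hour, known_device):
    """Hypothetical adaptive rules: an office login from a known device during
    working hours may use a password alone; a remote login needs two categories;
    a remote login from an unknown device outside working hours is treated as
    extremely high risk and needs all three."""
    working_hours = 8 <= hour < 18
    if location == "office" and known_device and working_hours:
        return 1
    if location != "office" and not known_device and not working_hours:
        return 3
    return 2

def decide(factors, location, hour, known_device):
    """Return (allowed, categories required, categories demonstrated)."""
    need = required_categories(location, hour, known_device)
    have = distinct_categories(factors)
    return have >= need, need, have

# Constructed sample factors for the checks below.
PASSWORD = Factor("password", Category.KNOWLEDGE)
SMS_CODE = Factor("SMS one-time passcode", Category.POSSESSION)
FINGERPRINT = Factor("fingerprint", Category.INHERENCE)
EMAIL_CODE_REUSED = Factor("emailed code", Category.POSSESSION, guarded_by_same_password=True)
```

Calling `decide([PASSWORD, EMAIL_CODE_REUSED], "remote", 10, True)` denies the login because only one distinct category was really demonstrated, which is exactly the reused-password pitfall described above.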
Single sign-on (SSO) and the Security Assertion Markup Language (SAML) are other technologies designed to improve the security and usability of authentication systems. Instead of requiring a user to use different credentials to authenticate to different accounts, SSO and SAML allow a single authentication that provides access to multiple applications.
SSO and SAML can help reduce weak passwords and the burden of authenticating repeatedly, but an attacker who compromises a user’s SSO or SAML account gains full access to every linked account. By combining MFA with SSO or SAML, an organization can more strongly verify a user’s identity before providing them with access to multiple accounts.
MFA improves account security by bolstering a weak password with another authentication factor. However, this provides limited protection if both factors are insecure.
Passwordless authentication addresses the problem of insecure passwords by replacing a password with a non-password factor, such as “something you have” or “something you are”. Passwordless MFA combines the two concepts, using multiple non-password factors for user authentication.
A self-professed technology geek, content writer Alex Brown is the kind of person who actually reads the manual that comes with his smartphone from cover to cover. His experience evangelizing for the latest and greatest tech solutions gives him an energized perspective on the latest trends in the authentication industry. Alex most recently led the content team at Boston-based tech company Form.com.