Multi-factor authentication (MFA): What it is and how it worksLink to this section
Authentication is a foundational part of accessing the platforms, software and apps you use every day. From social media to emails, entering login credentials is the key that unlocks access to secure software and networks.
You’re likely familiar with entering a username and password: it’s a simple, familiar way to confirm your identity and keep your accounts secure. But with data breaches at an all-time high, additional layers of security are proving more important than ever.
Multi-factor authentication (or MFA, for short) uses a combination of authentication factors to keep intruders out and only allow authenticated users in. There’s a reason why banks and financial institutions swear by it: adding additional authentication factors means it’s almost impossible to guess credentials or gain access through brute-force attacks.
Implementing MFA into your systems needs to be a non-negotiable to boost your platform’s security, win customer trust and lower the likelihood of cyberattacks and data breaches. Knowing how MFA works, what types of MFA exist and the benefits of MFA can help you decide which solution is right for your situation.
Multi-factor authentication (MFA) definedLink to this section
Authentication is the process of confirming that someone is who they claim to be. In its most basic form, one-factor authentication uses a single set of login credentials (typically a username and password) to confirm a person is a verified user.
This approach comes with plenty of vulnerabilities. If a user has set the same password for multiple sites, it can be easy for hackers to gain access to a stack of private accounts. Plus, setting easy-to-remember (but weak) passwords is really common, heightening the chance of a cyberattack even further.
With multi-factor authentication, users can harness additional layers of security to keep their personal information and data safe and secure.
MFA uses a combination of two or more authentication factors to unlock access to anything from online banking platforms to social media apps. Today, MFA is a critical part of a strong identity and access management (IAM).
Typically, MFA requires users to share a username and password along with one or more additional verification factors (such as entering a time-sensitive passcode, scanning their fingerprint or clicking a magic link).
Authentication factors can be broken down into these key categories:
- Something you know (knowledge factor): this is a set of credentials that you can remember, such as a username, email address, and password.
- Something you have (possession factor): something tangible that only you own, such as a smartphone that can receive time-sensitive passcodes (OTPs) or a physical security device that generates real-time codes.
- Something you are (inherence factor): this is something unique to you, whether that’s scanning your face, your fingerprint or even a retina scan.
There are also complimentary or secondary authentication factors that can be used alongside these core elements. The first is time factors which determine when someone is trying to authenticate access, and how long this has been since the previous login attempt. This is often used alongside location factors, which use GPS tracking or network routes to figure out where someone is attempting to log in from.
Take this example: if a user is attempting to gain access from an unregistered device in Sydney, and their previous login attempt was an hour ago in London, you might assume this is an unauthorized user.
This is also known as adaptive authentication or as risk-based authentication. Rather than seeing authentication factors in isolation, this approach considers context and behavior and assigns levels of risk with each login attempt.
Usually, a series of questions are used to figure out whether this is a low or high-risk login attempt. These questions can include:
- Where is the user located during this login attempt?
- Is the user logging in during or outside of ‘normal company hours’?
- What device is being used? Is it the same device as the user’s last attempt?
- Is the user logging in on a private or public network?
How MFA worksLink to this section
Getting started with MFA involves selecting the types of authentication factors at play. Typically that starts with a user’s login credentials (a username and password).
Then, additional verification factors are layered on. The important piece here is to ensure you’re using different types of authentication factors from possession factors to knowledge factors and beyond. The act of combining factors is what helps MFA retains its top-notch security status.
A common MFA factor is one-time passwords (OTPs), which as multi-digit codes sent in real-time to your phone, app, or inbox. These codes are time-sensitive and will refresh every 30 to 60 seconds in many cases.
These codes use a seed value that is assigned to you (the user) when your first sign up. Over time this code is refreshed or changed, either by a time value or by the counter increasingly incrementally.
The importance and benefits of multi-factor authenticationLink to this section
Passwords aren’t something that can be eliminated overnight. In isolation, passwords can be weak and vulnerable to attacks from outsiders. But, when paired with additional authentication factors, these credentials can be strengthened to meet modern-day security standards.
MFA’s main goal is to stop attackers in their tracks. To do so, MFA uses roadblocks (a.k.a. Additional authentication factors) that trip up unauthorized users and make it almost impossible to gain access.
Even if an attacker manages to guess or steal a password, additional layers of security (such as OTPs) are needed to grant access. Without meeting all the requirements of MFA, the user will remain locked out. This is particularly important for platforms handling sensitive data, such as banking apps or software that stores a user’s personal or professional information.
The biggest benefits of MFA include:
- Enhancing security: with multiple factors at play, MFA is one of the strongest forms of authentication available. Even if one credential is compromised, the additional layers of security needed to unlock an account will keep the user’s platforms safe and secure.
- Lowering cyberattack risk: research shows that 61% of data breaches in 2020 were linked to unauthorized users gaining access to a person’s login credentials. Using OTPs, face ID and fingerprint scans tightens a platform’s security and lowers the likelihood of accounts being accessed by attackers, too.
- Removing password reliance: passwords are vulnerable to attacks from a range of outside sources. While passwords are often used in MFA, these credentials are bolstered by stronger forms of authentication. As cyberattacks increase in sophistication, moving away from password-only verification needs to be a priority for apps, platforms, and companies of all sizes.
- Compatibility with single sign-on (SSO): setting unique credentials for every site and app you use is no longer needed thanks to SSO. This method of authentication reduces friction in the user journey by allowing you to sign in to platforms using your existing login details. The best bit? SSO and MFA are compatible, meaning you can strengthen the security of your accounts without needing to register for a new account time and time again.
- Meets regulatory requirements: a range of industries and sectors come with strict requirements for cybersecurity and password management. In many cases, MFA is a baseline expectation. From banks to healthcare providers, tapping into MFA delivers more secure systems for users while allowing companies to remain compliant.
- Suitable for multiple scenarios and use cases: from high-value transactions to sharing sensitive medical information, MFA is a versatile authentication method that works across almost every industry. Its design and high level of security make it perfect for a range of applications and scenarios, with built-in features that flag suspicious activity.
- Boosts user trust: most importantly, MFA provides valuable peace of mind to end users. Building MFA into your sign-up processes alleviates privacy concerns from the beginning and gives users confidence in the security of your platform, helping to boost sign-ups.
Seven methods of multi-factor authenticationLink to this section
Each app and platform will require a unique set of authentication factors. For some, OTPs and fingerprint scans will make sense, while others might find security keys more useful.
To pick the right methods of MFA you need to understand your options, which can be broken down into seven key methods of MFA.
U2F security keysLink to this section
If you’ve ever been sent a token or physical token from your bank, you’ll be familiar with universal 2nd factor (U2F) security keys. These devices (either tokens or cards) fall under the possession factor of MFA and produce time-sensitive codes that can be used to verify your identity.
There are two main ways of using U2F security keys: you’ll either be prompted to press a button on your device or tap it using Near Field Communication (NFC).
These devices use public key cryptography to verify your identity. By entering the right code, the web browser or app grants you access to the secure platform.
Physical one-time PIN (OTP) tokensLink to this section
Another type of MFA that uses a possession factor is physical one-time PIN tokens. These devices display a time-sensitive one-time PIN that can be used as an additional layer of security.
Here’s how it works: both the physical token and authentication service are synchronized. When a user attempts to log in, they will need to enter the right one-time PIN to be granted access.
If the wrong digits are entered or the PIN is refreshed, the user won’t be able to successfully access their account. This is a powerful method of security as authentication is dependent on a unique, time-sensitive code that can’t be guessed or accessed by outside intruders.
BiometricsLink to this section
More companies are embracing the benefits of biometric authentication. Falling under the category of inherence factor, biometrics refers to any kind of biometric data that is used for authentication.
Most commonly, this includes fingerprint scans, facial recognition tech as well as retina scans. As each person has a unique fingerprint, this makes biometrics such a secure method of authentication. This can significantly lower the chance of identity theft and give users added confidence that their data remains secure and protected.
SmartcardsLink to this section
As the name suggests, this authentication method uses a private key stored within a smart card. When a user attempts to log into an account, they’ll be prompted to unlock their smart card by entering a unique PIN or password.
Once unlocked, the device verifies the user’s identity by submitting an authentication request with the user’s private key. Then, the request is verified by ensuring the correct private key has been used. This is what will successfully unlock access to a particular platform or app.
Mobile appsLink to this section
One-time passwords (OTPs) can be generated in a number of ways. One of the most common is through mobile apps, such as Google Authenticator.
After entering your username and password into a site, you’ll be prompted to open your mobile app with these authentication codes. These time-sensitive passwords will need to be entered into the authentication service to ensure you’re granted access.
Only one unique code will confirm your identity, which makes this method of MFA strong, secure, and incredibly difficult to guess.
SMS, emails and voice callLink to this section
Another way to receive these OTPs is via a text message, email or voice call to your mobile device. Again, this is a secure approach as these codes are only sent to your device and cannot be guessed or stolen by outside intruders.
Software certificatesLink to this section
The final method of authentication uses what’s called a software certificate, stored on a user’s device. When attempting to log in, the system access this software certificate (stored as a file) to verify that this user is who they say they are.
The role of MFA in security and identity managementLink to this section
MFA is one of the core processes involved in identity and access management (IAM). By using multiple authentication factors to confirm a user’s identity, MFA is one of the more secure ways to grant access to secure platforms and systems.
The aim of IAM is to keep platforms running smoothly, balancing user experience with platform security. Moving away from a reliance on passwords enables systems to increase their security protocols without adding too many layers of friction in the user journey.
As cyberattacks become more complex and sophisticated, it’s also important to rethink how you approach IAM. MFA acts as a powerful first line of defense that stops intruders before they’re entered your platform while ensuring individuals can access resources across multiple apps and devices with ease.
How we approach MFA at KindeLink to this section
If you want to give your users access to advanced authentication options and protect them from reused or breached passwords, multi-factor authentication needs to be a priority.
At Kinde, we leverage MFA as an added layer of protection, requiring your users to verify their identity using a one-time password. We offer support for authenticator apps (TOTP), and one-time codes via email or SMS.
We know moving fast is important, with is why getting MFA set up with Kinde is speedy and simple. Use an SDK or API to quickly integrate Kinde into your product.