What is Multi-Factor Authentication (MFA)?

The Need for MFA

Multi-Factor Authentication (MFA) is a security technology used to validate that users who authenticate with credentials are indeed who they claim to be. MFA achieves this by requiring users to provide, on top of their credentials, additional genuine evidence of their identity – something they know, something they have or something they are.

The need for MFA arises from the fact that credentials alone no longer suffice as a trusted identifier of legitimate users. In recent years we’ve witnessed a sharp increase in the volume of attacks that use compromised user credentials to access target resources. According to Microsoft, MFA is 99.9% effective in preventing such identity-based attacks. This is because even if a user’s credentials get compromised, MFA makes it incredibly difficult for attackers to pass the authentication requirements.

How does Multi-Factor Authentication Work?

MFA adds additional steps to the authentication process. The number of these steps varies per configuration and context. These are the three basic MFA categories:

Something You Know

The most basic example of this category is of course a password, or any variation on a memorable piece of data that is configured by or for the user. This category also includes personal background questions which presumably only you would know how to answer.

Generally speaking, this category is considered the least secure since both passwords and private information can be compromised or guessed by attackers.

Something You Have

This category is much harder to compromise and includes various physical entities only you possess – like mobile phones, physical tokens, key fobs and smart cards.

The physical entity can serve either as a carrier of the verification step – for example, a mobile phone that shows a one-time password – or as the verifier itself, such as a physical token. The latter is considered more secure since it entails less data exchange in the authentication process, making it harder for an attacker to intercept.

Something You Are

This is considered the most secure factor category and includes your physical identifiers – most commonly a fingerprint on your mobile phone or hardware token, but also voice, facial recognition and any other unique biometrics.

Any combination of these three authentication-factor categories materially increases account security and reduces the likelihood of its compromise.

Frequently Asked Questions

  • What is MFA?

    Multi-Factor Authentication (MFA) is a security technology that validates users’ identities. It achieves this by asking users to provide additional evidence of their identity on top of their credentials, usually in the form of a numerical code sent via SMS, email, or an authenticator app.

  • Is MFA better than 2FA?

    In terms of security, MFA is generally considered to be more secure than 2FA, since it provides an additional layer of protection. MFA is particularly effective at preventing attacks that rely on stolen or compromised passwords, as the additional factors of authentication make it much more difficult for attackers to gain access to accounts. Additionally, MFA can provide more flexibility in terms of the authentication factors that can be used, allowing users to choose the combination of factors that works best for them.

  • Can hackers bypass MFA?

    One way that hackers may attempt to bypass MFA is by using social engineering tactics to trick users into disclosing their authentication factors. For example, an attacker may pose as a legitimate source and ask the user to provide their authentication factors, such as a one-time code generated by a mobile app or sent via SMS. This type of attack is known as a phishing attack, and it can be difficult for users to detect, particularly if the attacker is skilled at mimicking legitimate sources.

    In addition, some authentication factors may be more vulnerable to attack than others. For example, SMS-based authentication has been shown to be vulnerable to a type of attack known as SIM swapping, where an attacker is able to take control of a victim’s phone number and intercept SMS messages. This can allow the attacker to bypass MFA and gain unauthorized access to accounts.

    To reduce the risk of attack, it is important for users to be vigilant and aware of the risks, and to implement advanced security measures such as anomaly detection and user behavior analytics to detect and prevent attacks in real time.