Multi-factor authentication (MFA) is a security control used to verify that users who authenticate with credentials are indeed who they claim to be. MFA achieves this by requiring users to present, in addition to their credentials, a further independent proof of identity: something they know, something they have, or something they are.
The need for MFA arises from the fact that credentials alone no longer suffice as a trusted identifier of legitimate users. In recent years we have witnessed a sharp increase in the volume of attacks that use compromised user credentials to access target resources. According to Microsoft, MFA is 99.9% effective in preventing such identity-based attacks. The reason is that even if a user's credentials are compromised, MFA makes it very difficult for an attacker to satisfy the remaining authentication requirements.
MFA adds additional steps to the authentication process. The number of these steps varies per configuration and context. These are the three basic MFA categories:
Something you know: the most basic example of this category is of course a password, or any variation of a memorable piece of data that is configured by or for the user. This category also includes personal background questions which presumably only you would know how to answer.
Generally speaking, this category is considered the least secure since both passwords and private information can be compromised or guessed by attackers.
Something you have: this category is much harder to compromise and includes various physical items that only you possess, such as mobile phones, physical tokens, key fobs and smart cards.
The physical item can serve either as a carrier of the verification step (for example, a mobile phone that displays a one-time password) or as the verifier itself, such as a physical token. The latter is considered more secure because it involves less data exchange during the authentication process, which leaves an attacker less to intercept.
Something you are: this is considered the most secure factor category and includes your physical identifiers, most commonly a fingerprint read by your mobile phone or hardware token, but also voice, facial recognition and any other unique biometric.
Any combination of these three authentication-factor categories materially increases account security and reduces the likelihood of its compromise.