Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is an authentication method that uses two or more different mechanisms to verify a user's identity, rather than relying solely on a simple username and password combination. MFA helps prevent unauthorized access to applications and sensitive data, helping organizations defend against identity theft, cyberattacks, and data breaches.

Enterprises use MFA to control access to internal IT systems and solutions as well as customer-facing applications. In the consumer space, financial services firms, healthcare providers, insurance companies, cloud solution providers, and many others use MFA to prevent data breaches, fraud, and abuse. MFA helps improve the security of traditional on-premises IT infrastructure and also helps strengthen cloud security.

Basic username/password authentication schemes are vulnerable
Simple authentication methods that require only a username and password combination are inherently weak. Attackers can guess or steal credentials and use a variety of techniques to gain access to sensitive information and IT systems, including:

  1. Brute force - trying programmatically generated username/password combinations or common weak passwords such as 123456
  2. Credential stuffing - using stolen or compromised credentials from one account to gain access to other accounts (people often reuse the same username/password combination across multiple accounts)
  3. Phishing - using fake emails or text messages to trick victims into handing over their credentials
  4. Keylogging - installing malware on a computer to capture username/password keystrokes
  5. Man-in-the-middle attacks - intercepting traffic (e.g. over public Wi-Fi) and replaying the captured credentials
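Two of the attacks listed above, brute force and credential stuffing, leave distinctive shapes in authentication logs: the first hammers one account from one address, the second cycles one address through many accounts, typically with a single attempt each. The example below is added here (it is not from the original post) and shows a small classifier over constructed failed-login records; the log line format, the thresholds and the IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of failed-login records (not from any real system). The
# line format "<timestamp> auth_fail user=<name> ip=<addr>" is an assumption
# made for this example; adapt the regex to your own authentication logs.
SAMPLE_LOG = """\
2024-01-01T10:00:01 auth_fail user=alice ip=203.0.113.5
2024-01-01T10:00:02 auth_fail user=alice ip=203.0.113.5
2024-01-01T10:00:03 auth_fail user=alice ip=203.0.113.5
2024-01-01T10:00:04 auth_fail user=alice ip=203.0.113.5
2024-01-01T10:00:05 auth_fail user=alice ip=203.0.113.5
2024-01-01T10:00:06 auth_fail user=alice ip=203.0.113.5
2024-01-01T10:01:00 auth_fail user=bob ip=198.51.100.7
2024-01-01T10:01:01 auth_fail user=carol ip=198.51.100.7
2024-01-01T10:01:02 auth_fail user=dave ip=198.51.100.7
2024-01-01T10:01:03 auth_fail user=erin ip=198.51.100.7
2024-01-01T10:01:04 auth_fail user=frank ip=198.51.100.7
2024-01-01T10:02:00 auth_fail user=alice ip=192.0.2.9
2024-01-01T10:02:30 auth_fail user=alice ip=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth_fail user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_failures(log_text):
    """Return a list of (ip, user) pairs, one per failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not failed-login records are skipped
            events.append((m.group("ip"), m.group("user")))
    return events


def classify_sources(events, brute_threshold=5, stuffing_threshold=5):
    """Label each source IP by the shape of its failures.

    brute_force:         many failures against a single account from one IP
    credential_stuffing: one IP cycling through many different accounts,
                         typically one attempt each (leaked credential pairs)
    normal:              a handful of failures, consistent with typos
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in events:
        per_ip[ip][user] += 1

    labels = {}
    for ip, users in per_ip.items():
        if max(users.values()) >= brute_threshold:
            labels[ip] = "brute_force"
        elif len(users) >= stuffing_threshold:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "normal"
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip:15} {label}")
```

Either label is a signal to rate-limit or lock out the source, but MFA is what makes a correctly guessed or stuffed password insufficient on its own; the detection and the second factor complement each other.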

Multi-factor authentication provides an extra layer of security

MFA helps defend against these common attacks by requiring two or more different forms of authentication (also known as authentication factors), not just a simple username and password combination.

Authentication factors include

  1. Knowledge factor - something the user knows, such as a password or the answer to a security question
  2. Possession factor - something the user owns, such as a mobile device or a proximity badge
  3. Intrinsic factor - something biologically unique to the user, such as fingerprints or facial features
  4. Location factor - the geographic location of the user

With MFA, users must present two different forms of proof—for example, what they know and what they have—to confirm their identity. So even if cybercriminals have a username and password (something the user knows), they still cannot access the account without other forms of evidence, such as a security code sent to the user's mobile device (something the user has).

Examples of evidence used in multi-factor authentication include:

  • Username and password
  • Code sent by email or SMS
  • Proximity badge, physical token or USB device
  • Software token or certificate
  • Answers to personal security questions
  • Fingerprint, voice or facial recognition, or retinal scan
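The "software token" in the list above is usually a time-based one-time code (TOTP, RFC 6238) generated by an authenticator app. The example below is added here (it is not from the original post) and shows, with only the Python standard library, a login that combines a knowledge factor (a salted PBKDF2 password hash) with a possession factor (a TOTP code). The user record, the password and the use of the RFC 6238 test secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Example code added to this page (not from the original post). It implements
# RFC 4226 HOTP / RFC 6238 TOTP with the standard library and combines a
# password check (knowledge factor) with a TOTP code (possession factor).


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 one-time code for a counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based code: HOTP over the current 30-second time step (RFC 6238)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the code for the current step or +/- `window` adjacent steps,
    tolerating small clock drift between the token and the server."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, hash)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, stored_hash, iterations=200_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored_hash)


def login(record, password, code, unix_time):
    """Two-factor login: 'ok' only when BOTH factors check out.

    Both factors are always evaluated and the response is the same generic
    'denied' whichever one failed, so someone holding only the password
    (e.g. from a phishing page) learns nothing from the outcome.
    """
    password_ok = verify_password(password, record["salt"], record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return "ok" if password_ok and code_ok else "denied"


if __name__ == "__main__":
    # Constructed user record. The TOTP secret is the RFC 6238 test secret,
    # used here only so the codes can be checked against the published vectors.
    salt, pw_hash = hash_password("correct horse battery staple")
    user = {"salt": salt, "pw_hash": pw_hash,
            "totp_secret": b"12345678901234567890"}
    now = 59  # RFC 6238 test time; in practice use int(time.time())
    print("code for this step:", totp(user["totp_secret"], now))
    print(login(user, "correct horse battery staple", totp(user["totp_secret"], now), now))
```

The drift window is the practical edge case: a token whose clock is half a minute off would otherwise fail every login, but widening the window beyond one step also widens the interval in which an intercepted code can be replayed, so keep it small and reject a code once it has been used.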

Adaptive MFA improves user experience and aligns authentication factors with risks

The latest MFA solutions support adaptive authentication, using contextual information (location, time, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a specific user in a specific situation. For example, a customer accessing an online banking site from a trusted home computer might be able to log in using only a username and password, but to access the same bank's website from abroad, that customer may also have to enter a one-time, short-lived code sent to their mobile phone via text message.
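A policy engine of the kind described above can be expressed as a risk score computed from context signals, mapped to the set of factors the user must present. The example below is added here (it is not from the original post): the signals, weights and thresholds are assumptions chosen for illustration, and the third tier (requiring a hardware token at high risk) goes beyond the two-tier example in the text.

```python
from dataclasses import dataclass

# Example code added to this page (not from the original post). The signals,
# weights and thresholds are assumptions chosen for illustration; a real
# deployment tunes them against its own fraud and lockout data.


@dataclass(frozen=True)
class LoginContext:
    user: str
    ip_country: str       # country of the source IP (GeoIP lookup assumed done upstream)
    device_trusted: bool  # device previously enrolled and remembered for this user
    hour_local: int       # local hour of day, 0-23
    new_ip: bool          # first time this user is seen from this address


class AdaptivePolicy:
    """Maps login context to a risk score, and the score to required factors."""

    def __init__(self, home_country="US", business_hours=range(6, 23)):
        self.home_country = home_country
        self.business_hours = business_hours

    def risk_score(self, ctx):
        score = 0
        if not ctx.device_trusted:
            score += 2
        if ctx.ip_country != self.home_country:
            score += 2
        if ctx.hour_local not in self.business_hours:
            score += 1
        if ctx.new_ip:
            score += 1
        return score

    def required_factors(self, ctx):
        score = self.risk_score(ctx)
        if score == 0:
            return ["password"]                             # trusted home computer
        if score <= 3:
            return ["password", "sms_otp"]                  # e.g. abroad: add a one-time code
        return ["password", "sms_otp", "hardware_token"]    # high risk: stronger possession proof

    def authorize(self, ctx, presented):
        """presented: dict of factor name -> bool, each already verified by
        its own checker. Access is granted only when every factor the risk
        level requires has been verified."""
        required = self.required_factors(ctx)
        return all(presented.get(factor, False) for factor in required)


if __name__ == "__main__":
    policy = AdaptivePolicy()
    home = LoginContext("alice", "US", device_trusted=True, hour_local=10, new_ip=False)
    abroad = LoginContext("alice", "FR", device_trusted=True, hour_local=10, new_ip=True)
    for ctx in (home, abroad):
        print(ctx.ip_country, policy.risk_score(ctx), policy.required_factors(ctx))
```

Keeping the score and the factor mapping separate is the design point: the signals can be tuned or extended (impossible-travel checks, device reputation) without touching the code that enforces which factors were actually verified.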


Source: blog.csdn.net/qq_41084082/article/details/121478165