Published: 4 January 2024
Contributors: Matthew Kosinski, Amber Forrest
Multi-factor authentication (MFA) is an identity verification method in which a user must supply at least 2 pieces of evidence, such as their password and a temporary passcode, to prove their identity.
Many internet users are familiar with the most common form of MFA, two-factor authentication (2FA), which asks for exactly two pieces of evidence. For example, to log into an email account, a user might need to enter both their account password and a single-use passcode the email provider sends to their mobile phone via text message.
MFA methods are used outside the internet, too. Using a bank card (the first piece of evidence) and PIN (the second piece of evidence) to withdraw cash from an ATM is a form of MFA.
MFA has become an increasingly important piece of corporate identity and access management (IAM) strategies. Standard single-factor authentication methods, which rely on usernames and passwords, are easy to break. In fact, compromised credentials are one of the most common causes of data breaches, according to IBM's Cost of a Data Breach report.
MFA systems add an extra layer of security by requiring more than one piece of evidence to confirm a user's identity. Even if hackers steal a password, it won't be enough to gain unauthorized access to a system. Furthermore, the additional authentication factors are often things like fingerprint scans and physical security tokens—much harder to crack than a simple password.
Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.
Register for the X-Force Threat Intelligence Index
To access sensitive systems and assets—like a banking app, a confidential database or even a restricted office building—users must often pass some form of authentication process. That is, they have to prove they are an authorized user.
In the most basic authentication systems, a password is all it takes. In an MFA security system, users need at least two pieces of evidence, called "authentication factors," to prove their identities.
Say a user is logging into their employer's corporate network, which is protected by an MFA solution. The system would ask for the first authentication factor, typically a username and password combination.
If the first factor is valid, the system will ask for a second. There is more variation in second factors, which can range from one-time passcodes to biometrics and more. If the user wants to access a particularly sensitive part of the network, they may even need to supply a third factor.
The user can only access the system if every required factor checks out. If anything is wrong, the login attempt will fail.
MFA systems can use multiple types of authentication factors, and true MFA systems use at least two different types of factors. Using different types of factors is considered more secure than using multiple factors of the same type because cybercriminals will need to use separate methods across multiple channels to crack each factor.
For example, hackers could steal a user's password by planting spyware on their computer. Yet that spyware wouldn't pick up any one-time passcodes sent to the user's phone, nor would it copy the user's fingerprint. Attackers would need to intercept the SMS message carrying the passcode and hack the fingerprint scanner to gather all the credentials they need to hijack the user's account.
Knowledge factors are pieces of information that, theoretically, only the user would know, such as passwords, PINs and answers to security questions. Knowledge factors, usually passwords, are the first factor in most MFA implementations.
However, knowledge factors—particularly passwords—are also the most vulnerable authentication factors. Hackers can obtain passwords and other knowledge factors through phishing attacks, installing malware on users' devices or staging brute-force attacks in which they use bots to generate and test potential passwords on an account until one works.
Other types of knowledge factors don't present much more of a challenge. Answers to many security questions—like the classic "What is your mother's maiden name?"—can be cracked through basic social media research or social engineering attacks that trick users into divulging personal information.
The common practice of requiring a password and a security question is not true MFA because it uses two factors of the same type—in this case, two knowledge factors. Rather, this would be an example of a two-step verification process. Two-step verification provides some additional security because it requires more than one factor, but it's not quite as secure as true MFA.
Possession factors are things a person owns that they can use to prove their identity. Possession factors include both digital software tokens and physical hardware tokens.
More common today, software tokens are digital security keys stored on or generated by a device the user owns, typically a smartphone or other mobile device. With software tokens, the user's device acts as the possession factor. The MFA system assumes that only the legitimate user would have access to the device and any information on it.
Software security tokens can take many forms, from digital certificates that automatically authenticate a user to one-time passwords (OTPs) that change every time a user logs on.
Some MFA solutions send OTPs to the user's phone by SMS, email or phone call. Other MFA implementations use authenticator apps, specialized mobile apps that continuously generate time-based one-time passwords (TOTPs). Each TOTP expires in 30-60 seconds, making it difficult to steal and use before time runs out and the password is obsolete.
Some authenticator apps use push notifications rather than TOTPs. When a user tries to log into an account, the app sends a push notification directly to the iOS or Android operating system of the user's device. The user must tap the notification to confirm the login attempt is legitimate.
The most common authenticator apps include Google Authenticator, Authy, Microsoft Authenticator, LastPass Authenticator and Duo.
Other authentication systems use dedicated pieces of hardware that act as physical tokens. Some physical tokens plug into a computer's USB port and transmit authentication information automatically to apps and sites. Other hardware tokens are self-contained devices that generate OTPs on demand.
Hardware tokens can also include more traditional security keys, like a fob that opens a physical lock or a smart card that a user must swipe through a card reader.
The main advantage of possession factors is that malicious actors must have the factor in their possession to impersonate a user. Often, that means stealing a physical smartphone or security key. Furthermore, OTPs expire after a set amount of time. Even if hackers steal one, there is no guarantee it will work.
But possession factors are not foolproof. Physical tokens can be stolen, lost or misplaced. Digital certificates can be copied. OTPs are harder to steal than traditional passwords, but they are still susceptible to certain types of malware, spear phishing scams or man-in-the-middle attacks.
Hackers can also use more sophisticated means. In a SIM cloning scam, attackers create a functional duplicate of the victim's smartphone's SIM card, allowing them to intercept any passcodes sent to the user via SMS. MFA fatigue attacks take advantage of MFA systems that use push notifications. Hackers flood the user's device with fraudulent notifications in the hopes that the victim will accidentally confirm one, letting the hacker into their account.
Also called "biometrics," inherent factors are physical traits unique to the user, like fingerprints, facial features and retina scans. Many smartphones and laptops come with face scanners and fingerprint readers, and many apps and websites can use this biometric data as an authentication factor.
While inherent factors are among the most difficult to crack, it can be done. For example, security researchers recently found a way to hack the Windows Hello fingerprint scanners on certain laptops.1 The researchers could break into the fingerprint databases and replace registered users' fingerprints with their own, effectively granting them control of the devices.
Advances in AI image generation also have cybersecurity experts concerned, as hackers could use these tools to fool facial recognition software.
When biometric data is compromised, it can't be changed quickly or easily, making it hard to stop attacks in progress and regain control of accounts.
Behavioral factors are digital artifacts that verify a user's identity based on behavior patterns, such as the user's typical IP address range, location and average typing speed.
For example, when logging into an app from the corporate virtual private network (VPN), a user may only need to supply one authentication factor. Their presence on the trusted VPN counts as the second factor.
Similarly, some systems allow users to register trusted devices as authentication factors. Then, whenever the user accesses the system from the trusted device, the use of the device will automatically function as the second factor.
While behavioral factors offer a sophisticated way to authenticate users, hackers can still impersonate users by copying their behavior.
For example, if a hacker gains access to a trusted device, they can use it as an authentication factor. Likewise, attackers could spoof their IP addresses to make it look like they are connected to the corporate VPN, fooling the authentication system.
One challenge of MFA is that end users may find it less convenient than a simple password and, therefore, decline to use it. From the organization's perspective, different assets and parts of the corporate system may call for different levels of security. Requiring MFA for every app and activity could be overkill.
In response to these challenges, some organizations have deployed adaptive authentication systems, also called risk-based authentication systems.
In adaptive authentication, the authentication requirements change as risk changes. The system uses artificial intelligence to evaluate user activity and adjust authentication challenges accordingly.
For example, if a user tries to log into a low-level app from a known device on a trusted network, they may only need to enter a password. If that same user tries to log into that same app from an unsecured public wifi connection, they may need to supply a second factor. If the user tries to access especially sensitive information or alter critical account information, they may need to provide a third or even fourth factor.
Adaptive authentication systems allow organizations to define more granular access management processes based on the users, activities and resources involved. This can help encourage broader MFA adoption by improving the user experience.
That said, adaptive systems may require significantly more resources and expertise to maintain than a standard MFA solution.
Because knowledge factors are so easy to compromise, many organizations are exploring passwordless authentication systems that only accept possession, inherent and behavioral factors. For example, asking a user for a fingerprint and a physical token would constitute a passwordless MFA configuration.
While most current MFA methods use passwords, industry experts anticipate an increasingly passwordless future. Organizations like Google, Apple, IBM and Microsoft have begun rolling out passwordless authentication options.2
According to IBM's Cost of a Data Breach report, phishing and compromised credentials are among the most common cyberattack vectors. Together, they account for 31 percent of data breaches. Both vectors often work by stealing passwords, which hackers can use to hijack legitimate accounts and devices to wreak havoc.
Hackers typically target passwords because they're easy to crack through brute force or deception. Furthermore, because people reuse passwords, hackers can often use a single stolen password to break into multiple accounts. The consequences of a stolen password can be significant for users and organizations, leading to identity theft, monetary theft, system sabotage and more.
According to researchers at Microsoft, accounts that use MFA are 99.9% less likely to be compromised.3 MFA helps thwart unauthorized access by putting more obstacles between attackers and their targets. Even if hackers can steal a password, they need at least one more factor to get in.
Moreover, these additional factors are usually harder to steal than a knowledge factor. Hackers would have to falsify biometrics, mimic behaviors, pilfer physical devices or intercept multiple communication channels.
MFA can also help organizations meet compliance requirements. For example, the Payment Card Industry Data Security Standard (PCI-DSS) explicitly requires MFA for systems that handle payment card data.4 Other regulations, like the Sarbanes-Oxley (SOX) Act and the General Data Protection Regulation (GDPR), don't explicitly require MFA, but MFA systems can help organizations meet the strict security standards these laws set.
In some instances, organizations have been compelled to adopt MFA in the wake of data breaches. For example, in 2023, the Federal Trade Commission ordered the online alcohol seller Drizly to implement MFA following a breach that affected 2.5 million customers.5
Add deep context, intelligence and security to decisions about which users should have access to your organization’s data and applications, on premises or in the cloud.
Centralize access control for cloud and on-premises applications.
Go beyond basic authentication with options for passwordless or multifactor authentication.
Cost of a Data Breach report aids in preparedness for breaches by understanding their causes and the factors that increase or reduce their costs.
IAM is a cybersecurity discipline focused on managing user identities and access permissions on a computer network.
2FA, or two-factor authentication, is an identity verification method in which users must supply two pieces of evidence to prove their identity.
Footnotes
All links reside outside ibm.com
1 Windows Hello Fingerprint Scanners Were Hacked: Should You Still Use Them?, MSN, 28 November 2023
2 You no longer need a password to sign in to your Google account, The Verge, 3 May 2023
3 Your Pa$$word doesn't matter, Microsoft, 9 July 2019
4 PCI DSS: v4.0, Security Standards Council, March 2022
5 In the Matter of Drizly, LLC, Federal Trade Commission, 10 January 2023