Multi-factor authentication (MFA) is an identity verification method that requires users to provide at least one authentication factor in addition to a password, or at least two authentication factors instead of a password, to gain access to a web site, application or network.

Because it takes more work to hack multiple authentication factors than to hack a password alone, and because other types of factors are more difficult than steal or falsify than passwords, MFA better protects an organization from unauthorized access than single-factor (username and password) authentication.

MFA has become a foundational component of many organizations’ identity and access management strategies. It is frequently a mandated or recommended authentication method in many industries and government agencies. Most employees or internet users have encountered a subtype of MFA, called two-factor authentication (2FA), which requires users to supply a password and a second factor,  – typically a passcode sent to a mobile phone or email – to log in to a system or web site. But anyone who has accessed an ATM using a bank card and a personal identification number (PIN) has used a form of MFA.

MFA confounds hackers on two levels. On the most basic level, it's more difficult to hack two or more factors than to hack just one. But ultimately the strength of any MFA scheme depends on the types of authentication factors it requires a user to provide.

Knowledge factors: Something the user knows

Knowledge factors are pieces of information that, theoretically, only the user would know, such as passwords, PINs, and answers to security questions. Knowledge factors are both the most widely used and the most vulnerable type of authentication factor. Hackers can obtain passwords and other knowledge factors through phishing attacks, by installing keystroke recorders or spyware on users' devices, or by running scripts or bots that generate and test potential passwords until one works.

Other knowledge factors don't present much more of a challenge. Answers to some security questions can be cracked by a hacker who knows the user or does some research on social media. Others can be relatively easy to guess. Small wonder, then, that compromised credentials where the most commonly exploited initial attack vector in 2022, according to the IBM Cost of a Data Breach report.

A common misconception is that requiring two knowledge factors, such as a password and the answer to a security question, constitutes MFA. Requiring a second knowledge factor provides some additional security, but true MFA requires the use of two or more types of factors.

Possession factors: Something the user has

Possession factors are physical objects users have with them, such as a fob or ID card granting access to a physical lock, a mobile device with an installed authenticator app, or a smart card containing authentication information.

Many MFA implementations use a method called "phone-as-a-token," in which the user's mobile phone receives or generates the information it needs to become a possession factor. As noted above, MFA commonly sends a one-time password (OTPs) to a person's phone through text message, email message or phone call. But OTPs can also be generated by special mobile apps called authenticator apps. And some authentication systems send push notifications that users can simply tap to confirm their identity.

Other MFA solutions systems use physical tokens, or dedicated hardware security keys. Some physical tokens plug into a computer’s USB port and transmit authentication information to the log-in page. Others generate OTPs for the user to enter.

Possession factors offer several advantages over knowledge factors. Malicious actors need to have the factor in their possession at the time of log in to impersonate a user. Because they operate over a different network (SMS) than the application (IP), a hacker would need to intercept two different communication channels to steal the credentials. Even if a hacker could obtain an OTP, they would need to obtain and use it before it expired and could not use it again.   

But there are risks. Because they are objects (and usually small ones), physical tokens can be stolen, lost or misplaced.  While OTPs are harder to steal than traditional passwords, they are still susceptible to sophisticated phishing or man-in-the-middle attacks – or to SIM cloning, in which malicious actors create a functional duplicate of the victim’s smartphone’s SIM card.

Inherent factors: Something unique to the user as a person

Inherent factors, also called biometrics, are physical characteristics or traits unique to the user.  A person's fingerprints, voice, facial features or iris and retinal patterns are examples of inherent factors. Today many mobile devices can be unlocked using fingerprints or facial recognition; some computers can use fingerprints to enter passwords into web sites or applications.

Inherent factors are the most difficult factors to crack. They can’t be forgotten, lost or misplaced, and they are extraordinarily difficult to replicate.

But that doesn’t mean they’re foolproof. If inherent factors are stored in a database, they can be stolen. For example, in 2019 a biometric database containing 1 million users’ fingerprints was breached. Theoretically, hackers could steal these fingerprints, or link their own fingerprints to another user’s profile in the database.

When biometric data is compromised, it can't be changed quickly or easily, and this can make it difficult for victims to stop attacks in progress.

Behavioral factors: Something the user does

Behavioral factors are digital artifacts that verify a user’s identity based on behavior patterns. An IP address range, or location data from which a user typically logs in to an application, are examples of behavioral factors.

Behavioral authentication solutions use artificial intelligence to determine a baseline for users’ normal behavioral patterns and then flag anomalous activity, such as logging in from a new device, phone number, web browser or location. They are also commonly used in adaptive authentication (also called risk-based authentication) schemes, in which authentication requirements change when risk changes – such as when a user attempts to log in from an untrusted device, attempts to access an application for the first time, or attempts to access particularly sensitive data.

While behavioral factors offer a sophisticated way to authenticate users, they require significant resources and expertise to deploy. Moreover, if a hacker gains access to a trusted device, they can use it as an authentication factor.

Because compromised knowledge factors are the most common initial vector in cybersecurity breaches, many organizations are exploring passwordless authentication. Passwordless authentication relies on possession, and inherent and behavioral factors to verify identities. Passwordless authentication reduces the risk of phishing attacks and credential stuffing, in which hackers use credentials stolen from one system to gain access to another.

While passwordless authentication removes what is widely considered the weakest link in the identity verification chain, it is still susceptible to the vulnerabilities of possession, and inherent and behavioral factors. Organizations can mitigate these vulnerabilities by implementing an approach in which users must provide multiple types of non-knowledge factor authentication credentials. For example, asking a user for a fingerprint and a physical token would constitute passwordless MFA.

In response to the rising tide of cyberattacks, governments and government agencies have begun requiring MFA for systems that handle sensitive data. In 2020, the Internal Revenue Service (IRS) mandated MFA for providers of online tax preparation systems. President Joseph Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity made MFA a requirement for all federal agencies. A follow-up memorandum requires all national security, Department of Defense and intelligence community systems to implement MFA by August 18, 2022.

A handful of industry regulations, including the Payment Card Industry Data Security Standard (PCI-DSS), specifically require MFA for systems that handle credit card and payment card data. Many other regulations, including Sarbanes-Oxley (SOX) and HIPAA, strongly recommend MFA as critical to assuring compliance. Some state-wide regulations have mandated MFA for years. Companies that have failed to comply with the MFA provisions of the New York Department of Financial Services (NYDFS) 2017 cybersecurity regulation 23 NYCRR 500 have faced fines of up to USD 3 million (link resides outside of ibm.com).

Single sign-on (SSO) is an authentication method allowing users to access multiple related applications and services through one set of login credentials. The user logs in once, and an SSO solution authenticates their identity and generates a session authentication token. This token acts as the user's security key for various interconnected applications and databases.

To alleviate the risk of relying on a single set of login credentials for multiple applications, organizations typically require adaptive authentication for SSO. Adaptive SSO applies the functionality of adaptive authentication to SSO schemes. If a user displays abnormal behavior while attempting to login through SSO, or during their SSO-authenticated session, they will be asked to supply additional authentication factors. Examples of abnormal behavior might include connecting through an unrecognized VPN or accessing an application or data not covered by the user's session authentication token.

Zero trust cybersecurity architectures, in which a user’s identity is never trusted and always verified, often use a combination of adaptive SSO and MFA for authentication purposes. By continuously verifying the user's identity throughout the session and asking for additional authentication factors based on risk, adaptive SSO and MFA strengthen access management without impeding user experience.