How does multifactor authentication work?

08 May 2022

In authentication, a factor is a piece of evidence a user / profile presents to confirm their identity in order to gain access to a resource such as a computer, online account or application. Multifactor authentication (also called two-factor authentication (2FA) or 2-step verification (2SV)) is a method of authentication that requires users / profiles to confirm their identity using two or more verification factors. Applying multifactor authentication (MFA) reduces the risk of unauthorised access to an account, as the chances of an unauthorised user compromising more than one factor are low. Consequently, multifactor authentication is a core component of access management, adding an extra layer of protection on top of the primary factor (usually a username and password).

The most commonly used MFA factors fall into one of three categories:

  1. Something you know (knowledge) – e.g., a password, memorized PIN, security question etc.

  2. Something you have (possession) – e.g., SMS, authentication apps, token, a physical key etc.

  3. Something you are (inherence) – e.g., a fingerprint, retina scan, facial recognition etc.

Other less popular factors include:

  1. Somewhere you are (location) – e.g., GPS location, IP address, time of day, device ID etc.

  2. Something you do (behaviour) – e.g., keystroke patterns, mouse movements, reading speed, device orientation etc.

When a user logs into their account using their primary factor with MFA enabled, the user is prompted to verify their identity with one or more of the secondary factors available before access is granted.
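As an added example (not code from the original post), the flow described above in Python: the primary factor is a password checked against a salted hash, and the secondary factor is a time-based one-time password (RFC 6238 TOTP) of the kind an authenticator app generates. The user record, salt and shared secret are constructed for the demo (the secret is the RFC 6238 test-vector secret, so the codes are known values).

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user record. The primary factor (password) is stored as a
# salted PBKDF2 hash; the secondary factor is the TOTP secret shared with the
# user's authenticator app. Secret is the RFC 6238 test-vector secret.
DEMO_SALT = b"constructed-demo-salt"
DEMO_USER = {
    "username": "alice",
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000),
    "totp_secret": b"12345678901234567890",
}

def verify_password(user, password):
    """Factor 1: something you know. Constant-time comparison of the salted hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)
    return hmac.compare_digest(candidate, user["password_hash"])

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the 30-second time counter."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(user, code, unix_time=None, window=1):
    """Factor 2: something you have. Accepts the codes of the adjacent time steps
    (window=1) so that a slightly drifted phone clock does not lock the user out."""
    now = time.time() if unix_time is None else unix_time
    for drift in range(-window, window + 1):
        expected = totp(user["totp_secret"], now + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False

def login(user, password, code, unix_time=None):
    """Access is granted only when both factors verify; a single correct factor is not enough."""
    return verify_password(user, password) and verify_totp(user, code, unix_time)
```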

The importance of MFA cannot be overemphasised, especially since each of the various factors has its own weaknesses. For example:

  • Knowledge-based factors can be subjected to brute force or social engineering attacks. Furthermore, users may adopt overly simplistic passwords as a result of password fatigue

  • Possession-based factors can be stolen

  • Inherence-based factors require reliable, secure software

  • Location-based factors can be blocked by technologies that make it difficult to accurately authenticate the origin of network traffic

  • Behaviour-based factors can be observed and replicated

There are concerns around the inconvenience of multifactor authentication. As a result, when implementing multifactor authentication, it is worth taking user experience into consideration. Single sign-on (SSO) solutions and device registration (trusted device) can be adopted to provide the best user experience.

Header photo by Robynne Hu on Unsplash