At home, each door has its own lock and key, and anyone holding the key can walk in. Locks alone do not stop burglars from trying, so many households add further measures such as an alarm system or cameras around the perimeter, especially when there are valuables to protect.
Your online accounts are much like your house: they also come with doors and keys (a password or PIN) that let in whoever holds them. Attackers will try to force their way in, so these digital access points need an extra layer of security to make a break-in less likely and to keep your data safe.
One such extra layer is multi-factor authentication (MFA). This article defines MFA, explains how it works and why it is necessary, and describes the main kinds of factors in use.
What is MFA?
Multi-factor authentication (MFA) is a login process that requires the user to present two or more independent proofs of identity, drawn from different categories (something you know, something you have, something you are), before gaining access to a resource such as a bank account or a work application. The password or PIN counts as one of those proofs; MFA adds at least one more, which is what makes a breach less likely when the password alone has been stolen.
So, in addition to a username and a password or PIN, an MFA login might ask for a code from an authenticator app or a text message, a tap on a hardware security key, or a fingerprint or face scan. Note that a security question is just a second "something you know"; on its own it does not turn a password login into multi-factor authentication.
How Does MFA Work?
MFA works by asking for one or more additional factors after the usual username and password or PIN. Which factors are used is normally settled when you set up the account: the service (Google, Facebook or your banking platform, for example) records the enrolled factor and checks it on every later login.
The common steps are as follows:
~Registration
~Registering on the platform or app is the first step. You create an account with a username and password (or PIN), and then link one or more additional factors: a phone number, an authenticator app, a hardware key fob or security key, or an email address, to name a few. Not every platform offers MFA yet, though most are moving to it as standard practice.
~Authentication
~When you log in to an MFA-enabled account, you are asked for your username and password or PIN as usual. Once the system has verified the password or PIN, it demands the second factor: a one-time password sent to your email or phone, a code from an authenticator app, or a prompt you approve in an app on another device. Google, for example, sometimes pushes a sign-in prompt to a Google app (YouTube included) on another device where you are already signed in, and you confirm the login there.
~Resulting Response
~Once the additional factors check out, you are granted access to the system and your accounts. If any factor fails, you stay logged out. A prompt or code you did not request is a sign that someone else has your password and is trying the door.
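The three steps above, as an added worked example that is not part of the original article: a toy service in Python that enrolls a TOTP secret at registration (the kind of code an authenticator app generates, the possession factor described later), checks the password first, then the code, and refuses a code that has already been used. The in-memory user store, the password-hashing cost and the clock-drift window of one step are assumptions for the example; the 30-second step, HMAC-SHA1 and six digits are the RFC 6238 defaults that common authenticator apps use.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed in-memory user store for this example (hypothetical; not any real service).
USERS = {}


def _password_hash(password, salt):
    # PBKDF2-HMAC-SHA256: store a slow salted hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret, step, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def register(username, password):
    """Step 1, Registration: create the account and enroll a possession factor.
    Returns the base32 secret the user would scan into an authenticator app."""
    salt = secrets.token_bytes(16)
    secret = secrets.token_bytes(20)            # 160-bit seed
    USERS[username] = {
        "salt": salt,
        "pw_hash": _password_hash(password, salt),
        "totp_secret": secret,
        "last_step": -1,                         # last accepted time step, blocks replay
    }
    return base64.b32encode(secret).decode()


def authenticator_app(b32_secret, now):
    """What the user's phone computes: same secret, same clock, 30-second steps."""
    return totp(base64.b32decode(b32_secret), int(now // 30))


def login(username, password, code, now, window=1):
    """Steps 2 and 3, Authentication and Resulting Response.
    Returns 'granted', 'bad password' or 'bad code'."""
    user = USERS.get(username)
    if user is None:
        _password_hash(password, b"\x00" * 16)   # same cost for unknown users, no timing leak
        return "bad password"
    if not hmac.compare_digest(_password_hash(password, user["salt"]), user["pw_hash"]):
        return "bad password"
    # Knowledge factor passed; now demand the possession factor.
    if not (code.isascii() and code.isdigit()):
        return "bad code"
    step = int(now // 30)
    for candidate in range(step - window, step + window + 1):   # tolerate one step of clock drift
        if candidate <= user["last_step"]:
            continue                              # that step's code was already used
        if hmac.compare_digest(totp(user["totp_secret"], candidate), code):
            user["last_step"] = candidate
            return "granted"
    return "bad code"


if __name__ == "__main__":
    b32 = register("alice", "correct horse battery staple")
    now = time.time()
    code = authenticator_app(b32, now)
    print(login("alice", "correct horse battery staple", code, now))   # granted
    print(login("alice", "correct horse battery staple", code, now))   # bad code (replay)
```

Two details matter more than they look: the password is checked before the code is even considered, so a wrong password never reveals whether the code would have worked, and each time step is accepted at most once, so a code an attacker phishes from you seconds after you used it is already dead.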
Why Implement MFA?
Every month, tens of millions of records are compromised by attackers. If your accounts are taken over, the data in them can be shared, manipulated, and used to empty bank accounts, steal company trade secrets, commit identity fraud, or take healthcare records.
With more data held online and attackers growing more sophisticated, a password alone is no longer enough. Passwords get phished, reused across sites, and leaked in breaches; with MFA, a stolen password by itself does not get an attacker in. The Cybersecurity and Infrastructure Security Agency (CISA), a US government agency, has more information on how MFA keeps your data safe and cites a Microsoft finding that enabling MFA makes an account 99% less likely to be compromised. That figure concerns common automated password attacks such as credential stuffing; MFA methods differ in strength, and phishing-resistant ones such as hardware security keys give the best protection.
MFA is essential for data security, and it also enables you to:
The Types of MFA Methods
There are three categories of authentication factor: something you know, something you have, and something you are. An MFA login combines factors from at least two different categories.
~Knowledge - Something You Know
~This factor is something you know, such as a password or PIN. You confirm your identity by presenting information nobody else should know, so it is only as secure as the secrecy of that information: anyone who has your password or PIN has the factor.
~Answers to security questions are also knowledge factors, and weak ones. Prefer answers that cannot be looked up or guessed: your birthday, your mother's maiden name or the name of your secondary school are often discoverable on social media or in public records. Treating the answer as a second random password kept in a password manager is safer than answering truthfully.
~~MFA Knowledge examples
~~Knowledge factors that can be combined with a factor from another category include:
- Answers to personal security questions (e.g. the name of your second pet or your childhood nickname)
- Password or PIN
- A one-time password (OTP) is sometimes mistaken for a knowledge factor because you type it in, but it counts as possession: the code proves you hold the phone, token or mailbox it was delivered to or generated on, and it is worthless once used.
~Possession - Something You Have
~The second category is something you have, such as a badge, key fob, smartphone or hardware security key. You prove your identity with an object only you should possess. Depending on the method, the system either sends a one-time code to that device for you to type back, or the device itself generates a code or answers a cryptographic challenge from the service.
~Take care of the device: if it is lost or stolen, whoever holds it holds your second factor, so remove it from your accounts as soon as you notice.
~~Possession MFA examples
~~Examples of MFA based on possession include:
- One-time passwords (OTPs) sent to phone numbers or email addresses (the weakest option: SMS can be intercepted through SIM swapping, and a code typed into a fake login page is handed straight to the attacker)
- OTPs generated on the device by smartphone authenticator apps, or held on access badges, smart cards, USB tokens and key fobs
- Hardware security keys (FIDO2/WebAuthn), software tokens and certificates; security keys are phishing-resistant because the key only answers a challenge bound to the genuine site
~Inherence - Something You Are
~The third category is something you are: a physical or behavioral trait of the user. During registration the system captures the trait and stores a template of it alongside the account (on a phone or security key the template usually stays on the device and never leaves it); at login, a fresh scan is compared against that template.
~~Inherence MFA examples
- Fingerprint scan
- Facial recognition
- Voice recognition
- Retina or iris scan
- Behavioral analysis or biometrics (ex. keystroke dynamics)
~Other types of MFA
~The three categories above are the classic factors, but authentication has moved on to add contextual methods such as location-based checks and adaptive (risk-based) authentication, which use signals about the login attempt rather than a secret the user presents.
~~Examples of Other MFA Types
~~~Location-based MFA
~~~Location-based MFA uses your IP address and, from it, an approximate geolocation. A sign-in from a location that policy does not allow, or that the user has never used before, is refused or challenged with a further factor. Location is not a strong factor on its own (an attacker can use a VPN or proxy near the victim), so it is used alongside a password and an OTP or key, not instead of them.
~~~Adaptive Authentication, or Risk-based Authentication
~~~Adaptive authentication, otherwise known as risk-based authentication, is another contextual method. Rather than a fixed extra factor, it analyzes the behavior and context of each login attempt, including:
- Where you are logging in from
- When you are logging in (your normal hours, or the middle of the night?)
- The device you are using (is it the one you used yesterday?)
- The network you are connecting from (a private network, or public Wi-Fi?)
~~~Each signal is weighted and combined into a risk score for the attempt. A low score lets the login through; a higher score triggers a demand for an additional factor; a score above the policy limit is refused outright.
~~~In simple terms, logging in with just your username and password from your usual device at home, as you do every day, may be allowed straight through, while a login from a cafe or from another state or region prompts for an additional factor, and a login from a place policy forbids is denied.
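How a risk score might be computed from the signals listed above, as an added example that is not the article's or any vendor's code; it also implements the country allowlist from the location-based section. The signal weights, thresholds, trusted networks, allowed countries and per-user history are constructed assumptions; a real system learns the baseline from past logins and obtains the country from a GeoIP lookup on the address.

```python
import ipaddress
from dataclasses import dataclass

# Policy and history are constructed for this example (hypothetical values).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
ALLOWED_COUNTRIES = {"US", "CA"}
HISTORY = {
    # baseline learned from alice's past successful logins
    "alice": {"countries": {"US"}, "devices": {"laptop-1"}, "hours": set(range(8, 19))},
}
EMPTY_HISTORY = {"countries": set(), "devices": set(), "hours": set()}


@dataclass
class LoginContext:
    username: str
    ip: str
    country: str          # assumed to come from a GeoIP lookup on the IP
    hour: int             # local hour of day, 0-23
    device_id: str        # e.g. a long-lived cookie or device fingerprint
    public_network: bool  # e.g. hotel or cafe Wi-Fi


def risk_score(ctx):
    """Weighted sum of the signals; returns (score, reasons that fired)."""
    known = HISTORY.get(ctx.username, EMPTY_HISTORY)
    addr = ipaddress.ip_address(ctx.ip)
    score = 0
    reasons = []
    # Where: hard policy first, then deviation from the user's own baseline.
    if ctx.country not in ALLOWED_COUNTRIES:
        score += 100
        reasons.append("country blocked by policy")
    elif ctx.country not in known["countries"]:
        score += 40
        reasons.append("new country for this user")
    # Which device
    if ctx.device_id not in known["devices"]:
        score += 30
        reasons.append("unrecognized device")
    # When
    if ctx.hour not in known["hours"]:
        score += 15
        reasons.append("outside usual hours")
    # Which network
    if not any(addr in net for net in TRUSTED_NETWORKS):
        score += 10
        reasons.append("not on a trusted network")
    if ctx.public_network:
        score += 20
        reasons.append("public network")
    return score, reasons


def decide(ctx):
    """Map the score to an action: 'allow', 'step_up' (demand another factor) or 'deny'."""
    score, _ = risk_score(ctx)
    if score >= 100:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    home = LoginContext("alice", "192.168.1.5", "US", 10, "laptop-1", False)
    cafe = LoginContext("alice", "203.0.113.7", "US", 10, "laptop-1", True)
    print(decide(home), decide(cafe))   # allow step_up
```

The point of returning the reasons alongside the score is that a step-up prompt or a denial should be explainable to the user and to whoever reviews the login logs afterwards; a bare number is neither.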
The Benefits of Multi-Factor Authentication
More and more people and organizations are adopting MFA to secure their data, driven by today's threat landscape and by regulation, and it continues to spread. There are several reasons for this:
~Improves Digital Security
~MFA helps keep unauthorized users out of your account even when they have your password, which blunts the most common human-error risks: reused passwords, passwords caught by phishing, and credentials leaked in someone else's breach. It also raises the cost of an attack; automated credential-stuffing tools move on to accounts that lack a second factor.
~Encourages Digital Initiatives
~Knowing that MFA is in place lets you undertake digital interactions with confidence: with account access protected, you can conduct online transactions more safely.
~Enhances Prompt Security Response
~Most MFA systems can alert you when a login attempt comes from an unrecognized device or location, and a push prompt or code you did not request is itself a warning that someone else has your password. Deny the prompt, then change the password; that lets you respond fast and limit the damage.
~Ensures a Seamless User Experience
~Passwords can quickly become a chore to remember. The more you have, the more tempting weak or reused ones become, and reused passwords are what let one breach spill into other accounts. MFA does not remove the need for a decent password, but it limits the damage when one is weak or stolen, and methods such as security keys remove much of the password chore altogether.
MFA FAQs
~What is the Difference between MFA & 2FA?
~2FA, or two-factor authentication, is a subset of MFA: 2FA uses exactly two factors, while MFA means two or more.
~What Happens if You Lose Your Device?
~Until you act, anyone holding the device may be able to pass your second factor, so act quickly: sign in from another trusted device (or with a recovery code saved when you enrolled), remove the lost device from your account's MFA settings, change the password, and enroll a new device. Prefer methods that lock the device itself (a PIN or biometric on the phone or key) so a thief cannot use the factor straight away.
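One way a service handles the lost-device case, going a little beyond the answer above as an added example that is not from the original article: recovery codes issued at enrollment are stored only as hashes, accepted once each, and redeeming one revokes the old authenticator so the lost phone no longer counts as a factor. The account record, the number of codes and the code format (10 random bytes as hex) are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory account record (hypothetical; not any real service).
ACCOUNT = {"authenticator_enrolled": True, "recovery_hashes": set()}


def _hash_code(code):
    # Recovery codes are credentials: keep only a hash so a database leak does not expose them.
    # A fast hash is acceptable only because each code carries 80 bits of randomness.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_recovery_codes(account, count=8):
    """Generate single-use codes at enrollment; the service shows them to the user exactly once."""
    codes = [secrets.token_hex(10) for _ in range(count)]     # 20 hex chars, 80 bits each
    account["recovery_hashes"] = {_hash_code(c) for c in codes}
    return codes


def redeem_recovery_code(account, code):
    """Accept a code at most once; an unknown or already-used code fails."""
    digest = _hash_code(code.strip().lower())
    for stored in account["recovery_hashes"]:
        if hmac.compare_digest(stored, digest):
            account["recovery_hashes"].remove(stored)       # burn it
            return True
    return False


def recover_lost_device(account, code):
    """Lost-phone flow: redeem a recovery code, then unenroll the old authenticator
    so whoever holds the phone no longer holds a valid factor."""
    if not redeem_recovery_code(account, code):
        return "rejected"
    account["authenticator_enrolled"] = False                # user must enroll a new device
    return "old authenticator revoked; enroll a new one"


if __name__ == "__main__":
    codes = issue_recovery_codes(ACCOUNT)
    print(recover_lost_device(ACCOUNT, codes[0]))   # old authenticator revoked; enroll a new one
    print(redeem_recovery_code(ACCOUNT, codes[0]))  # False: a code only works once
```

Revoking the old authenticator is the step people forget: resetting the password alone leaves the thief holding a factor that still works for the next login.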