Best Practices For Multi-Factor Authentication (MFA)

Using MFA is a great starting point, but you’ll want to know multi-factor authentication best practices to get the most out of your MFA solution.

What are the four factors of multi-factor authentication?

  • knowledge: things a user must know (PIN)
  • possession: things a user must have (password token)
  • inherence: things a user is (fingerprint scan)
  • location: where a user is (login location)

What Is Multi-Factor Authentication?

Multi-Factor Authentication is the practice of using two or more authentication factors in combination to verify a user’s identity and their permission to access system accounts and resources.

Authentication is a critical part of cybersecurity and compliance. Access to data and resources often serves as a chokepoint for both security and functionality: users must have access to their accounts and applications for the system to function properly, yet that access must have restraints placed upon it to protect the system and other users’ information.

In the earliest days of networked system access and multi-user infrastructure, many authentication and authorization services used a single form of identity verification: usernames and passwords. The problem with this approach is that hackers can steal passwords either through poor identity management or hacks against password management systems. Once stolen, a compromised identity will compromise everything tied to that user account.

The solution for many platforms has been to introduce MFA capabilities into their identity management and authentication systems. Multi-factor authentication requires that users seeking access to system resources provide multiple forms of identification and that those forms be distinct from one another. This way, the system can place trust in user identification beyond a single set of credentials.

Multi-factor authentication requires the user to provide two or more forms of verification drawn from different factor categories. The four categories are as follows:

  • Knowledge: These are credentials that the user knows, and include items like username/password combinations or PINs.
  • Possession: These are credentials provided through a channel or device that the user has in their possession, and include items like password tokens, USB sticks, email accounts, texts to mobile devices, or authentication apps.
  • Inherence: These credentials come from the user and primarily refer to biometric attributes like fingerprint scans, iris scans, and facial scans.
  • Location: These credentials are derived from geolocation information tied to the user’s devices.

The last of these, location, isn’t as common as the first three, but it is increasingly becoming so for region-specific or high-security applications. For example, some offices handling sensitive data may require access only from authorized devices within a geofence perimeter.

Does MFA Solve Authentication and Security Problems?

Some organizations consider multi-factor authentication a silver bullet in terms of providing secure authentication to apps and resources. This isn’t the case at all.

MFA provides significantly more security against cyberattacks than single-factor authentication. Even two-factor authentication (2FA) provides more defense against hackers seeking to steal user credentials. With the explosion of mobile devices that support fingerprint or facial scanning, it has become fairly common for enterprises to use some form of MFA that includes fingerprint scanning or facial recognition. Likewise, the almost universal use of email and SMS has led to the expansion of authentication that combines passwords, biometrics, and verification through emails, texts, or mobile authentication apps.

While multi-factor authentication solutions are more secure, they are not foolproof. Biometrics have been proven to be spoofable, and stolen email accounts can open up user accounts usually protected by MFA to theft.

For consumer usage, many MFA approaches are sufficient for low-stakes computing. Additionally, most compliance frameworks, like HIPAA or SOC 2, either suggest or require MFA. For secure enterprise use, however, MFA on its own does not solve authentication problems; it must also be appropriately configured to ensure that each component is secure against a breach.

One of the biggest challenges to MFA is the fact that a security system cannot, on its own, verify that the physical user attempting to access the infrastructure is the user connected to the credentials. For example, if a hacker has the password to someone’s email account, there is no simple way to check that the person logging in is the proper owner of that email. Biometrics can provide a false sense of security in that many users think these mostly immutable features can serve to verify identity on their own. But biometrics can also be spoofed or stolen.

Enterprise users will often find that their security and compliance needs will call for more than just an out-of-the-box MFA solution. They’ll need something specifically tailored to their infrastructure and their business goals.

What Are Best Practices for Selecting an MFA Service?

Not all MFA solutions are created equal, and your business will inevitably have to decide which features it needs for secure authentication. However, there are still critical features it should look for in a solution and best practices it can put into place.

These best practices include the following:

  • Understand the Factors Needed for Your Business: The level of security and the type of technology you use will help determine what factors to implement. If your employees rely on mobile devices, then biometrics could be a major part of your system. If you’re looking for added physical security, you may issue physical tags or USB tokens for local machines. Even at the level of biometrics, the types of security you need will determine what type you use, from fingerprint scans to iris scans.
  • Utilize Solutions That Work for Your Infrastructure: If your teams are working remotely, using mobile devices or collections of different software and cloud tools, then your MFA should be able to work across those resources.
  • Focus on User Experience: One of the most significant threats to authentication and security is user error. Employees who have to juggle multiple passwords or remember complex passwords are often willing to sacrifice security to make their lives easier. That means weak passwords and poor cyber hygiene. With a solid user experience across all relevant devices, those kinds of problems are less of an issue.
  • Combine Your MFA with Single Sign-On Technology: SSO can streamline user experience. Combining SSO with MFA can bring together the security of MFA with the user experience of SSO to heighten usability and security across your user base.
  • Go Passwordless: MFA is often tied to passwords, but modern authentication solutions are capable of leveraging user information and biometrics to eliminate passwords. No passwords means no complex information for users to remember and one less attack vector for hackers.
  • Leverage Location and Context Information: While location authentication is not as widely used as other factors, you can use it to exert another level of control for system access. With location authentication, an MFA solution can use the user’s device to determine if they are within a specific place (a home office or a specific neighborhood, for example) and grant access based on that, essentially blacklisting devices outside that scope.
  • Use Advanced Verification: Advanced verification includes capabilities like liveness testing, audit trails, and advanced biometrics that ground MFA in the user being present at the moment of authentication. These capabilities mitigate more advanced forms of fraud and create more confidence in the security of the system.
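Two points in this article lend themselves to a small worked example: the requirement that the presented factors be distinct from one another (a password plus a PIN is still single-factor) and the geofence-based location control described above. The following Python is an added illustration, not code from the article or from 1Kosmos; the credential labels, the geofence tuple and the decision strings are assumptions made for the example.

```python
from math import asin, cos, radians, sin, sqrt

# Each concrete credential type maps to one of the article's four factor categories
# (the credential names are illustrative labels chosen for this example).
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "hardware_token": "possession", "totp_app": "possession",
    "sms_code": "possession", "email_code": "possession",
    "fingerprint": "inherence", "face": "inherence", "iris": "inherence",
    "geolocation": "location",
}

def distinct_categories(presented):
    """Return the set of factor categories the presented credentials cover."""
    unknown = [p for p in presented if p not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    return {FACTOR_CATEGORY[p] for p in presented}

def is_multi_factor(presented, minimum=2):
    """True only when the credentials span at least `minimum` distinct categories.
    Password + PIN are both knowledge factors, so together they are not MFA."""
    return len(distinct_categories(presented)) >= minimum

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def inside_geofence(fence, lat, lon):
    """fence is (centre_lat, centre_lon, radius_km); True if the point lies within it."""
    c_lat, c_lon, radius_km = fence
    return haversine_km(c_lat, c_lon, lat, lon) <= radius_km

def evaluate_login(presented, device_location=None, fence=None):
    """Allow only if the factors are distinct and, when a geofence is configured,
    the device is inside it. Location counts as a factor only once it is verified."""
    factors = list(presented)
    if fence is not None:
        if device_location is None or not inside_geofence(fence, *device_location):
            return "deny: device outside geofence"
        factors.append("geolocation")
    if not is_multi_factor(factors):
        return "deny: factors are not from distinct categories"
    return "allow"
```

A device that cannot report its location is treated the same as one outside the fence, so a missing location factor never silently downgrades the decision to allow.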

Passwordless Authentication and MFA with 1Kosmos BlockID

While MFA itself isn’t foolproof, it can serve as the foundation for enterprise-grade authentication technologies. Combined with advanced biometrics, decentralized identity management, identity proofing, and streamlined user experiences, MFA can provide the highest level of security for entire organizations without sacrificing usability.

1Kosmos provides this kind of authentication and identity management with BlockID, which includes features like the following:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Integration with Secure MFA: BlockID readily integrates through a standards-based API with operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains that provide a secure and immutable audit trail.
  • Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.
  • LiveID: 1Kosmos uses true user biometric technology and liveness testing to verify that the user is physically present at the point of authentication. This feature is frictionless with mobile devices, making for easy onboarding and spoof protection.

To learn more about multi-factor authentication, identity proofing, and enterprise identity management, read about 1Kosmos 2FA and MFA Capabilities.

Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design/development. His career includes the head of information security at Lehman Brothers and co-founder of Bastille Networks.