What Is Multi-Factor Authentication (MFA) & How Does It Work?

What Is Multi-Factor Authentication?

Multi-factor authentication requires users to present two or more credentials to access a system. These can include a username and password combination, a PIN, or biometric data such as a fingerprint or facial scan.

How MFA Works

MFA strengthens password-only login by requiring two or more pieces of evidence to authenticate the user. The most common form of MFA, Two-Factor Authentication (2FA), requires exactly two distinct factors, while higher-assurance systems may call for more.

An important point is that MFA requires multiple distinct forms of evidence drawn from different categories of verification, not simply more of the same kind. The three primary categories cover what the user knows, has, and is:

  1. What You Know (Knowledge): This form of evidence includes some sort of secret that only the user should (theoretically) know. Items like passwords or PINs fall under this category and function as one of the primary ways that most of us access user accounts.
  2. What You Have (Possession): “What you have” refers to objects or accounts that you possess or control. This includes physical objects like USB keys or badges, and devices or accounts that receive a one-time code, such as an email inbox or an SMS sent to your tablet or smartphone.
  3. What You Are (Inherence): Identity information that uses physical features like fingerprints, facial scans, iris scans, or other biometrics.

While these are the most common forms of evidence accepted in multi-factor authentication, there are others that some authentication systems use depending on the level or type of security needed. These include the following:

  • Location-Based Authentication: These systems look at information like geolocation coordinates or IP addresses to determine whether a user is attempting to access system resources from an unexpected or restricted location.
  • Adaptive Authentication: Also known as Risk-Based Authentication, this approach draws from different aspects of a session to create a risk profile of a given login attempt. Some of the pieces of information an adaptive system might use are time of access, device used, type of network used, or even changes in behavior (are you using the same device or accessing from different locations in a short period of time?).

Depending on how your risk is assessed, the system then funnels you into one of several paths: a clear sign-on (low risk), a step-up multi-factor challenge (moderate risk), or outright denial of access (high risk).
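The adaptive flow described above, written out as an added example (not 1Kosmos code): session signals from the text (known device, time of access, network type, a location change shortly after the last login) are scored, the score is funnelled into allow / step-up / deny, and a step-up challenge is checked to span two distinct factor categories. Signal names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple
# Credential type -> factor category (what you know / have / are).
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "sms_code": "possession", "security_key": "possession",
                   "fingerprint": "inherence", "face_scan": "inherence"}
NETWORK_RISK = {"corporate": 0, "home": 0, "public_wifi": 15, "tor": 40}  # assumed weights

@dataclass
class LoginAttempt:
    device_id: str
    country: str   # geolocated from the client IP
    network: str   # a key of NETWORK_RISK
    when: datetime

@dataclass
class UserHistory:
    known_devices: Set[str]
    last_country: str
    last_login: Optional[datetime]
    usual_hours: range  # hours of day this user normally signs in

def risk_score(a: LoginAttempt, h: UserHistory) -> Tuple[int, List[str]]:
    """Additive score from the session signals listed above; weights are illustrative."""
    score, reasons = 0, []
    if a.device_id not in h.known_devices:
        score += 30
        reasons.append("unknown device")
    if a.when.hour not in h.usual_hours:
        score += 10
        reasons.append("unusual time of access")
    if NETWORK_RISK.get(a.network, 40):          # unrecognised network treated like Tor
        score += NETWORK_RISK.get(a.network, 40)
        reasons.append(f"untrusted network: {a.network}")
    # Behaviour change: a different country within a short window of the last login.
    if (h.last_login is not None and a.country != h.last_country
            and a.when - h.last_login < timedelta(hours=2)):
        score += 40
        reasons.append("location changed within 2h of last login")
    return score, reasons

def decide(score: int) -> str:
    """Funnel by risk: clear sign-on (<20), step-up MFA (20-59), deny (>=60)."""
    return "allow" if score < 20 else "step_up" if score < 60 else "deny"

def is_true_mfa(presented: List[str]) -> bool:
    """A challenge only counts as MFA if the factors span two distinct categories."""
    return len({FACTOR_CATEGORY[f] for f in presented}) >= 2
```

The `reasons` list is what an operator would want logged alongside the decision, so that step-ups and denials can be reviewed and the weights tuned.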

Multi-Factor Authentication vs. Two-Factor Authentication (2FA)

By far, 2FA is the most common form of MFA in consumer-grade applications, and the use of biometric scanning, mobile applications, and SMS text authentication has grown rapidly.

While this approach has increased security for such applications, it doesn’t mean that authentication security is a settled matter.

Costs and Benefits of Multi-Factor Authentication

The advantages of multi-factor authentication over traditional single-factor authentication are clear. Because it requires several forms of identification from different categories, each (ideally) difficult to obtain, an attacker has to compromise more than one independent credential, which makes a multi-factor system more secure than a single-factor one.

The Importance of Multi-Factor Authentication

As with any technology, MFA carries both costs and benefits. Some of the benefits include the following:

  • More Effective Than Single-Factor Authentication: MFA provides more effective security at the point of login than a simple password or PIN. This is not simply because the system requires multiple forms of evidence; it also mitigates some of the more glaring weaknesses of knowledge-based verification, such as credential database breaches or phishing attacks.
  • Meets Most Regulatory Requirements: Private sector and governmental compliance frameworks usually include MFA requirements as part of broader Identity and Access Management (IAM) strategies.
  • Provides Flexibility for Different Devices: Modern computers, tablets, and mobile phones come equipped with some form of biometric scanning, whether fingerprint scanning, facial recognition, or iris scanning. Multi-factor authentication can be used to protect access to the device and to accounts tied to software on that device.
  • Streamlines Access on Several Devices: Many portable devices support linking biometrics to stored passwords or automatically filling SMS codes into authentication forms, which makes multi-factor authentication much easier to use. This is why mobile phone users can often log in to their applications with a fingerprint or face scan in seconds without compromising security.
  • Allows Adaptation of Authentication Through Multiple Forms: A true 2FA or multi-factor solution can combine any configuration of factor types: passwords and fingerprints, passwords and SMS codes, USB keys and iris scans, and so on. The possible configurations for a robust scheme are limited only by the available technology.

The Challenges of Multi-Factor Authentication

Some challenges with implementation include the following:

  • User Experience: While there are many examples of great UX design for MFA systems, they are the exception. UX takes careful thought to get right, and a complex system that requires physical objects and long passwords can deter users from using it properly.
  • Theft and Fraud: MFA is a more secure authentication method, but it is not enough to prevent compromise entirely. Passwords can still be stolen, biometric templates copied, and physical objects like phones or USB drives compromised. Worse, multi-factor authentication often gives a false sense of security that leads to complacency, probably the worst security posture you can have.
  • Some Configurations Are More Secure Than Others: Biometrics are likely the most secure factor in any MFA system, but many deployments don’t use them. Instead, many pair a knowledge-based credential with a possession-based one (SMS or emailed PINs are especially popular). However, if one of the user’s accounts is compromised, whether their email account or one tied to their phone or SMS messaging, attackers can intercept these codes and access the user’s account at any time.

How Secure Is Modern MFA?

The challenges of multi-factor authentication all stem from one primary difficulty: proving a user’s identity. Passwords, SMS messages, and even modern biometrics don’t address one of the most important, and perhaps necessary, aspects of authentication: demonstrating that the person actually accessing an account is who they claim to be.

When you provide a password, a PIN, or even a code sent to you via SMS, the system assumes you are who you claim to be because only you should have access to those resources. We all know, however, that security is imperfect. Even modern biometrics, as far as they have come, can be spoofed or faked. Standards such as FIDO2 attempt to mitigate MFA bypass, but not every authentication solution follows them, which leaves the possibility of account breach even with MFA enabled.

While MFA is more secure than older forms of authentication, security must go further with identity proofing measures. Identity proofing uses authorized agents to verify documents and physical identity, in person or virtually. With this additional level of assurance, your system can know that whoever is accessing it is who they say they are.

Modern Authentication with 1Kosmos BlockID

1Kosmos BlockID is the only standards-based and passwordless authentication identity platform that uses advanced biometrics with mobile applications and identity proofing to provide compliant and continuous authentication.

How do we do it? With several interoperable and innovative technologies that take us beyond traditional multi-factor authentication. These include the following:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Integration with Secure MFA: BlockID readily integrates through standards-based APIs with operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, providing protection against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
  • Privacy by Design: 1Kosmos protects PII in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.

Sign up for our email newsletter to learn more about 1Kosmos products and events. Or, if you want to learn more about our technologies, read our whitepapers on our MFA and 2FA capabilities.

Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design and development. His career includes serving as head of information security at Lehman Brothers and co-founding Bastille Networks.