What is Multi-Factor Authentication?


Why are more login attempts requiring a code from your phone? Why are you asked for your face ID or fingerprint on your mobile device? These are examples of the highly effective security technology, multifactor authentication.

In this article, we will help you to understand what multifactor authentication (MFA) is, how MFA works from both the IT admin’s and users’ perspectives, and the benefits of multiple authentication factors in technology.

MFA vs Two-Factor Authentication

Multifactor authentication (MFA) is sometimes referred to as two-factor authentication (2FA). Technically, two-factor authentication is a subset of MFA, which uses two or more factors. In practice, though, they often refer to the same thing.

Multi-factor authentication can include more than two authentication methods.

What is MFA?

Multifactor authentication is a security technology that uses two or more authentication factors to verify a user’s identity when logging into a secure service.

MFA methods can include:

  • Something you know, like your password, passphrase or personal identification number (PIN)

  • Something you have, like your smartphone, smart card, or security token

  • Something you are, also known as a biometric, like your fingerprint, face, voice, or retina

MFA is an important tool for preventing unauthorized access to your accounts, ensuring only those you choose can gain access. Microsoft reports that the chance of an account being compromised is reduced by 99.9% by using multifactor user authentication (MFA).

Now that we have a better understanding of the factors involved in MFA, let’s learn how it works.

How Multifactor Authentication Works

In a traditional login experience, a user enters their username and password. This gets verified by the system, and if correct, the system grants the user secure access.

The risk with this, however, is that if hackers obtain the user ID and password, they can easily access your machine or network. Passwords are notoriously insecure. People reuse the same passwords across multiple accounts, they develop easily cracked patterns, and many use variations of common passwords.

MFA, on the other hand, goes beyond the username and password with additional factor(s) to prevent common password hacks.

Typical MFA Sign-in Process

This is not the only method of MFA, but it is the most common.

    1. The user logs in by typing in user ID and password
    2. Then the system will verify the credentials
    3. If successful, the system will prompt the user for a secondary factor
      • Most commonly, this is a One Time Passcode (OTP) or push notification sent to the user’s phone
      • This may be delivered by SMS text message or via an authenticator app
    4. Once the OTP is entered, or the push notification is accepted, the system will then grant access
    5. If the OTP is entered incorrectly, or the push notification is denied, the system will deny access
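The five-step flow above, as an added example (not code from the original article): the first factor is a PBKDF2 password hash, the second is a time-based OTP computed with the RFC 6238 algorithm that authenticator apps use. The user record, salt and TOTP seed are constructed demo values.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credential store (assumed values): a PBKDF2 password hash
# plus the base32 TOTP seed shared with the user's authenticator app.
_SALT = b"demo-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": "JBSWY3DPEHPK3PXP",
    }
}

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def check_password(user: str, password: str) -> bool:
    """Step 2: verify the first factor with a constant-time hash comparison."""
    rec = USERS.get(user)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(cand, rec["pw_hash"])

def check_otp(user: str, code: str, now: int, window: int = 1) -> bool:
    """Steps 4/5: accept the current step plus/minus `window` steps for clock drift."""
    secret = USERS[user]["totp_secret"]
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))

def sign_in(user: str, password: str, code: str, now: Optional[int] = None) -> str:
    """The five-step flow collapsed into one call; returns 'granted' or 'denied'."""
    now = int(time.time()) if now is None else now
    if not check_password(user, password):
        return "denied"   # first factor failed: the OTP is never even evaluated
    if not check_otp(user, code, now):
        return "denied"   # step 5: wrong or stale OTP
    return "granted"      # step 4
```

In a real deployment the OTP prompt is only shown after the password check passes, and the OTP step should be rate-limited so the six-digit code cannot be guessed.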

MFA from the perspective of the IT admin

In a business environment, it’s the IT admin’s responsibility to enable multifactor authentication for sensitive applications and/or accounts. Most services allow admins to enable MFA from an admin control panel. Because MFA is so effective, we recommend enabling it wherever possible in your organization.

Before instituting MFA across the organization, though, it’s important to educate users on what to expect. MFA adds one additional step to your user’s workflow. Without proper education, users may find it to be an annoying roadblock to their workday.

Managing MFA across systems and across the organization can become difficult. We recommend adopting a centralized MFA App like Duo Mobile. This provides all users with a one-stop MFA app that can be used across every program that requires MFA.

MFA from the Perspective of the User’s Identity

From the user’s perspective, they’ll see one additional prompt after entering their username and password. The prompt will ask for the One Time Passcode or approval of the push notification.

If your organization uses an MFA app, that app on the user’s smartphone will provide the code or push notification. If your organization does not use a single MFA app, the MFA method will depend on what is being accessed.

Without a centralized MFA app, users often end up with multiple apps. This can make it hard to remember which app to use for each account.

Now that we know how multifactor authentication works, let’s look at the benefits of MFA.

The Benefits of Authentication Factors

1. Multifactor authentication protects your data even if your password has been compromised

Let’s say a hacker gets your password. Normally, that would be game over. But if a hacker steals your password, and you have MFA enabled, it is no use to them. They need physical access to your phone, smart card, or biometric data (such as fingerprint or facial recognition).

2. No more changing passwords

In the past, we were told that we must change our passwords frequently. While that is still good practice in some situations, it’s no longer the most up-to-date recommendation.

The latest NIST standards recommend enabling multifactor authentication and no longer requiring periodic password resets.

In theory, password resets limit the amount of time a hacker can use a compromised password. In reality, forced resets cause users to develop simple patterns when changing passwords. Hackers can guess these patterns, so required resets can reduce security.

MFA offers an additional layer of protection, so you can say goodbye to annoying password changes.

3. Added Security in a Streamlined Fashion

MFA is a simple technological tool to help keep you and your data safe from malicious hackers. Yes, it does take a couple more seconds to log in, but it is worth it to protect your organization’s accounts.

4. Compliance

MFA technology can be used to meet compliance standards, including the requirements of:

  • HIPAA – Protect patient healthcare information from compromised credentials
  • PCI – Enforce password and access policies to protect credit card data
  • Sarbanes-Oxley (SOX) – Protect financial institution credentials to prevent fraud
  • Cyber Insurance Requirements – Lower premiums and increase the likelihood of policy approvals

5. It Provides Next-Level Security, Even Remotely.

Very often, cybercriminals attempt to illegally access the system when a user is operating remotely. Their efforts are frustrated if the system has MFA enabled together with a Single Sign-On (SSO) solution.

Multifactor authentication can help to block such a malicious user and possibly flag a potential threat.

6. It is a Super-Effective Cybersecurity Solution.

Cracking 2FA or MFA is a nightmare for hackers. Hackers must trick users into giving up their MFA codes in addition to stealing usernames and passwords. This additional step is enough to keep nearly all accounts from being compromised.

7. Implementation Is Easy And Simple

MFA is non-invasive by nature. It doesn’t affect the rest of your business’s systems. It also presents an intuitive user experience, which makes it attractive to an average consumer without much effort.

Adaptive MFA

MFA integrates with other authentication technologies that provide location and behavior data. When combined, this results in adaptive MFA. This simplifies MFA for users by only requiring additional authentication when riskier behavior is detected.

Location-sensitive

Location-based MFA can consider a user’s IP address and/or geolocation. For example, when a user is accessing their account from the office network, MFA can be disabled. But when the user is trying to access the same account from a hotel business center, MFA is required.

These details can also be used to simply block a user’s access if their location is not whitelisted. For example, if you only do business in North America, you can block all access attempts from outside the continent.

Risk-based Authentication

Risk-based authentication analyzes additional factors by considering behavior when authenticating. Risk values are assigned to these behaviors with each login attempt.

For example:

  • When is the user trying to access company information? Is it during “off hours”?
  • What kind of device is being used? Is it the same device that was used yesterday?
  • Is the network connection public or private?

The risk level is calculated with these factors. Depending on the result, adaptive authentication may:

  • Allow access without requiring MFA
  • Require MFA before allowing access
  • Deny access

Adaptive MFA simplifies the login experience for users by only requiring MFA when some unusual factor is detected. MFA is not required for typical logins on regularly used devices.
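The location-sensitive and risk-based rules described above, combined into one adaptive policy as an added example (not code from the original article). The office network range, allowed countries, business hours, signal weights and thresholds are all constructed values; a real product would tune them from its own data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data (assumed values, not from any real deployment).
OFFICE_NETWORKS = [ip_network("10.20.0.0/16")]
ALLOWED_COUNTRIES = {"US", "CA", "MX"}   # "only do business in North America"
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time
ALLOW_BELOW, DENY_FROM = 2, 6            # score thresholds, also constructed

@dataclass(frozen=True)
class LoginContext:
    user: str
    ip: str
    country: str              # assumed already resolved by a geolocation lookup
    hour: int                 # local hour of the attempt
    device_id: str            # identifier presented by the browser or MFA app
    known_devices: frozenset  # devices this user has signed in from before
    public_network: bool

def risk_score(ctx: LoginContext) -> int:
    """Turn the example signals above into one risk value; weights are constructed."""
    score = 0
    if not any(ip_address(ctx.ip) in net for net in OFFICE_NETWORKS):
        score += 1            # off the office network (hotel business center, home)
    if ctx.hour not in BUSINESS_HOURS:
        score += 2            # "off hours"
    if ctx.public_network:
        score += 2            # public rather than private connection
    if ctx.device_id not in ctx.known_devices:
        score += 3            # not the device used yesterday
    return score

def decide(ctx: LoginContext) -> str:
    """Returns 'allow', 'mfa' or 'deny', the three outcomes listed above."""
    if ctx.country not in ALLOWED_COUNTRIES:
        return "deny"         # location not whitelisted: block before scoring
    score = risk_score(ctx)
    if score >= DENY_FROM:
        return "deny"
    if score < ALLOW_BELOW:
        return "allow"        # typical login from a regularly used device
    return "mfa"
```

With these weights a known device on the office network during business hours is allowed straight through, the same user at a hotel business center is prompted for MFA, and an unknown device on a public network at 2 a.m. is denied outright.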

Conclusion

Multifactor authentication is a critical tool for securing business accounts. Enabling it wherever possible makes hackers work much harder to access your company’s data. As cybersecurity experts, LeeShanok can help you implement MFA in the most effective and efficient ways possible. Contact us today for a complimentary security consultation!

Copyright © 2022 leeshanok.com