What is Multi Factor Authentication (MFA)?


With the amount of sensitive data stored and transmitted online in the 21st century, it is paramount that businesses provide each individual user of a service with safe access to accounts, identity protection, and the highest level of security. Multi-Factor Authentication, sometimes referred to as two-step authentication, is an expanding technology that can meet security needs for remote workers, consumers banking online, and much more.

How Does Multi-Factor Authentication (MFA) work?

Multi-Factor Authentication is a security mechanism used in network connectivity or mobile device activity that requires the user to authenticate access to a system through more than one security and validation process. Most MFA systems are built to combine physical, logical, and biometric validation techniques for a more robust level of secure access control. In fact, odds are that most Americans have daily interactions with MFA systems whether they realize it or not. For example, access to bank accounts through ATM cards is a basic form of MFA. The consumer must first swipe the physical card and then enter a PIN (logical validation). Another example would be an authenticator app on a mobile phone or desktop. Sticking to the banking example, a user would log in with credentials (username and password) and then the authenticator app generates a one-time code that must also be entered.

MFA consists of a variety of authentication factors. These security measures control access to sensitive data in a more robust manner by using various credentials to verify the identity of the individual user attempting to gain access to an account, device, or broader network. As mentioned above, the three most common authentication categories are physical, logical, and biometric. These can more succinctly be described as something you have (physical), something you know (logical), and something you are (biometric). Examples of each include an ATM card or hardware token, a username and password, and a fingerprint. Other authentication solution factors in MFA include:

  • Location factors – this uses the current location of a user for authentication. For example, mobile phones now commonly possess GPS that enables a level of secure access through location verification.
  • Time factors – the current time can also be used for verification. A simple example of this would be ATM card use. It would be impossible to use an ATM card to access a bank account in New York City and do so again in Los Angeles within 15 minutes.
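The location and time factors above combine into an "impossible travel" check. The following is an added example, not code from this article or its vendor; the 900 km/h ceiling, the event fields, and the sample events are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_place, later_place, implied_kmh) for each pair of
    consecutive events by the same user that implies a speed above max_kmh."""
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            # Same timestamp but a different place counts as infinitely fast.
            kmh = km / hours if hours > 0 else (math.inf if km > 1 else 0.0)
            if kmh > max_kmh:
                alerts.append((ev["user"], prev["place"], ev["place"], round(kmh)))
        last_seen[ev["user"]] = ev
    return alerts


# Constructed sample events (not real data): card use in two cities.
T0 = datetime(2024, 1, 15, 9, 0)
NYC = {"place": "New York", "lat": 40.7128, "lon": -74.0060}
LA = {"place": "Los Angeles", "lat": 34.0522, "lon": -118.2437}
SAMPLE_EVENTS = [
    {"user": "card-1001", "time": T0, **NYC},
    {"user": "card-1001", "time": T0 + timedelta(minutes=15), **LA},
    {"user": "card-2002", "time": T0, **NYC},
    {"user": "card-2002", "time": T0 + timedelta(hours=7), **LA},
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Only the 15-minute pair is flagged; the same trip spread over seven hours stays under the ceiling. A flagged event is a reason to step up to another factor, not proof of fraud, since VPNs and coarse IP geolocation produce the same signal.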

Is Multi-Factor Authentication Effective?

Nothing in this world is inherently 100% safe and effective. Even the most robust security measures to control access to sensitive data, identity information, and login credentials cannot be 100% perfect. However, MFA is a relatively simple step that drastically reduces the likelihood of an attacker gaining access to a user passcode or other sensitive data. MFA has been adopted on a variety of platforms as a strong authentication solution to prevent security breaches and email breaches, enhance access management, and stop phishing attacks.

Why is Multi-Factor Authentication Important?

Multi-Factor Authentication is important to a variety of businesses and everyday consumers because it helps ensure greater verification for data access, secures sensitive business applications, and grants peace of mind when banking online, for example. With the number of malicious attacks increasing by the year and the public at large increasingly relying on mobile devices or other Internet-connected devices for access control to sensitive data, the simplicity and security of MFA are extremely important.

For businesses, MFA not only offers protection and peace of mind for consumers, but it also protects the business against liability. Countless data breaches in the last several years alone have exposed the sensitive data of millions of Americans. The result for those businesses has been lawsuits filed on behalf of those impacted that result in millions of dollars in payouts. Improving authentication methods with MFA is a simple way to avoid paying millions in restitution to impacted consumers.

Is Username and Password Multi-Factor Authentication?

Simply entering a username and password is not considered Multi-Factor Authentication. In order for a security measure to count as secure access by MFA standards, it must present at least two of the three formats mentioned above: physical, logical, and biometric. In the case of a username and password, all the user is providing is the logical portion (something they know). The problem with username-and-password access is that it requires the management of a database with data on usernames and passwords. If a security breach occurs in that database, it is only a matter of time before a hacker could crack the passwords of every account using brute force attacks.

What Does Multi-Factor Authentication Protect Against?

Multi-Factor Authentication protects against a range of threats. The primary goal of MFA is to ensure secure access to an account, device, or network. Simple login information or a single sign-on (SSO) is no longer secure enough to protect against the threats from hackers. Passcodes are too easily defeated by brute force attacks when username-and-password databases are breached. With the enhanced authentication methods of MFA, businesses can ensure secure access to applications for the workforce, consumers can bank online with peace of mind, users can access mobile app shopping accounts and check out safely, and data networks can be secured.

What Companies Use Multi-Factor Authentication?

Companies from a wide variety of industries use Multi-Factor Authentication to protect against security breaches and provide secure account access for users/consumers. There’s really no shortage of companies that use MFA. The following are a handful of examples of companies that use MFA that combines risk-based authentication, knowledge-based authentication, and other forms of strong authentication:

  • Banks: When it comes to online banking, in particular, banks combine username and password access with an additional PIN for access. Users can opt into more stringent MFA methods that would include a verification code sent via SMS.
  • Google: There is a Google authenticator available for all Google-based apps that would ask users to add an additional layer of security to their accounts through MFA. This could include receiving a push notification with an SMS code or using a fingerprint to complete transactions using Google Pay, for example.
  • Microsoft: Like Google, a Microsoft authenticator is available that controls secure access to email accounts in Outlook and other Microsoft services.

In general, any company that is storing sensitive data or is in charge of access to that sensitive data through applications is likely to use MFA to prevent security breaches. This includes companies that provide remote access to the workforce. Many online email services even suggest users adopt MFA options to protect against email breaches.

How Sensitive is Your Business Data?

Multi-Factor Authentication is not required for every industry, leaving the decision to turn to MFA for enhanced security and access management optional for many businesses. In most cases, the first thing a business should consider in determining whether or not to use MFA is the sensitivity of its data. It is important to consider how damaging a security breach resulting from a lack of enhanced authentication through MFA would be to the daily operations of the business and its reputation, along with any potential capital losses that could be incurred.

There are a handful of industries in which two-factor authentication has become the minimum for acceptable security and verification of login credentials. Sectors such as finance, healthcare, defense, law enforcement, and government require at least two-factor authentication for access. In many cases, businesses in these sectors have deemed their data sensitive enough to require MFA.

Do Your Users Need to Connect from Remote Locations?

Another factor to consider when deciding whether or not to adopt Multi-Factor Authentication is the location of the workforce. Does the business have one or multiple employees connecting from remote locations? MFA can ensure that access to the network from remote locations is secure and controlled with MFA methods that protect not only company data, but the integrity of the network and applications used by the business each day.

What’s the Difference Between MFA and Two-Factor Authentication?

The difference between Multi-Factor Authentication and Two-Factor Authentication is really quite simple. Although the terms are sometimes used interchangeably to define enhanced authentication methods for secure access, the truth is that the two are different. Two-Factor Authentication is always limited to two factors of authentication. Think back to the first example of ATM access. Authentication is limited to physical and knowledge, those being the possession of the ATM card and the knowledge of the PIN that controls access.

MFA simply refers to any authentication system that uses at least two forms of authentication to control access. MFA can be as simple as including just one more authentication step for the user in order to gain access. An example of this would be entering a username and password, then entering a PIN, and using a fingerprint.

What are Some of the Drawbacks of Multi-Factor Authentication?

Although Multi-Factor Authentication is increasingly popular and has proven effective in preventing security breaches and controlling access, there are drawbacks to the implementation of MFA. A good MFA system is one that is simple and easy for the end-user, whether that is a remote employee or a consumer trying to access their bank accounts online.

Smartphones are a source of two potential drawbacks in the use of MFA. Some banks have taken the step of allowing consumers to access ATMs even without a card by retrieving a one-time code via SMS. However, when MFA methods require possession of a smartphone to receive push notifications or SMS codes, consumers who have forgotten their smartphone at home or in the car will find their interaction with MFA measures to be annoying, at the very least.

Even more problematic is the potential for smartphones and hardware tokens to be stolen. Although this does not grant immediate access to a secure network, it does eliminate some of the security layers to MFA when a physical token is in the hands of the wrong party. Recently, a growing number of Americans have had their smartphone numbers illegally ported away. This grants hackers access to their number and when combined with username and password information, hackers can reset access controls on accounts and verify that move using push notifications and SMS codes.

From a business perspective, MFA can be costly to set up. Although it provides continuity, MFA’s high level of security can come at a cost that is prohibitive for some companies. The key is to find the right authentication partner to work with.

What are the Benefits of Multi-Factor Authentication?

On the plus side, Multi-Factor Authentication does come with powerful pros that make its implementation worthwhile when weighed against the potential drawbacks. First and foremost, MFA adds an additional layer of security that is more difficult to work around. With each added authentication factor, there is built-in compensation for the potential weaknesses of other authentication factors. For example, just because a username and password database is breached doesn’t mean that hackers have direct access to accounts and sensitive data.

Additionally, the use of physical tokens in the workplace makes life simpler for employees while also providing that added layer of security. Hardware tokens such as a USB stick (think Google’s Titan Key) can be used in the MFA process. A user simply inserts the USB token into a laptop or desktop during login and they are immediately verified as a valid user.

Avatara’s CompleteCloud system offers a superior MFA solution to protect against security risks. Users can connect to the business network from remote locations and not worry about falling victim to cyber theft. Avatara MFA is actually part of a seven-layer cybersecurity program that uses strong authentication solutions to ensure that network access is controlled and limited only to authorized personnel. For example, Avatara MFA uses back-end monitoring functions that can detect when a laptop isn’t in a specific geographic location (such as a building). In this case, an alert via phone call, SMS code, or email is sent to confirm that the individual logging in through that device is authorized to do so.

Remember that MFA is not required outside of certain industries. However, protecting sensitive data is not only a prerogative that is important to the daily operations of a business, but also to its continuity of operations. Security breaches benefit no one, and MFA can help.