What Is Multi-Factor Authentication?
Multi-factor authentication (MFA) is an authentication method that combines several credentials, the so-called factors. You may know MFA from online banking, where it is used to verify transactions, and from login procedures that are secured by additional factors.
Last year we explained two-factor authentication (2FA), the variant of multi-factor authentication that uses exactly one second factor to authenticate or verify. The basic principles described in that post also apply to multi-factor authentication. The following factor types are possible with both 2FA and MFA:
- Knowledge: A secret that users know, such as passwords, PINs or passphrases.
- Possession: Something possessed by users, such as keys or tokens.
- Feature: Characteristics inherent to users, such as iris patterns, fingerprints or other biometric data.
If, for example, knowledge (a password) and a feature (a fingerprint) are combined, that is 2FA. Adding further factors, such as tokens, turns it into multi-factor authentication.
Multi-factor Authentication: Pros And Cons
The most significant advantage of multi-factor authentication is obvious: with each additional factor, the risk of identity theft recedes further, because even if the password has been compromised, access is still protected by at least one other proof of entitlement.
The disadvantages usually lie in usability: the more factors users have to present when logging in, the more complex the login process becomes. If one of the factors is lost, the system cannot be accessed at all until it is replaced, and replacing a lost factor involves considerable additional effort.
Nevertheless, the more factors are used, the more secure the authentication is. A recent report by the US magazine The Record shows that there are now around 1,200 phishing toolkits that can be used to attack two-factor authentication. According to the report, the most common variant is the theft of authentication tokens stored on the user's computer. Such tokens exist for convenience: users do not have to log in every time they visit a page but can remain logged in for a certain period. Attackers who obtain such a token bypass the authentication entirely.
The second most common variant is the man-in-the-middle attack: attackers position themselves between the service provider and the user to steal data; in the identity thefts described in the report, the login codes themselves are harvested. Criminals can also do this with malware on smartphones: if a user logs into an online service and waits for a 2FA code sent via SMS, the malware intercepts it. Using a separate device for the second factor helps avoid this scenario.
The right combination is required when using multi-factor authentication: the login process must not overwhelm users, but it must not underwhelm cybercriminals either.
Multi-Factor Authentication: Possible Factors
To help find the right combination of different factors, here are a few possible factors:
- OTP/TAN: One-time passwords (OTP) or transaction numbers (TAN) are codes that are valid for a single use. They can reach users by phone call, SMS, software (e.g., authenticator apps) or hardware (TAN generators).
- Token: Tokens store cryptographic keys that serve as an additional factor.
- Location: Authentication methods can gain extra security through geographic or network-based restrictions. For example, location requirements can be configured so that users are granted access only if they are on the corporate network or in certain countries.
- eID/electronic identity card: The electronic identity card (“eID”) can be used to authenticate to various online services. Authorization certificates make it possible to access the stored data, and they also let citizens see who has accessed which data and for what purpose.
Multi-Factor Authentication: Authenticate Securely
As an account security measure, multi-factor authentication is a tried and tested means against identity theft. With two or more authentication steps carried out separately with different factors, ideally on different devices, users can securely prove their identity. It is difficult for cybercriminals to harvest all of the authentication credentials, and even if one factor is compromised, one or more others still protect against identity theft.