What is multi-factor authentication and how does it benefit my organization?
Author: Christopher Tozzi
Protecting applications and devices using passwords is common practice. What's even better is securing them with multiple passwords or other login requirements, a practice known as multi-factor authentication (MFA).
The reason why is simple: The more log in steps—or "factors"—you require, the harder it becomes for malicious actors to access sensitive resources or disrupt critical services. With multi-factor authentication, your apps and infrastructure remain safe even if the bad guys manage to compromise a password or circumvent access control.
That said, multi-factor authentication can be taken too far and has known shortfalls. Before adding MFA security to every system in your business, it's important to consider the potential drawbacks of this approach and understand its limitations.
To help you decide when and how to use multi-factor authentication, this article explains what MFA means, how MFA security works, and when it does and doesn't make sense to take advantage of MFA security.
What is multi-factor authentication?
Multi-factor authentication is a security strategy that requires users to provide multiple authentication factors—such as passwords or access keys—in order to log into a system.
MFA is distinct from conventional security techniques because traditionally, applications and devices only required one authentication factor—usually, a password. With MFA, users have to enter multiple factors before a system grants them access.
How does multi-factor authentication work?
In most cases, the MFA process starts by having users initiate a log in process by submitting the first authentication factor, such as a password. If that's successful, they are then prompted for a second authentication factor, such as a code sent to them by text message, or biometric authentication, which means the user is authenticated based on physical characteristics rather than a digital one (like a password). They must enter the second factor successfully in order to continue the process.
The multi-factor authentication process continues until the user has entered all required login factors. The number of required factors is determined by IT staff or security admins.
How many authentication factors do I need?
You may sometimes see the term "2FA." 2FA stands for "two-factor authentication." This means there are only two authentication factors required to log in. 2FA is one form of MFA as MFA implementations can require more than two factors to authenticate. For example, you could require a user to enter a password, then enter a login code sent to the user by SMS message, then scan a fingerprint. In this case, you'd have three authentication factors.
Why might you choose to require more than two login factors? The simple answer is security. The more factors users have to enter successfully, the more secure your applications or devices will be, as each additional factor creates a barrier attackers would need to circumvent.
That said, requiring too many authentication factors can be problematic because it may lead to log in processes that are overly complex or time-consuming for users. It’s important to assess your devices and applications to achieve the right balance between usability and security when implementing MFA. The more sensitive a resource is, the more authentication factors it makes sense to require. But for resources that are lower-stakes from a security perspective, numerous authentication factors may be overkill.
Benefits of multi-factor authentication
At a high level, the main benefit of multi-factor authentication is it can reduce the risk of access to sensitive applications or data by parties who should not be authorized to view or use them.
To be more specific, the advantages of multi-factor authentication include:
Defense against external hackers
The Verizon 2023 Data Breach Investigations Report found that 74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering.
Hackers can obtain access to login credentials, like passwords in various ways, for example, through phishing attacks or by purchasing stolen password databases on the Dark Web. With MFA, however, a single stolen credential isn't enough for hackers to log in. Having to buy or steal multiple credentials can make attacks substantially more difficult.
Protection against malicious insiders
MFA security also helps protect against insider threats and deter malicious insiders who might seek to harm a company from within. For example, a disgruntled IT employee might be able to look up other employees' passwords, then try to log into sensitive applications under their accounts. With MFA in place, however, a single password wouldn't be enough for the malicious insider to access those systems.
Sometimes, an application as a whole isn't sensitive enough to require MFA, but certain features or data accessible within it may need extra security. For instance, a finance app may allow a user to log in with just a password but then prompt the user for an additional login factor before they are allowed to move money. In this way, MFA enables granular security controls.
MItigating user errors
MFA helps to mitigate the impact of these actions by ensuring that a security oversight that gives bad actors one login credential won't translate to total access to a system.
In all of these ways, MFA security helps businesses protect their most sensitive resources.
Limitations of MFA
It's important to note as well that although MFA significantly enhances security, it doesn't guarantee protection against attacks. It's possible for threat actors to steal multiple credentials in order to bypass MFA controls. For instance, an attacker could use social engineering to trick an employee into handing over both a password and the security code emailed to the employee as a secondary authentication factor.
Partly for this reason, NIST recommends requiring login factors that can't be looked up—such as a biometric factor—as part of a successful MFA strategy. Because authentication factors like scanning a fingerprint require physical interaction, it is much more difficult for attackers to bypass security controls that require biometric authentication than it is for them to supply simpler types of factors, like passwords and login codes.
That said, even biometric login factors can sometimes be defeated by attackers. For instance, a group of sophisticated researchers were able to bypass the existing security measures by using brute-force fingerprints and unlock the devices, termed a BrutePrint Attack. According to the article by LatestHackingNews.com, “The concept behind this attack is to unlock a physically possessed device, such as a smartphone, locked with fingerprint scans, via hardware. Although, carefully conducting this attack requires the attacker to possess a huge library of fingerprint scans for brute-forcing.”