What Is Multi-factor Authentication (MFA) and How Does it Work?

The fact is, if you aren’t using multi-factor authentication (MFA), then your accounts are not as secure as you think.

Published on
November 16, 2021

Modern technology makes life easier. The way the internet has become deeply ingrained in our day-to-day routine brings with it many benefits. We can now shop, bank, do our taxes, and more all from our computers and smartphones. 

With convenience, though, there are often downsides to be concerned about. Indeed, as the amount of our personal information online has grown, so too has the frequency of cyber attacks. You may think you are safe from these threats because you have a highly randomized password that could never be guessed.

This feeling of confidence in the cyber security you are currently using is exactly what cybercriminals prey on. The fact is, if you aren’t using multi-factor authentication (MFA), then your accounts are not as secure as you think.

Limitations of Password Security

Passwords have been the authentication method of choice in the online world essentially since day one, or at least since in-home internet became popular. If you had an email account in the early 1990s, you authenticated with a password. That was thirty years ago, and most people still use passwords as the only means of securing their online accounts.

Why are passwords insecure, though? Several factors make passwords a weak form of security on their own.

Easy to Guess Passwords

The first and most obvious reason is that users often choose easy-to-guess passwords. Attackers are resourceful, and if your password consists of dictionary words and numbers, it won't be long before a persistent attacker programmatically runs through millions of possibilities and lands on the correct one.

Stolen Passwords

Even if you make your password difficult to guess by using a random collection of letters, numbers, and special characters, you still have to contend with cybercriminals obtaining your password by other means. For example, phishing emails can be very convincing. Also, if your system is compromised, it is simple for the cybercriminal to install a keylogger that records your keystrokes when you type your password.

Further, compounding the insecurity of password authentication is the tendency of many users to save hard or digital copies of all their passwords. Believe it or not, many people keep a text document right on their hard drive, unencrypted, that has all of their passwords listed. This may seem like a good idea because it is genuinely frustrating to forget a password, but all it takes for disaster to strike is one determined hacker to get into the system to locate this password list.

We know that passwords are not very secure, so what can you do to protect your private information? That is where multi-factor authentication comes in.

How Does Multi-Factor Authentication Work?

To put it simply, and as the name suggests, multi-factor authentication is a system that requires one or more additional authentication factors on top of a password. There is also what is called two-factor authentication (2FA), which means exactly two factors are needed to authenticate a user. With MFA, there can be two or more factors, which makes 2FA a subset of MFA.

There are three commonly defined factors to be used for authentication:

  • Knowledge Factor - The knowledge factor is based on information that the user knows. This includes passwords, passphrases, and PIN codes. This is the least secure form of authentication.
  • Possession Factor - The possession factor has to do with what you have with you, which typically means a device such as a mobile phone. This is a strong level of security because the odds of another person both stealing your password and taking possession of your phone are remote.
  • Inherence Factor - The inherence factor is about who you are, and generally relates to biometric data such as fingerprints, retina patterns, and facial recognition. Think of Apple’s Touch ID or Face ID. This is the most secure authentication factor, as biometric traits are unique to each individual.

How MFA works is fairly straightforward. The authentication process typically starts with the knowledge factor, by requiring the user to enter a password (most common) or PIN. If this is entered incorrectly, of course, the request will be denied. If the password is entered correctly, the second form of authentication will then be required.

The next step depends on how the system you are accessing has configured its authentication requirements; some systems also let the user choose among several options for the second factor.

Here are some examples of what this next step may look like in different scenarios.

Possession Factor

Some authentication systems may use a security fob (also known as a hardware token), a magnetic badge, or another form of possession factor. This is most common in a physical security system for a business, or in a debit card used with a PIN code.

More recognizable for the average user who is simply trying to log in to their bank account, for example, would be using a smartphone as the second authentication factor. There are several different ways that possession of a registered smartphone can be used as part of an MFA process.


App Notifications

This can be accomplished by sending a notification to the relevant app on a smartphone on which the account has previously been authenticated (for example, your bank may send the notification through its mobile banking app).

Because this device was previously registered to the account as being owned by the user, the authentication system can be highly confident that it is genuinely the account owner that is trying to log in when they approve the notification. This is a prevalent form of authentication, though the type we will look at next is starting to become the go-to method.

Authenticator Apps and One-Time Passwords

Possession factor authentication may use dedicated authenticator apps, where the user reads a Time-based One-Time Password (TOTP) from the app. This application isn’t necessarily owned or maintained by the party whose system is being accessed. In fact, authenticators are typically third-party applications that can be registered with your accounts.

The way this works is relatively straightforward. The user sets up their accounts with the authenticator app on their smartphone, and when they log into their account on any device they are then instructed to open their authenticator app to confirm the TOTP that has been generated on the initial login attempt. Two popular apps for this are Google Authenticator and Microsoft Authenticator, though there are a myriad of options to choose from. It may be best to stick with the two mentioned, as they are more time-tested, but there are other strong options.

SMS OTP and email OTP are similar to the TOTP codes generated by authenticator apps. The difference is that the code is delivered via text message or email rather than generated on the device by the authenticator app.

Inherence Factor

The use of biometric data for authentication isn’t a new concept in many applications, but it is a relatively recent evolution in the landscape of smartphones.

This authentication factor is the simplest for the user, as it is a matter of their device simply recognizing either their fingerprint, eyes, or face. Apple’s Face ID and Touch ID are perfect examples of this authentication method. There are other smartphone manufacturers with similar features, and many laptops have had fingerprint scanners for years. Newer versions of Windows also have the Windows Hello feature which uses facial recognition as an authentication factor.

Benefits of Using Multi-Factor Authentication

The benefits of using MFA are in the added depth of security. No longer is the user’s security solely based on knowing a password that could potentially be stolen or shared. In the event that your password is stolen, the cybercriminal will be unable to access your account unless they have also physically stolen your smartphone, which is exceedingly unlikely. 

With some MFA systems, there is also an added benefit if you were to forget your own password. For example, you may have the option to authenticate with your authenticator app, which may also use Apple’s Face ID. Remember, MFA most frequently uses the password as the first factor, but it isn’t mandatory.

There are also benefits for a business to require MFA when their employees are accessing certain files, systems, or physical locations. By requiring a password in combination with biometrics or a physical security device, the business can more easily track precisely who is accessing which systems.

Harness the Power of MFA with Authgear

Authgear is a powerful tool for developers when they need to add authentication to their applications. 

You can enable MFA for your apps with a few clicks on Authgear

The robust plug-and-play software provides the capability of adding a multitude of security features within a matter of minutes. Authgear supports 2FA using TOTP through the Google Authenticator app as well as options for SMS OTP and Email OTP. Additionally, Authgear also works with biometric authentication methods, which can be easily enabled by the developer.

Authgear offers flexible pricing based on your monthly active users (MAUs), including a free tier that allows up to 5,000 MAUs.

Featured image: Computer vector created by stories - www.freepik.com