What is Multi-Factor Authentication (MFA) and why is it necessary?

TheFourSec
3 min read · Oct 20, 2021


What is Multi-Factor Authentication (MFA)?

Multi-factor Authentication (MFA) is a security technology that requires a user to present multiple verification factors in order to prove their identity at login, or to approve access to a resource such as an application or an online service.

Rather than just asking for a username and password, MFA will require a combination of two or more independent credentials, which decreases the likelihood of a successful cyber attack.

The goal is a layered defense that makes it harder for an unauthorized person to gain access to a target. If one factor is compromised, the attacker still has one or more barriers to get past before reaching the target.

How Does MFA work?

MFA works by requiring additional verification information (factors). It combines two or more independent credentials: what the user knows (knowledge factor); what the user has (possession factor); and what the user is (inherence factor).

  • Knowledge factor: This factor requires the user to provide something only they would know. The most common examples are security questions and, of course, the password, which may also take the form of a PIN or a passphrase.
  • Possession Factor: With this factor, the user must have something specific in their possession in order to log in. It’s much less likely that a hacker has stolen your password and stolen something physical from you, so this factor confirms that you are in possession of the specific item. This includes mobile phones, tokens, badges, smartcards, etc.
  • Inherence Factor: This factor is commonly verified using biological traits that the user has. The most common form of this factor is using fingerprint scans on a mobile phone, but also includes anything that would be a unique identifier of who you are as a physical person — voice authentication, facial recognition, retina scan, and any other kind of biometrics.

One-time passwords (OTPs) are the most common form of MFA. OTPs are 4–8 digit codes that are typically delivered via SMS, email, or an authenticator app on a mobile device. A new code is generated periodically (time-based) or each time an authentication request is submitted (event-based), so a code that has been intercepted once is of little use afterwards.

The possibilities spread across the three categories are endless, and different authentication mechanisms may be better for different companies depending on their unique needs and use cases.

Why is MFA Important?

With MFA, both organizational and personal security are strengthened by requiring users to identify themselves with more than a username and password. Usernames and passwords remain the most common way to authenticate identity, but on their own they provide very little protection. There is an alarming variety of attack vectors that attackers use to steal passwords or gain access, including phishing, brute force attacks, web application attacks, point-of-sale intrusions, and even stolen hardware. Enforcing MFA means a compromised password alone is no longer enough, which gives an organization greater confidence that it can withstand cybercriminals.

Conclusion

Stopping all online crime is not a realistic goal, but simple steps can massively reduce the likelihood that you will be the next victim. MFA is fundamental to reducing the likelihood of being compromised and should be used whenever possible, especially for sensitive accounts such as your primary email and financial accounts.

Some organizations will require MFA as a fundamental step, others will offer it as an extra option. Even then, we must take the initiative to turn it on. Furthermore, if an organization is processing personal sensitive information and does not provide MFA, it should be our responsibility to say ‘no thanks, not until you provide MFA to secure my information.’

This article has been written by Ann Kangerwe, a Network Security Engineer at the E-Kraal Innovation hub, who is passionate about cybersecurity awareness and has a keen interest in transforming the Kenyan cyberspace into a safe space for all citizens.
