What is Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is a method of confirming a user’s claimed identity in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

A good example of two-factor authentication is withdrawing money from an ATM; only the correct combination of a bank card (something that the user possesses) and a PIN (something that the user knows) allows the transaction to be carried out.

Another example of two-factor authentication is in frequent use on gmail.com: every fresh login asks for the password and a system-generated one-time password (OTP) sent to the registered mobile number or email address.

Two-step verification or two-step authentication is a method of confirming a user’s claimed identity by utilizing something they know (a password) and a second factor other than something they have or something they are. An example of a second step is the user repeating back something that was sent to them through an out-of-band mechanism. Alternatively, the second step might be a six-digit number generated by an app from a secret that is shared between the user and the authentication system.

Use of mobile phones

Many multi-factor authentication vendors offer mobile-phone-based authentication. Some methods include push-based authentication, QR-code-based authentication, one-time password authentication (event-based and time-based), and SMS-based verification. SMS-based verification suffers from some security concerns. Phones can be cloned, apps can run on several phones, and cell-phone maintenance personnel can read SMS texts. Not least, cell phones can be compromised in general, meaning the phone is no longer something only the user has.
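The app-generated six-digit code described above and the event-based and time-based one-time password methods listed here are both built on the same construction: an HMAC over a counter, truncated to a short decimal string (HOTP, RFC 4226), where the "time-based" variant simply uses the current 30-second time step as the counter (TOTP, RFC 6238). The following is an added example, not code from the original article: it implements both generators and the server-side verification that goes with them, including the drift window a verifier must tolerate and the counter bookkeeping that stops an event-based code from being replayed. The secret used is the RFC test-vector key, embedded here as constructed input; the function names are this example's own.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"),
# embedded here as constructed sample input. Real deployments generate a
# random per-user secret and share it once, e.g. via a QR code.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 event-based one-time password: HMAC(secret, counter), dynamically
    truncated to `digits` decimal digits (zero-padded)."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                            # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 time-based one-time password: HOTP over the current time step.
    Both the app and the server derive the same counter from the clock."""
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side TOTP check. Accepts the current step plus `window` steps on
    either side to absorb clock drift between phone and server. Comparison is
    constant-time so a timing side channel cannot leak digit-by-digit matches."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = timestamp // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def verify_hotp(secret: bytes, submitted: str, next_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check with a resynchronisation window.

    `next_counter` is the lowest counter value the server will still accept
    (persisted per user). On success, returns the counter value to persist
    next (matched counter + 1), so an already-used code is rejected if replayed.
    Returns None on failure."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    for counter in range(next_counter, next_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter + 1
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("current TOTP:", code, "accepted:", verify_totp(SECRET, code, now))
    # Event-based flow: the server stores the next expected counter per user.
    state = 0
    state = verify_hotp(SECRET, hotp(SECRET, 0), state)      # first code -> state 1
    print("replay of first code accepted?", verify_hotp(SECRET, hotp(SECRET, 0), state) is not None)
```

The drift window is the usual trade-off between usability and exposure: each extra step accepted on either side gives a stolen code a longer useful life, so one step (about 30 seconds each way) is a common default. For HOTP, persisting the returned counter is what makes the code single-use; a verifier that forgets to advance it turns the event-based scheme into a static password.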

The major drawback of authentication that includes something the user possesses is that the user must carry the physical token (the USB stick, the bank card, the key or similar) around practically at all times. Loss and theft are risks. Many organizations forbid carrying USB and electronic devices in or out of their premises owing to malware and data-theft risks, and most important machines do not have USB ports for the same reason. Physical tokens usually do not scale, typically requiring a new token for each new account and system. Procuring and subsequently replacing tokens of this kind involves costs. In addition, there are inherent conflicts and unavoidable trade-offs between usability and security.

Mobile-phone two-step authentication, involving devices such as mobile phones and smartphones, was developed to provide an alternative method that avoids such issues. To authenticate themselves, people can use their personal access code to the device (i.e. something that only the individual user knows) plus a one-time-valid, dynamic passcode, typically consisting of 4 to 6 digits. The passcode can be sent to their mobile device by SMS or push notification, or can be generated by a one-time-passcode-generator app. In all three cases, the advantage of using a mobile phone is that there is no need for an additional dedicated token, as users tend to carry their mobile devices around at all times.

As of 2018, SMS is the most broadly adopted multi-factor authentication method for consumer-facing accounts. Notwithstanding the popularity of SMS verification, the United States NIST has condemned it as a form of authentication[10], and security advocates have publicly criticized it.

In 2016 and 2017 respectively, both Google and Apple started offering users two-step authentication with push notification as an alternative method.[12]

The security of mobile-delivered security tokens depends entirely on the mobile operator’s operational security, and can be easily breached by wiretapping or SIM cloning by national security agencies.