Multifactor Authentication (MFA)
What Is Multifactor Authentication?
Authentication is the process of verifying a user’s identity before granting them access to a secured system.
An authentication factor is any piece of information that can be used to verify a user’s identity, such as a password, PIN, or fingerprint.
Multi-factor Authentication (MFA) is a highly secure approach to user authentication where multiple authentication factors are required to verify a user’s identity before granting them access to a secured system.
Organizations undergoing digital transformation can implement MFA to better secure applications, data, and infrastructure hosted in the cloud. Implementing MFA to protect enterprise applications, IT systems, and cloud infrastructure bolsters organizational cybersecurity, making organizations more resilient against credential theft and account takeover attacks.
Why is Multi-factor Authentication Necessary?
Computer systems and software applications have traditionally verified user identity with a single-factor authentication approach based on username and password combinations.
During account creation, users enter their personal information, select a username that will be linked to their identity, and establish a secret password that will serve as an authentication factor. When the user wants to access the account, they simply enter their username (an assertion of their identity) and password (an authentication factor verifying their identity) to gain access.
Username/password combinations are a relatively secure method of authentication as long as they remain secret, but this isn’t always the case.
In reality, hackers and digital adversary groups invest significant time and resources to launch social engineering (e.g. phishing, domain spoofing, etc.), malware, and other kinds of cyber attacks with the goal of stealing credentials, taking over accounts, and gaining access to secured systems and data.
Multi-factor authentication provides an additional layer of security in the login process by requiring more information than just a username and password to access a secured system. With malicious actors working overtime to steal credentials and gain unauthorized access to enterprise data, multi-factor authentication ensures that a stolen or exposed username and password alone is not enough to access secure systems and data.
The growing prevalence of phishing, credential theft attacks, and other cloud computing security risks has made it that much more important for enterprises to secure their most critical systems and databases with multi-factor authentication.
Understanding the 4 Types of Authentication Factors in Multi-factor Authentication
A multi-factor authentication process uses more than one type of authentication factor to verify the user’s identity. Below, we summarize 4 types of authentication factors that may be used.
Location-based Authentication Factors
A location-based authentication factor can help verify a user’s identity by providing evidence of their physical location. If a user account is normally accessed from Palo Alto, California, location-based authentication factors can be used to determine whether a login attempt originated from the expected location.
Location-based authentication factors may include:
- GPS coordinates - Enterprises can use location services and geo-fencing technology to grant access only when a user is located in a specific geographic area.
- IP addresses - Enterprises can grant access only when a login attempt originates from a familiar IP address.
Location-based authentication is not the most secure, as malicious actors may be able to thwart these checks by using a VPN or spoofing techniques to send fake location data to the authentication server.
Knowledge-based Authentication Factors
A knowledge-based authentication factor verifies user identity by having the user supply secret information that is only known to them. Knowledge-based factors are typically memorized by the user or recorded offline and should never be shared with others, including other employees of the business.
Knowledge-based authentication factors may include:
- Usernames or login IDs - Authentication systems can allow users to create their own usernames, generate a unique login ID for each new user, or have users log in with their email address.
- Passwords - Passwords are a standard knowledge-based authentication factor.
- PINs - A 4-6 digit personal identification number is easily memorized and can be used to authenticate user identity.
- Secret questions - Some authentication services verify user identity by having the user create or select secret questions that only the user knows how to answer.
Knowledge-based authentication systems require additional security features (such as attempt limits and account lockout) to prevent hackers from using automated tools to guess passwords or PINs via brute force attacks. Hackers have also used social engineering techniques to discover the answers to a user’s secret questions.
Knowledge-based authentication works best when users are educated on cyber risk and diligent about safeguarding their secret information.
Possession-based Authentication Factors
A possession-based authentication factor is a digital asset or physical object belonging to the user that can be used to verify their identity.
Possession-based authentication factors may include:
- Email addresses and phone numbers - The most common possession-based authentication factors.
- MAC addresses - A MAC address is a unique identifier code assigned to a network adapter.
- Mobile Device IDs - A device ID is a unique string of numbers and letters that identifies a mobile phone or tablet device.
- Physical security tokens - Enterprises can assign their employees a programmed USB key or wireless tag that serves as possession-based authentication when accessing the network.
Possession-based authentication can be highly secure, especially with physical security tokens that are difficult for malicious actors to replicate. Hackers can sometimes defeat possession-based authentication by taking control of a target’s email account (e.g. with a phishing or credential theft attack) or phone number (e.g. with a SIM hijacking attack).
Biometric Authentication Factors
With biometric authentication, the user’s personal physical characteristics are used to verify their identity. Common biometric authentication methods today include fingerprint or retina scanning as well as facial or voice recognition technology.
How Does Multi-factor Authentication Work?
Users Configure MFA in the Account Creation Process
During the account creation process, users will be asked to establish multiple authentication factors that can be used to verify their identity. A username/password combination is almost always required, but users may also be asked to:
- Verify their email account or phone number,
- Choose a security PIN,
- Select and provide answers to one or more secret questions, or
- Provide a biometric reading (e.g. fingerprint, retina/facial scan, or voice sample).
MFA Validates User Identity in the Login Process
During the login process, users will be asked to provide multiple authentication factors to verify their identity. In addition to providing a valid username/password combination, users may be asked to:
- Confirm a verification code that was sent to their phone or email address,
- Enter their secret PIN,
- Answer secret questions, or
- Complete a biometric scan.
Some location- or possession-based authentication factors (e.g. device ID, IP or MAC address, GPS coordinates) may be automatically transmitted from the user’s device to the authentication server by specialized services.
System Access is Granted when MFA Succeeds
When a user provides the information necessary to verify their identity, multi-factor authentication succeeds and the user will be granted access to the secured system, database, or application.
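As an added example (not TierPoint’s code or any product’s), the enrollment-then-login flow described above can be sketched server-side as a check that combines three kinds of factors: a salted password hash (knowledge), a single-use, time-limited verification code delivered out of band (possession), and a known-IP check (location), plus a failed-attempt lockout against automated guessing. The Account class, its field names and the limits are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERS = 600_000   # assumed iteration count for this example
CODE_TTL = 300           # seconds a delivered verification code stays valid
MAX_FAILED = 5           # lock the account after this many failed logins


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


class Account:
    """One user's enrolled factors (hypothetical in-memory store)."""

    def __init__(self, username: str, password: str, known_ips: list[str]):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)   # knowledge factor
        self.known_ips = set(known_ips)                      # location factor
        self.pending_code = None                             # possession factor
        self.failed = 0

    def issue_code(self, now: float) -> str:
        """Generate a one-time code; a real system delivers it by SMS or e-mail."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_code = (code, now + CODE_TTL)
        return code


def login(acct: Account, password: str, code: str, client_ip: str, now: float) -> bool:
    if acct.failed >= MAX_FAILED:
        return False   # locked: stops machine-driven guessing of the code or password
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    code_ok = False
    if acct.pending_code is not None:
        expected, expiry = acct.pending_code
        code_ok = hmac.compare_digest(code, expected) and now <= expiry
    loc_ok = client_ip in acct.known_ips
    # Every factor is evaluated before deciding and the caller only learns pass/fail,
    # so a stolen password by itself yields neither access nor a hint about the code.
    if pw_ok and code_ok and loc_ok:
        acct.pending_code = None   # single use: the same code cannot be replayed
        acct.failed = 0
        return True
    acct.failed += 1
    return False
```

The IP addresses and credentials used in any test of this code are constructed values, not real accounts.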
What are the Benefits of Multi-factor Authentication?
Prevent Unauthorized Access to Secure Systems
Multi-factor authentication thwarts credential theft and account takeover attacks, preventing cyber attackers from accessing secure systems without the proper authorization. The additional security provided by MFA helps organizations protect against ransomware attacks, cryptojacking, and other kinds of cyber attacks.
Safeguard Cloud and On-premise Databases
The consequences of a data breach can be severe for enterprise organizations, including unplanned operational downtime, direct remediation costs, regulatory penalties, and legal liability costs.
Implementing multi-factor authentication helps enterprises secure critical data against unauthorized access and avoid the negative consequences of a data breach.
Comply with Data Security/Privacy Regulations
Some data privacy and security regulations (e.g. HIPAA, PCI DSS, etc.) require enterprises to protect sensitive data by implementing secure access controls that prevent unauthorized access. Implementing MFA can help enterprises show compliance with these data privacy/security regulations.
Secure Your Critical Applications with TierPoint’s Multi-factor Authentication Solutions
TierPoint offers managed IT security services to help our customers cost-effectively safeguard critical IT systems and cloud infrastructure against unauthorized access.
TierPoint’s CleanIP Managed MFA Solution empowers our customers with a streamlined and secure login service for every application and user, helping to ensure that only authorized users can access secured business applications, IT assets, or cloud infrastructure.
Ready to learn more?
Book an intro call with us and see how TierPoint’s multi-factor authentication service can help you prevent data theft, prevent unauthorized access to your IT infrastructure, and comply with data security/privacy regulations.