Multi-factor authentication (MFA) is a security system that requires users to provide two or more forms of identification to gain access to a system or application. If you’ve ever signed into your social media account, or banking app for example, it might occasionally ask you for further authentication, to add another layer to the security of your data.
As well as protecting customer data, organisations might choose to use this method of login for work related apps so that the network that staff access is safe from unauthorised and unintended access.
MFA works on the premise of the following factors; Something you know, something you have, and something you are.
There are several types of MFA available for organisations to use to protect their data and customer information. The reason for this, is that layered security makes it harder for an attacker to gain access to your device or data.
Password-based MFA is a type 1 authentication, or 'something you know’, and requires users to enter a password and a second form of identification, such as a security question or a one-time code generated by the app itself. While this type of MFA is easy to implement and manage, it can be vulnerable to phishing attacks and password breaches.
Hardware-based MFA involves the use of a physical device, such as a USB key or smart card (type 2, or ‘Something you have'), to authenticate users. These keys are built with a secure element chip and support the FIDO2 standard, making them a strong option for organisations looking for an extra layer of security. However, it can be more costly and may require additional training and maintenance. It’s also the most likely to be abandoned in a non-mandatory environment as it relies on using the physical key each time the app or information is accessed. This can lead to fatigue of use.
Software-based MFA (type 2) uses an authenticator app to generate a one-time code that users must enter along with their password. This can also double as a managed password vault, and rolled out as part of a identity role-based app so that staff only have access to what they need. This type of MFA is easy to implement and manage, but on it's own it can be vulnerable to malware and device theft.
SMS-based MFA (also a type 2) sends a one-time code to the user's phone via text message. While this type of MFA is one of the easiest to use, it can be vulnerable to SIM swapping and other forms of mobile-based attacks. This type of MFA is most used with ecommerce stores, and low use web apps.
Biometric-based MFA uses the user's physical characteristics, such as their fingerprint or facial recognition, to authenticate their identity (type 3, ‘something you are’). This type of MFA is highly secure and convenient, but there have been reports of less robust apps or devices falling victim to the camera or fingerprint pad being high tolerance and therefore fooled by a photo or fingerprint transparency.
Choosing the right type of MFA depends on an organisation’s needs, budget, and user base. By implementing MFA, you can ensure that data and customer information is more secure and protected from unauthorised access.