Demo Passwordless Login
Contact us

Two-Factor Authentication vs. Multi-Factor Authentication

Oct 25, 2020
3 min.
Why a password is no longer enough. Here’s why the new gold standard for data security is 2FA and MFA.
Eva Strübin

About ten years ago, some of the biggest players in online communications started offering a new feature: two-factor authentication, or 2FA for short. Though this concept of added data protection dates back to the 1980s, it was slow to catch on with users. Primarily because it relied on cumbersome methods, like fingerprint scanners or other additional hardware.

But as more and more companies began to realize that a password didn’t offer sufficient protection for sensitive personal data, 2FA started gaining widespread traction. Now, with more business models dependent on data, companies are going one step further with multi-factor authentication. As a subset of MFA, 2FA is a dependable security measure. But, as its name suggests, MFA relies on multiple identification factors, which lends it an added level of protection.

Over the last couple of years, MFA has become increasingly more urgent with statistics on data breaches and identity theft raising awareness for a more robust means of data protection. The Breach Level Index published in 2018 offered a sobering look at how susceptible our data really is. In just the first half of that year, there were 945 data breaches resulting in over 3 billion breached files across all industries from healthcare to finance to education to government. And one of the primary causes of these data breaches: insufficient security of cloud-based assets. So, what can companies do to ensure customer data doesn’t fall into the wrong hands?

 

How 2FA and MFA protect our data and our identities

Most of us are already very familiar with 2FA and MFA. The Tech Giants have been implementing these security standards across their social media offerings, platform businesses, and streaming services for over a decade. The concept is simple: users are required to identify themselves through two or more means of authentication. This ensures access is limited to only authorized users.

Online platforms and financial institutions are among the staunchest implementers of MFA. This makes sense since they are responsible for protecting some of our most private information. Where have you already encountered MFA and 2FA?

  • When using services like ApplePay, our device (smartphone or smart watch) and either a password or biometric indicator (a fingerprint or face scan) confirm our identity to complete a payment process.
  • When logging onto online retailer and social media accounts, users who have activated 2FA and MFA are verified via push notifications, biometric indicators, or single-use codes sent to an email address or mobile device.
  • When making online bank payments, most banks now require a password and a single-use TAN provided to the customer via a mobile device.

 

What exactly are authentication factors?

We’ve already mentioned several authentication factors. Let’s break it down now by type:

  • Something you know: The most common of these is your account password. However, a single-use TAN or pin number provided via SMS or email by a service provider or company is also standard. Some companies even still opt for a pre-provided response to personal questions. Although given the prevalence of data breaches and the real threat they pose, most companies rely on more vigorous measures for securing our most private data than the name of our first dog.
  • Something you have: This refers to tangible devices like physical credit cards, smartphones, smart watches, and hardware tokens. They offer a near surefire way to verify a person’s identity when combined with a password.
  • Something you are: Though Hollywood and sci-fi may lead us to think otherwise, fingerprints, facial expressions, vein recognition, and iris scans are still hard to fake. Using a biometric indicator is becoming more prevalent as more and more devices are equipped with the technology to perform biometric scans. 
  • Somewhere you are: Using GPS or an IP address, companies can verify users based on their location. This method is only starting to emerge and is primarily used as an internal verification system for corporations and organizations to facilitate remote access to company systems.

 

Are there any disadvantages to MFA and 2FA?

Like every technological innovation, MFA and 2FA are not without drawbacks. For example, customers without more advanced mobile devices won’t be able to provide biometric identifiers. Also, there is plenty of room for error when typing in complicated passwords on mobile devices. This and the use of additional pin codes and long TAN numbers can diminish the customer experience.

However, features like push notifications that simply require the user to click on or swipe yes on a device screen can simplify 2FA and MFA. Also, replacing the need for biometric scans with QR code scans is a reliable and safe workaround.

Ultimately, the benefits far outweigh any potential disadvantages. Verifying a user’s identity before providing access to data is one of the simplest ways to prevent data breaches and identity theft. Obviously sacrificing comfort at the expense of security isn’t the answer. But not doing everything possible to protect critical data is also not an option. By finding the right combination of 2FA and MFA authentication factors, companies can cater their data security solutions to their specific target audience and strike the right balance between safety and customer-friendly usability.