These days, data leaks affecting millions of users seem to be making headlines on an almost monthly basis. Multi-factor authentication (MFA) is an effective tool that can prevent hackers armed with stolen user credentials from infiltrating protected online resources and causing damage. It works by making users verify their identity with at least one other factor before they can gain access. How exactly does MFA work? And how can providers make sure that their users see logging in with two or more factors as a positive step rather than an inconvenience? MFA authentication in combination with passwordless access is one solution.
Single-factor authentication remains the standard for many login processes. But the most commonly used technology in this case, whereby users identify themselves with a user name and password, suffers from a major disadvantage in terms of security: hackers need only this information to infiltrate supposedly secure online areas. To make things worse, many people take a very careless approach to their passwords. For example, easily hacked numerical sequences such as “12345678” or simple word and number combinations such as “hello123” are still widely used. With methods such as brute force or credential stuffing, hackers can easily uncover these types of user name and password combinations and are then free to do as they please – but only if the online resource in question is secured with just this single factor. If at least one additional factor is requested to verify a user’s identity as part of MFA, the cybercriminals’ efforts will be in vain. They can still use hacked data to break open one lock, so to speak, but without the second factor, they are still facing a locked door.
The identification factors of knowing, having and being
With MFA, users must combine at least two different authentication technologies. If only two different variants are combined, this is also known as two-factor authentication (2FA).
These authentication technologies are divided into three groups: having, knowing and being. In addition, a location or time can also be used as a verification characteristic, thus adding another factor.
But what’s behind the factors of having, knowing and being?
Having: Something that the user has, such as a bank card, a smartphone or a hardware token. Hardware tokens are used to generate a one-time passcode (OTP). Nowadays, this is usually done with an authenticator app installed on a smartphone, which generates the OTP.
Knowing: A password, the answer to a security question or a PIN – something that only the user knows. For this factor to be used for MFA, the information must be stored beforehand and correctly entered by the user during the login procedure.
Being: Something that the user is. This relates to biometric characteristics such as a fingerprint, an iris pattern or a face, which can be scanned using the technology available on most modern mobile devices.
The financial industry in particular uses the location (derived from the IP address) and the duration of use, compared with the user’s last or typical online session, as additional factors for identity verification.
Risk-based authentication and dispensing with passwords
It is important not to sacrifice user-friendliness in the pursuit of 2FA/MFA. As not every online operation needs the same level of security, the strength of the authentication solutions used should be based on risk. Put simply, while strong authentication is essential for financial transactions, it may not be necessary if a customer simply wants to check the status of an order.
Using passwordless authentication based on biometric processes such as face recognition as part of 2FA/MFA increases not only security but also user-friendliness. This in turn has a positive impact on the customer experience. Biometric procedures cost the user neither time nor effort. They also improve protection because insecure passwords are no longer necessary.
2FA and MFA systems are recommended for different applications: for instance, in electronic payment transactions, for accessing corporate networks, logging into cloud services and web-based applications or accessing physical high-security areas. In all of these scenarios, a combination of two or more identification factors effectively prevents identity theft.