
What is MFA?


This blog was originally published in 2021 and has been updated in 2024.  

What is MFA?

Multi-factor Authentication (MFA) is an authentication method that requires users to provide two or more verification factors to gain access to a resource such as an online account or an application. This means that a username and password alone will not be enough to log in to your resources and services.

MFA is also known as 2-step verification and 2-factor authentication, although MFA specifically can include more than two methods of authentication for extra security.

Examples of MFA methods include: 

  • One-time passcodes 
  • Biometrics such as fingerprint or facial recognition 
  • Security questions 
  • Verification links sent via emails or text messages 
  • Phone calls for voice verification 
  • Physical hardware token devices e.g. bank card reader 

Not all MFA methods are created equal, however; some are proving to be more secure than others. The NCSC recommends MFA methods that use the FIDO2 security standard, such as biometrics, because they are more phishing-resistant than other methods.

 

How does MFA work?  

When you log in to a service or website, you will first enter your username and password. Once these have been entered successfully, you have made it past the first stage.

This next step is where MFA kicks in. It will ask you for some further info to prove it is really you trying to log in, and not someone pretending to be you. This second piece of info will be something that would be much harder for an imposter to access or guess. For example, it could be a one-time passcode which is sent to your mobile phone.  The multiple factors are verified separately to enhance security against unauthorised access.  

Once satisfied with your authentication answers, the service will let you in.  

 

What categories of information can MFA ask for?  

Most MFA authentication methods require users to provide multiple credentials from different categories: 

Knowledge - Something you know, such as a password or PIN.  

Possession - Something you have, such as a mobile phone which can include a one-time passcode sent to the device.  

Inherence - Something that is part of you. This includes fingerprints, voice recognition, facial recognition or a retina scan.  

 

I'm using a strong password. Do I need to use MFA?

A username and password have always been the most common method of authentication, but in recent years it has become apparent that this is not secure enough. You may have noticed that over the years different sites and providers have started to demand more complex and lengthy passwords, as part of their authentication policy. This is to make them harder for malicious parties to guess.  

Many sites which deal with finances, such as online banking sites, have already been using MFA for years. When you try to log in to your banking app, it will ask for a security code from a text message or a fingerprint scan.

Whilst strong passwords are sensible, passwords are increasingly vulnerable to modern cyberattacks and it’s thought that eventually passwords will be phased out entirely as MFA becomes more widespread.

Implementing MFA reduces cybersecurity risks and limits the consequences if a password is stolen. Without MFA, a threat actor can use a password to take over a victim’s accounts (multiple accounts if the same password is reused), commit fraud and steal sensitive information.

For both individuals and organisations, this type of cyber-attack can have devastating financial, reputational, and legal consequences. 

 

What is phishing-resistant MFA? 

Phishing-resistant MFA refers to the more secure methods of MFA. It is needed because attackers can bypass vulnerable MFA types (e.g. text message-based MFA) by intercepting codes or tricking victims into providing them.

Threat actors use phishing websites or social engineering tactics to capture credentials and website session tokens, then log in as the victim.  

Phishing-resistant methods, like FIDO2, prevent this by using cryptographic keys tied to specific sites which means the attackers can't reuse the credentials, even if the victim is tricked into revealing them.  
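
The difference can be seen in a small simulation, added here as an illustration and not taken from any vendor's code: a one-time code is accepted wherever it was typed, while a response tied to the site fails when it comes from a lookalike page. The site names and all class and function names are made up for the example, and an HMAC stands in for the public-key signature a real FIDO2 authenticator would produce.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"         # constructed site names
PHISH_ORIGIN = "https://bank-login.example"  # lookalike page (constructed)

def sign(key, origin, challenge):
    # HMAC stand-in for the authenticator's private-key signature.
    return hmac.new(key, origin.encode() + b"\0" + challenge, hashlib.sha256).digest()

class Authenticator:
    """Holds one secret per registered site, chosen by the origin of the page."""
    def __init__(self):
        self.keys = {}

    def register(self, origin):
        self.keys[origin] = secrets.token_bytes(32)
        return self.keys[origin]

    def get_assertion(self, page_origin, challenge):
        key = self.keys.get(page_origin)
        if key is None:
            return None  # no credential for this site, so nothing to hand over
        return page_origin, sign(key, page_origin, challenge)

class Server:
    """The genuine site: accepts an OTP or an origin-bound assertion."""
    def __init__(self, origin, key):
        self.origin, self.key = origin, key
        self.challenge = secrets.token_bytes(16)
        self.otp = f"{secrets.randbelow(10**6):06d}"  # code texted to the user

    def check_otp(self, code):
        # A typed code says nothing about which page it was typed into.
        return hmac.compare_digest(code, self.otp)

    def check_assertion(self, origin, sig):
        expected = sign(self.key, self.origin, self.challenge)
        return origin == self.origin and hmac.compare_digest(sig, expected)

def simulate(visited_origin):
    # The user signs in on visited_origin; whatever they supply reaches the real site.
    auth = Authenticator()
    server = Server(REAL_ORIGIN, auth.register(REAL_ORIGIN))
    otp_ok = server.check_otp(server.otp)
    assertion = auth.get_assertion(visited_origin, server.challenge)
    fido_ok = assertion is not None and server.check_assertion(*assertion)
    return {"otp_accepted": otp_ok, "fido_accepted": fido_ok}
```

Calling simulate(REAL_ORIGIN) and simulate(PHISH_ORIGIN) gives the same result for the one-time code in both cases, but the site-bound response is accepted only when the user is on the genuine site.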

 
 

Why is MFA being used more now? 

Computers are being used in virtually every profession these days. Sensitive information which would previously have been stored in record books or physical folders and lockable boxes is now being stored electronically. This means the contents of your online accounts could be extremely valuable to you and your business, and hackers know this. Adding the extra layer of security provided by MFA is enough to be the difference between your sensitive data being safe or being compromised.

With the recent surge of cloud computing, MFA has become even more vital. As organisations move their systems and data to the cloud, they can no longer rely on their users being physically connected to the same network as their systems, as a security factor. This means additional layers of security are required to ensure only their trusted users can access these systems. As these users have the potential to access the company's systems from anywhere and at any time, MFA can help ensure that these users are who they claim to be, and not suspicious actors.  

Data breaches are also becoming more frequent. Hackers have been able to gain access to thousands of username and password records from some high-profile organisations and have then sold them on via the ‘black market’. If your details have been included in one of these data breaches, your username and password may already be in the wrong hands, through no fault of your own. Adding an extra layer of security via MFA could stop this login info from being used against you.

See the below short video for an example of using MFA in the workplace: 

 

 

With the number of phishing emails, suspicious websites, and data breaches that exist today, it is easier than ever for third parties to get hold of users' passwords. This is why an extra layer of security is vital in order to protect sensitive data. MFA is the perfect solution here, as, when used correctly, it can make it virtually impossible for your data to fall into the wrong hands.

To learn more about the advantages of using MFA, contact Fuse Collaboration Services today. 

 

About the author

Fuse

Fuse is a Microsoft Partner, based in Northampton. We help organisations of all sizes to maximise IT efficiencies through the use of Microsoft cloud computing solutions.
