As Transmit Security explains (https://www.transmitsecurity.com/blog/what-is-mfa), multi-factor authentication (MFA) is a form of authentication in which the user is granted access to an application or online resource only after providing at least two pieces of evidence to verify their identity. These pieces of evidence are referred to as "factors." MFA reinforces knowledge-based authentication: in addition to knowing a secret such as a password, the user must also possess something (a device, a token) or be something (a biometric) before access to the platform is granted.
Knowledge-based authentication was the main method of verification before the onset of MFA. However, usernames and passwords on their own are comparatively easy to compromise, whether stolen from devices, leaked from online services, or guessed.
In addition, the account recovery methods in use, such as security questions, became easier to crack as social media usage increased and the answers became publicly discoverable. Most people also tend to choose guessable passwords such as their names, birth dates, or ID numbers, which are susceptible to social engineering.
When is MFA used in Identity Verification?
According to the NCSC password guidelines, organisations should add a layer of security by incorporating additional authentication factors. This additional factor can be provided by a cloud-based or internet-based service.
In most cases, the user is offered MFA as an option for added security. However, it becomes a mandatory requirement if the user is logging into the application from a device they have not used before or that is not on their list of trusted devices.
MFA is also routinely required for services where a compromise would have a high impact, such as online banking or access to medical records. Users also need to re-verify themselves when performing the highest-risk activities, such as changing a password or contact details, or transferring money online.
Other organisations prompt users for an extra authentication factor when they connect from a different part of the world, or from a different IP address range, than is normal for them.
Available Multifactor Authentication Factors
There are several choices of authentication factor depending on the service you are using and what resources are available to you. As noted above, single sign-on (SSO) with a password is usually the default method for most organisations unless one of the conditions described above applies. Organisations can add one or many of the factors below.
Using Another Piece of Knowledge as an Extra Factor
This method involves asking the user to provide additional information when they attempt to log in. The information is usually something the user knows or has provided in the past but that is not easy for a third party to guess.
For example, the application may ask users to answer a set of questions based on information they have provided, such as their date of birth, their middle name, or their school. In many cases, the user supplies the answers when setting up the factor. However, there are cases where the application generates questions from the data it already holds about the user.
On social media, users may be shown photographs of their friends or excerpts from their status updates and asked a few questions about them. This approach avoids exposing personal information that could be revealed to a possible attacker.
Using a Trusted Account as an Extra Factor
This is a technique where a code or token is sent to a phone number or email address registered to the user. The service sends the code once the user has entered their username and password. In other cases, the service may send a clickable link that authenticates the user without requiring any further input.
Some organisations make this easier for mobile users by enabling their apps to automatically detect codes sent to the device, so users do not have to copy the code into the application.
In other cases, the code is generated locally by a trusted app, as with Google Accounts. Sometimes the user simply needs to approve the login from within the trusted app.
Using a Physical Device as an Extra Factor
This method uses a physical device to prove that the user is the genuine owner of the account. Once the user enters their login credentials, they must also supply information that is available only from the security token, which means the user must have the device with them whenever they log in. Such token devices include FIDO Universal 2nd Factor (U2F) authenticators and bespoke devices such as RSA tokens and smartcards.