What Is Multi-factor Authentication (MFA)?

Multi-Factor Authentication Introduction

As more businesses undergo digital transformation and the scope of the Internet continues to grow, data has become extremely valuable and increasingly at risk of breach. Providing comprehensive protection for that data (whether individual, corporate or customer) is no longer simply an afterthought on behalf of individuals but a large part of a cybersecurity team's job.

Today, a significant amount of time and resources are spent keeping monitoring, managing, and stopping cyberattacks that directly target sensitive data held by companies, and as the threats continue to grow and become more sophisticated, so too must the security measures used to protect it and ensure it cannot be easily accessed.

Multi-factor Authentication (MFA) is one method used to do this, confirming a user's identity by using a combination of two or more independent factors. These factors include something the user knows (a password or PIN), something the user has (a security token or a smartphone), or something unique to the user themselves (a fingerprint or facial recognition).

The goal of MFA is to provide an additional layer of security beyond a traditional username and password by requiring multiple forms of authentication. This makes it much more difficult for cybercriminals to gain unauthorized access to a user's account, as they would need to compromise multiple forms of authentication.

Why Is Multi-Factor Authentication Important?

Beyond making it more difficult for attackers to gain unauthorized access to user accounts, MFA is an increasingly important security measure in today's digital landscape, where sensitive personal and professional information is often stored online. In addition, MFA authentication is also essential for certain organizations to meet regulatory compliance standards.

One example of multi-factor authentication being used for compliance is with the Payment Card Industry Data Security Standard (PCI-DSS), which requires merchants to implement MFA for remote access to the cardholder data environment. The Health Insurance Portability and Accountability Act (HIPAA) is another area that requires covered entities to implement MFA for access to electronically protected health information (ePHI).

Similarly, Service Organizations (SOC) reporting frameworks, such as SOC 2, require MFA as part of the security controls, as it is a requirement to secure access to the system and to protect sensitive data.

How Does Multi-Factor Authentication Work?

Multi-factor authentication is defined as the use of two or more authentication methods to verify a user's identity, which is the key to how multi-factor authentication works. In practice, this means a strong username and password as the first factor combined with:

• a PIN or a security question
• a security token
• a smart card
• a phone
• hardware
• a key fob
• a fingerprint
• facial recognition
• other biometric data

When users attempt to log in to a system or application, they are first prompted to provide one form of identification, such as a password. Once this is verified, the user is asked to provide a second form of identification, such as a fingerprint or a code sent to their phone via SMS. Only once both forms of identification have been verified will the user be granted access to the system or application.

MFA makes it more difficult for unauthorized users to gain access to a system or application because even if an attacker could obtain a user's password, they would still need to have possession of the user's security token or phone to log in.

Benefits of Multi-Factor Authentication

Multi-factor authentication has numerous benefits over simpler username/password logins and generally speaking, does not significantly slow down logins, ensuring individuals are protected without impacting productivity. Below are the most common benefits of MFA:

• Increased security: Multi-factor authentication adds an additional layer of security to the login process, making it more difficult for attackers to gain unauthorized access.
• Protection against stolen credentials: Even if an attacker manages to obtain a user's password, they will still be unable to access the account without the second factor of authentication.
• Reduced risk of identity theft: With multi-factor authentication in place, the risk of identity theft is greatly reduced as the attacker would need both the password and the second form of authentication.
• Easy to use: Many multi-factor authentication methods are easy to use, such as using a code sent to your mobile phone or using a fingerprint or facial recognition.
• Compliance: Many regulations and industry standards, such as HIPAA, PCI DSS, and FFIEC, require multi-factor authentication for sensitive data.

Types of Multi-Factor Authentication

The types of multi-factor authentication can be broken down into three main categories: knowledge, possession, and inherence. They are as follows:

Knowledge

Knowledge-based multi-factor authentication is a type of authentication that requires the user to provide something they know, such as a password or PIN, in addition to their username or other identifying information. This is the most common form of MFA used today and provides a simple and effective way to add an extra layer of security to the login process.

Knowledge-based MFA examples usually include:

• Passwords: A common form of knowledge-based MFA is a password, which is a secret word or phrase that the user must enter to gain access to the system or application.
• Security Questions: Another form of knowledge-based MFA is security questions, which are questions that the user must answer correctly to gain access.
• One-Time Passcodes: A one-time passcode (OTP) is a unique code generated by the system or an authentication app and sent to the user's mobile device or email address. The user must enter this code to gain access.
• Personal Identification Number (PIN): A personal identification number (PIN) is a numeric code the user must enter to gain access.

Possession

Possession-based multi-factor authentication requires the user to provide something they have, such as a security token or a mobile device, in addition to their username or other identifying information.

Possession-based MFA examples include:

• Security Tokens: A security token is a physical device that generates a unique code or passcode that must be entered along with the password to gain access. These tokens can be in the form of a key fob, card, or mobile app.
• Mobile Device: A mobile device can also be used as a form of possession-based MFA. This can include receiving a one-time passcode via SMS or a push notification or using a mobile app with biometric authentication, such as facial recognition or fingerprint scanning.
• Smart Card: Smart card is a type of possession-based MFA that uses a card with a microprocessor or memory chip to store a unique identification number. Users must insert the card into a card reader or hold it close to a smart card reader to gain access.
• USB Key: USB key is a type of possession-based MFA that uses a small device, in the form of a USB key, that must be plugged into the computer before access is granted.

Inherence

This type of MFA authentication requires the user to provide something they are, such as a fingerprint or facial recognition, in addition to their username or other identifying information.

Inherence-based MFA examples include:

• Biometric Authentication: Biometric authentication uses unique biological characteristics of the user, such as fingerprints, facial recognition, iris scanning, or voice recognition, to verify their identity.
• Behavioral Biometrics: Behavioral biometrics use how a user interacts with the device, such as typing patterns, mouse movements, and swipes, to confirm their identity.
• Heartbeat Authentication: Heartbeat authentication uses electrical signals from the user's heart to confirm their identity.

MFA vs. 2FA vs. SSO

MFA security (Multi-Factor Authentication), 2FA (Two-Factor Authentication), and SSO (Single Sign-On) are all related but remain distinct from each other for a number of reasons with MFA being the overarching concept, 2FA a specific implementation of MFA which requires two forms of authentication and SSO a way to access multiple systems or application with one set of credentials after being authenticated. Each is listed in more detail below:

• MFA refers to a method of authentication where more than one form of authentication is required to access a system or application. This can include something the user knows (such as a password), something the user has (such as a security token or mobile device), or something the user is (such as a fingerprint or facial recognition).
• 2FA is a specific type of MFA that requires only two forms of authentication. This is the most common type of MFA used today.
• SSO (Single Sign-On) is a method of access control that allows a user to authenticate once and then gain access to multiple systems or applications without having to re-enter their credentials. SSO is often used in conjunction with MFA to provide an additional layer of security while also making the login process more convenient for the user

How to Implement Multi-Factor Authentication

Implementing multi-factor authentication within your organization requires several steps to ensure comprehensive coverage. Firstly, raising education and awareness of the need for MFA is important to ensure that all staff are on board and have the knowledge they need to navigate the new systems. Additionally, these MFA cybersecurity steps will allow your organization to integrate multi-factor authentication tool seamlessly:

• Assess the current security situation: Understand the current security measures in place, identify any potential vulnerabilities, and determine the level of protection required for the organization's sensitive data.
• Choose an MFA solution: Select an MFA solution that fits the organization's specific needs and budget. There are several options available, such as SMS or voice call-based MFA, TOTP, hardware tokens, biometric-based MFA, and risk-based MFA.
• Configure and test the solution: Set up the MFA solution according to the vendor's instructions. Test the solution to ensure it is working properly and that it integrates seamlessly with existing systems.
• Roll out the solution: Roll out the solution to the targeted systems and users. Provide training and support to ensure that users can use the new system effectively.
• Monitor and evaluate: Regularly monitor the system's performance and evaluate the effectiveness of the MFA solution. Make any necessary adjustments to improve the overall security posture of the organization.
• Continuously update and improve: MFA is not a one-time implementation. Keep up with the latest security trends and adjust your solution accordingly. Continuously improve the solution to stay ahead of new threats.

Conclusion: Multi-Factor Authentication

Multi-factor Authentication (MFA) is a powerful tool for increasing the security of an organization. It adds an additional layer of protection by requiring users to provide multiple forms of verification before being granted access to sensitive systems and data.

However, it is important to remember that MFA is only one aspect of an overall security strategy, and it should be combined with other security measures such as exhaustive security awareness trainings, intrusion detection, access controls, incident response plans, and regular security audits to ensure the overall security of an organization.

For more information on what MFA means for your organization, how to implement it effectively, and how you can combine it with your existing cybersecurity practices, contact Mimecast today or explore our blog for more insights into the latest cybersecurity trends.