2FA, 3FA, MFA… What does it all mean?

Simply put, authentication is the act of proving you are who you say you are. To gain access to protected information, systems or locations, the user must prove their identity by providing specific access credentials.

The system asks: “Who are you? Prove it.” When the user successfully authenticates (and depending on the permissions associated with their account), the system allows them to perform specific actions, access specific information or specific physical locations.

Identification requires a user ID (e.g., a username). To prove their identity, users then provide a password or another authentication factor, which is then paired with the username. The combination may or may not result in the user gaining access to the system.

Multi-factor authentication (MFA) is the process in which the user must provide two or more pieces of evidence (i.e., factors) to a system or location, in order to be let in. MFA protects a system, location, or sensitive data from being accessed by an unauthorized user (and potential threat actor).

Types of authentication factors

There are several main categories of authentication factors:

Knowledge factors (something the user knows): E.g., a password, a passphrase, or a PIN. Security questions fall in this category but are no longer recognized as an acceptable authentication factor because the widespread use of social media made the answers easily obtainable to attackers.

Possession factors (something the user has): The user can verify their identity with an object in their possession, such as an access card, key fob, or another physical security token. MFA systems also consider a one-time password/code received by the user via SMS or authenticator app as a possession factor (a software token).

Inherence factors (something the user is or does in a particular way): This type of authentication factor is based on a biometric characteristic of the user – fingerprint, palm print, iris, face – or on how the user uniquely performs an action (e.g., their typing or vocal timbre and pattern).

In an MFA setup, if one factor can’t be provided or is incorrect, the user will not be given access!

Contextual information

Contextual information may also influence whether an authentication attempt will be successful. This information may not be an authentication factor by itself, but it may help authentication systems assess whether a login/access attempt is legitimate.

This information includes:

Location: The physical location of the user/device when they are logging in. For instance, if all employees are in the US and the login request comes from an unknown/unsanctioned location or network, the system may deny access based on that information (because it believes the authentication credentials and factors have been compromised).

Time: The specific timing of a login request may point to its potentially malicious nature. A system can be programed to deny login attempts outside of regular business hours, or to deny a login request seemingly made by the same user that logged in just moments before – if that second login request is apparently coming from another country.

What is 2FA?

Two-factor authentication (2FA) is an authentication setup that requires the user to provide two authentication factors to be granted access.

The withdrawal of money from an ATM is an example of 2FA in action: The user can withdraw money only with the correct combination of a bank card (possession factor) and PIN (knowledge factor).

Another example: The user wants to access an online account protected by 2FA. They need to provide the correct password (knowledge factor) and one-time password (possession factor) available only on the users’ device/smartphone (either sent via SMS or provided via an authentication app).

2FA is currently the most used MFA method, but as technology evolves and attackers come up with effective ways to bypass the protection it offers, businesses will have to implement 3FA, 4FA, etc.

What is 3FA?

Three-factor authentication (3FA) is a more secure authentication process that adds a third layer of protection to user accounts. It requires users to provide three distinct authentication factors.

For example: a password, a security card, and their fingerprint (to be scanned and compared to a previously created record). Or a PIN, an OTP password, and their voice (to be compared with a recorded audio file).

With 3FA in place, stolen passwords become much less of a problem.

3FA is usually deployed by businesses and organizations that require a high level of security, e.g., banks, government agencies, airports, hospitals, etc.

Why do we need multi-factor authentication?

The threat landscape is constantly evolving. Attackers have noticed that more individuals work remotely than ever before and that cloud-based solutions have become standard across different sectors. As a result, securing access to various systems and assets has become paramount.

Compromised user credentials represent one of the greatest risks to organizations. To better protect personal, commercial, and public resources from unauthorized access, employing multi-layered (multi-factor) authentication is becoming normal.

Traditional passwords are simply not enough anymore, especially since users often reuse the same weak passwords on different websites and services.

Advice for organizations and end users

Companies should:

  • Implement strong password management policies
  • Implement MFA, in combinations of factors that make sense for specific use cases and a specific user base
  • Use single sign-on (SSO). One login for multiple accounts reduces the overall attack surface and makes employees’ work easier
  • Implement passwordless authentication, if possible
  • Adopt a zero-trust approach to user authentication and validation

Since exceedingly strict and complex security measures often “encourage” users to violate official policies, it’s important to strike a good balance between security and usability.

End users, on the other hand, are advised to:

  • Use complex and unique passwords for various accounts, so that multiple accounts can’t be compromised after one of these sites or online services suffers a data breach
  • Check if any of their accounts appear in existing data breaches (e.g., on Have I Been Pwned?). If they do, they should change the compromised password to a complex and unique one
  • Use a password manager to generate strong passwords and store them securely
  • Enable MFA on accounts that allow it. They should opt for app-based OPTs or a FIDO security key if they suspect they might be specifically targeted by attackers
  • Use single sign-on (SSO) in concert with MFA, to reduce the risk of account compromise

This Help Net Security video brings attention to the importance of implementing multi-factor authentication, upgrading security awareness efforts to protect organizations’ and personal user accounts on different websites and services, and what are the best practices.

Don't miss