What Is MFA?
Multi-factor authentication (MFA) is a security measure that goes beyond a password to double- and triple-verify a user’s identity before they can access data.
What Does MFA Stand For?
Multi-Factor Authentication (MFA) is the practice of adding multiple unique authentication methods to user identity verification at login.
What Does 2FA Stand For?
Two-Factor Authentication (2FA) — The practice of adding a second unique authentication method to user identity verification at login
What Type of Security Is Multi-Factor Authentication?
Identity Security — An essential security control in today's digital world, identity security products are used to verify the user's identity and prevent use of stolen passwords / compromised credentials
Secure Access — The idea that anyone who accesses data is properly verified to ensure all logins are benevolent and safe
Zero Trust — A cybersecurity strategy framework that encourages users and organizations to take added security measures, assuming that nothing can be trusted without proper verification. Zero trust is often described by the mantra of “never trust, always verify”
What Does MFA Protect Against?
MFA is essential to access and endpoint security because it adds a layer of protection to a user or company’s data which effectively helps prevent stolen passwords, malware, phishing and ransomware attacks. With an effective MFA system in place, only the correct user will “hold the keys,” so to speak, keeping unauthorized access out.
Malware — A program or software that enters a system to access data or steal passwords with malicious intent
(e.g., credential or credit card number theft, exploitation of personal contact information, demands of ransom payment for data)
Phishing — A program or individual that disguises itself as a company or person to scam the user and gain malicious access to data
(e.g., a user receives a text message asking for a banking password. The message appears to come from their bank, but is actually a bad actor looking to steal credit card information)
Ransomware — A malware attack that successfully seizes personal or company data and then demands monetary payment (ransom) in exchange for the stolen data
Who Does MFA Protect?
MFA has changed internet safety and the way we access our accounts. A key player in the zero trust approach to security, MFA has been deemed one of the most effective and employable verification methods in personal, corporate and government settings alike.
Streamline Authentication for Users
Each and every digital user leaves behind a digital footprint full of personal data. Regardless of what data you handle on a day-to-day basis, you deserve to feel secure while you work, bank, go to school or do anything else online. MFA is a security control solution that is user-focused, meaning it starts with you.
Secure SMB Cybersecurity
Small businesses need to invest in MFA even if their company’s size deems them exempt from some of the heftier regulatory compliance mandates. As new statutes arise to protect SMB org’s from new hacker technologies, MFA is encouraged in more and more small businesses. Why? Simply put: it works! When securing an SMB, it is important to find an MFA solution that works easily and deploys quickly in unique settings and custom applications.
Cybersecurity for Enterprise Organizations
Data is foundational to the digital economy and therefore securing it is too. With a great workforce comes great responsibility, which is why MFA is usually legally required for everyone who works in an enterprise-level organization.
Where Is MFA Required?
Deciding which employees are entitled to various levels of access to data is not only a strategic decision, but also has legal implications. Hundreds of laws and cybersecurity entities, at the very least, strongly recommend multi-factor authentication for verification, including:
General Data Protection Regulations (GDPR), for all organizations that carry out business or handle sensitive data in the EU
System and Organization Controls 1-3 (SOC, SOC1, SOC2 & SOC3), for all organizations that carry out business or handle sensitive data in the US
The Federal Financial Institutions Examination Council (FFEIC), for all US financial organizations
Payment Card Industry Data Security Standard (PCI-DSS), for all US organizations that handle credit card transactions and the respective sensitive data
Family Educational Rights and Privacy Act (FERPA), for all US K-12 schools and higher education institutions
…and hundreds more. Cyber liability insurance providers almost always require that a policyholder has MFA and access control standards implemented as a baseline for coverage, also.
Which Industries Require MFA?
The short answer? MFA is integral to cybersecurity in every industry. Two-factor and multi-factor is an important component to data security and endpoint security for any company that works online.
- MFA for Retail Organizations
- MFA for Colleges and Universities
- MFA for Elementary, Middle and High Schools
- MFA for Financial Services
- MFA for Hospitals and Other Medical Practices
- MFA for Legal Offices and Firms
- MFA for Tech Companies
- MFA for the Federal Government
- MFA for State and Local Governments
How Does MFA Work?
When you are using a second authentication method in addition to your personal pin or passcode, for instance, you are authenticating with second-factor or two-factor authentication (2FA). When you add a third, fifth, sixth or any additional verification tool after that second factor, you’re using multi-factor authentication (MFA)!
Is MFA Different from 2FA?
MFA expands upon the 2FA concept by adding additional identity verification steps and therefore layers of security. The more additional factors you use to verify identity, the safer you, your device, your company and your data are! MFA>2FA
What Are the Best MFA Methods?
The best MFA methods are the methods that work best for the individual user. An ideal MFA provider will provide companies with the autonomy to customize their MFA, enabling them to employ two or more methods of their choice and, theoretically, their users’ choice too.
What Types of MFA & 2FA Are There?
Second- and multi-factor authentication methods come in many different forms including tokens like the Yubikey, biometrics like TouchID, to classic call-back verification and TOTP. Any authentication methods can be combined to strengthen your MFA.
What Are the Best MFA Methods?
The best MFA method is one that's user-focused. They fall into one or more of the following categories:
What the user knows
What the user has
Who the user is
Where the user is
What is Phishing-Proof MFA?
The Fido 2 Security Key has been deemed a phishing-resistant second- or multi-factor (2FA or MFA) solution because the tool will, physically, remain in a user's possession. It then uses biometrics or another secondary authentication method to verify identity.
Is Time-Based One-Time Passcodes (TOTP) MFA?
In somewhat of a gray area of categorization are SMS and callback codes and TOTP. While they are indeed knowledge-based, arguments have been made to categorize them as possession-based tools because they are allocated from a third party to the user. They are sometimes even considered to be in a category of their own (Mobile Phone-Based authentication). Regardless of the category(ies) they do or don’t fall into, SMS and phone call TOTPs are more secure than other knowledge-based tools because they maintain a very short window for possible compromises. That said, TOTPs are often exploited in successful phishing attacks like Craigslist scams.
Knowledge-Based MFA
What the User Knows
Knowledge-based MFA tools are based on the memorized information you hold in your mind such as your password or a personal pin number.
Examples:
Application or web passwords
Smartphone passcodes, pins or pattern lock tools
Security questions (e.g., “What is your first pet’s name?” or “What is your mother’s maiden name?”)
Pros:
Inexpensive
Typically, this is the most customizable method for an individual user
Users can select information or sequences that they are confident no one will guess, giving them more control over their authentication
There are essentially endless possibilities in sequences of letters and numbers
Easy to change
Cons:
A user may become frustrated if they forget their information
If written down or stored in an insecure place, they can be stolen
Personal data can legally and somewhat easily be found in public directories like government birth records, social media, etc.
Susceptible to phishing scams
Possession/Physical MFA
What the User Has
Possession-based MFA tools are physical things you carry with you to verify identity.
Examples:
Tokens/Fobs
Access control smartphone applications like Duo Push
Bank cards or government IDs
FIDO 2 security keys
.jpg)
Pros:
Wide range of price; can be as expensive and robust or as inexpensive and cost effective as you'd like
You can carry them with you physically, so some methods are theoretically immune to phishing attacks
One of the safest methods
-1661952639.jpg)
Cons:
They are typically small and difficult for some users to keep track of
Can become damaged if not properly stored or care for
In the case of cheaper hardware tools, they can sometimes be defective or poorly built
Some tools can be difficult or expensive to replace
Inherent MFA Tools
Who the User Is
An inherent MFA tool does not require knowledge or physical keys, but instead employs a user’s inherent being. This type of verification works by use of a bridge between the physical trait (fingerprint, face, etc.) and the hardware to software network tool such as artificial intelligence (AI).
Examples:
Fingerprint scanners like TouchID
Iris scanners
Voice recognition
Facial recognition
Pros:
One of the safest MFA methods
Difficult to lose, as they are part of a user’s physical self
The level of AI and/or algorithmic modeling required to replicate a human’s face for instance, in the case of facial recognition MFA, is beyond the scope of most bad actors’ abilities
Cons:
Robust hardware and software must exist behind every biometric authentication to ensure that the most unique details are captured to prevent people with similar features from passing each others’ authentication checks and to ensure that the tool is able to respond to human error-based variations
Fingerprints, faces, voices and eyes can become damaged, too
Location-Based MFA Tools
Where the User Is
If you’ve ever tried to use a friend’s streaming account at your house and been denied access, you’ve failed a location-based authentication check. A location-based MFA tool will evaluate whether or not a user is physically in the proper location or proper device.
Examples:
IP address
Geographic location
Pros:
Difficult for bad actors to replicate (e.g., a phishing attacker who may have stolen both a password and TOTP will almost certainly operate in a different location and on a different IP address)
Requires least amount of effort from user
Generally inexpensive
Cons:
Could impede user's privacy (e.g., they may be required to have their location tracked at all times, or they may not feel comfortable sharing IP address)
Network errors can make authentication difficult in certain situations
Which MFA Method Should I Use?
The best MFA methods are the methods that work best for the individual user. An ideal MFA provider will provide companies with the autonomy to customize their MFA, enabling them to employ two or more methods of their choice and, theoretically, their users’ choice too.
Your next step: experience Duo now with a free trial