The password has been a staple of access control for decades. However, we can no longer rely on this form of single-factor authentication for robust cybersecurity. Multifactor authentication (MFA) was developed to further protect account access, resources, and data, and to prevent cyberattacks. This article shows how MFA is used to protect assets and to ensure compliance.

Why use multifactor authentication?

For many years, the “username and password” combination — known as single-factor authentication — was the default method for controlling access to resources. . Unfortunately, having only one user-verification factor gives cybercriminals only one control mechanism to target and overcome. To do this, they’ve developed several cyberattack techniques:

Phishing: Credential theft is often achieved through phishing — sending emails or other messages purporting to be from trustworthy companies, in order to trick people into revealing information such as passwords. This is the most popular cyberattack technique, according to IBM research.

Social engineering: This is a form of phishing in which cybercriminals psychologically manipulate people into willingly handing over passwords.

Spear phishing: This form of phishing targets specific individuals and is often used to steal password credentials from employees with wide-ranging access, such as administrators.

Brute force: According to Cybernews research, the most commonly used passwords in 2024 are:

1. 123456

2. 123456789

3. Qwerty

Brute force attacks are automated attempts to guess a password in order to access an application. With easy-to-guess passwords, brute force attacks become a serious threat to single-factor verification systems.

Credential stuffing: Attackers often use passwords stolen through phishing attacks or found via data breaches to attempt to access other applications.

Server compromise: Hackers also try to gain access to stored corporate passwords. If they are poorly secured, the attacker can get all of a company’s passwords.

Man-in-the-middle (MitM) attacks: Some attackers attempt to intercept usernames and passwords when they are submitted via a web browser. If the attempt is successful, the attacker then uses the credentials to log in.

Keylogging malware: Certain types of malware are used in stealth mode to detect when a password is entered on a device. The malware then captures the information and sends it to a hacker’s account for reuse.

Password recovery systems based on a single factor are highly vulnerable and often a target for attackers. Password-recovery systems are frequently a point of attack, as even passwordless authentication must have a robust recovery system in place.

Where does a multifactor authentication system fit in with identity management?

MFA is a strong security measure that addresses the issues inherent in single-factor authentication. In access management, MFA is used to request multiple verification methods whenever a person attempts to log in to an app or access a resource.

MFA has been criticized for providing a poor user experience — because, for example, after entering a first factor such as a password, the user must then enter another factor such as a one-time code sent to a mobile device. However, many identity management systems have strategies for improving user experience when using strong authentication. For example, rules allow a user to log in using MFA once and then apply device authorization. The next time the user logs in, the second factor won’t be requested. This rule can be granular and set authorization to a specific time, geolocation, and so on.

Instances where using multifactor authorization would have mitigated a breach

MFA adds layers of security to help prevent unauthorized access to online accounts. The two examples of cyberattacks shown below could have been prevented if an MFA system had been in place:

• In 2022, Uber suffered a serious breach via a social engineering attack. The attacker tricked an employee into handing over their password. This was then used to access the employee’s Slack account and several other internal systems.

• In 2023, 23andMe, a DNA testing company, suffered a massive public data breach affecting 6.9 million customers. Using a “credential stuffing” tactic, the attacker stole passwords from previous breaches and used them to log into accounts.

These breaches and other similar attacks could have been prevented if an additional authentication factor had been in place.

Multifactor authentication factors

MFA is based on a few types of secure authentication factors:

1. Something you know (knowledge): Such as a password, the answer to a question, or a personal identification number (PIN).

2. Something you have (possession): Such as a security code or token.

3. Something you are (inherence): Such as a biometric authentication or a behavioral characteristic.

Sometimes a fourth a authentication factor is included:

4. Somewhere you are (location): The geolocation of an individual logging in can be enforced as a factor in controlling access.

Examples of multifactor authentication methods

Multifactor authentication combines security and usability. The following examples show the different authentication methods used to apply multiple authentication factors.

Time-based one-time password (TOTP)

This is typically a six-digit code generated by, for instance, aMicrosoft or Google authenticator app that a user has on an approved device. The user enters the correct username and password, and then enters the code. The code works only for a limited amount of time, typically measured in seconds (this is configurable by the system).

SMS text message code

Like a TOTP, an SMS text code is generated once a username and password are successfully submitted. The SMS text code is sent to the phone registered with the account. The user then enters the code within a given timeframe to gain access to the account or resource.

Biometric

Biometric authentication, such as facial recognition, fingerprint scans, and behavioral biometrics are used on mobile devices to control access. Biometrics are increasingly used to access bank apps and other financial services. Often, a biometric is associated with a username and password, which can be used as part of the recovery system if the biometric fails for some reason.

Security questions

Another MFA method is the use of personal security questions set up during the registration of an account. Sometimes, a security question is used to perform phone verification when a customer calls a company, such as a bank.

Physical token

A physical security token such as a hardware key can be used to access an account or another network resource. The key is inserted into a computer’s USB port or sometimes tapped on a device to authenticate the user.

Is two-step verification the same as multifactor authentication?

Two-step verification, also known as two-factor authentication (2FA) is a subset of multifactor authentication (MFA). While MFA requires two or more authentication factors to validate access, 2FA requires two. In other words, 2FA is a form of MFA, but MFA is not a form of 2FA.

What is adaptive authentication?

Risk-based, adaptive authentication, or step-up authentication, is a type of access control that adapts to login risk levels. Rules determine the risk level, and additional authentication factors, or adaptive MFA, are employed under certain conditions. For example, if a person logs in from London and then two hours later attempts to log in from Moscow, the identity management system would request additional authentication factors. Similarly, risk-based authentication can be used to suppress authentication factors if the conditions are low risk — for example, access from a specific IP address.

What are the benefits of using multifactor authentication?

MFA is a layered approach to security that makes unauthorized access more difficult. By using MFA to protect digital resources, a company reduces the risk of many types of cyberattack. An MFA solution prevents phishing, account compromise, identity theft, ransomware infection, and data breaches.

Implementing multifactor authentication helps an organization meet data security regulations including HIPAA, SOC 2, PCI-DSS, SOX, and GLBA.

Single sign-on (SSO) and risk-based authentication are MFA techniques for improving usability and security. SSO is an authentication method that enhances usability while reducing risks associated with a single-factor authentication approach.

Google Workspace and 2FA

Productivity applications such as Google Workspace support the use of 2FA (also known as 2-step verification or 2SV). Two-factor authentication for Google Workspace can be set up by the user directly or enforced by the service administrator. Google Workspace 2FA can be used to ensure that a specific team uses security keys with certain apps.

The types of 2FA methods supported by Google Workspace are:

• Security keys (key fob)

• Google prompt, text message, or phone call

• Google Authenticator app

• Backup codes