The main purpose of using multi-factor authentication (MFA) software is for increased security when users log in to accounts. Companies use this software to ensure only authorized users—such as employees, contractors, or customers have secure access to specific company accounts. This helps prevent both insider threats, such as unauthorized employees from accessing sensitive data, and external threats, like cybercriminals deploying phishing attacks for data breaches, from accessing restricted accounts.
MFA requires users to complete additional authentication steps to prove their identity prior to being granted access to applications, systems, or sensitive information. The software helps secure accounts by providing additional security using a layered, multi-step authentication approach. Generally, the first step to authenticate a user’s identity includes a standard username and password login process. After this initial login attempt, the second step might require users to enter a code provided by a software app on a mobile device, a hardware token like a key fob, or a code sent to a user via (SMS) text message, email, or phone call. Other authentication steps might include presenting a biometric like a fingerprint or a faceprint, or presenting other identifying signals like the user’s typical IP address, their device ID, or via behavioral factors verified by risk-based authentication (RBA) tools.
What Does MFA Stand For?
MFA stands for multi-factor authentication. It requires two or more different authentication factors. This software may also be referred to as two-factor authentication (2FA) or two-step verification when employing exactly two different authentication factors.
What are the factors of authentication?
MFA software requires users to authenticate with some or all of the following five factors:
Single-factor authentication: Single-factor authentication requires users to authenticate with something they know. The most common single-factor authentication is password-based authentication. This is considered insecure because many people use weak passwords or passwords that are easily compromised.
Two-factor authentication: Two-factor authentication requires users to authenticate with something they have. It requires users to provide the information they have, usually, a code provided by an authenticator app on their mobile devices, SMS or text message, software token (soft token), or hardware token (hard token). The code provided can be either an HMAC-based one-time password (HOTP) which does not expire until used, or a time-based one-time password (TOTP) that expires in 30 seconds.
Three-factor authentication: Three-factor authentication requires users to authenticate with what they are. It takes into account something unique to the user such as biometric factors. They can include fingerprint scans, finger geometry, palmprint or hand geometry scans, and facial recognition. Using biometrics for authentication is becoming increasingly common as biometric logins on mobile devices, including facial recognition software and fingerprint scanning capabilities, have gained in popularity among consumers. Other biometric authentication methods, such as ear shape recognition, voiceprints, retina scans, iris scans, DNA, odor identity, gait patterns, vein patterns, handwriting and signature analysis, and typing recognition, have not yet been widely commercialized for MFA purposes.
Four-factor authentication: Four-factor authentication requires users to authenticate with where they are and when. It considers a user’s geographic location and the time it took for them to get there. Usually, these authentication methods do not require a user to actively authenticate this information, instead, this runs in the background when determining a specific user’s authentication risk. Four-factor authentication verifies a user’s geolocation, which points to where they currently are and their geo-velocity, which is the reasonable amount of time it takes for a person to travel to a given location. For example, if a user authenticates with an MFA software provider in Chicago and 10 minutes later attempts to authenticate from Moscow, there is a security issue.
Five-factor authentication: Five-factor authentication requires users to authenticate with something they do. It relates to specific gestures or touch patterns that users generate. For example, using a touch-screen enabled with a relatively new OS, that supports the feature, users can create a picture password where they draw circles, straight lines, or tap an image to create a unique gesture password.
What Types of Multi-Factor Authentication (MFA) Software Exist?
There are several kinds of MFA software. In addition to standard MFA functionality, many companies are moving toward RBA software, also known as intelligent MFA, which uses risk monitoring to determine when to request users for authentication. The different types of authentication methods can include:
Mobile apps: A common way users prefer to authenticate is using MFA software’s mobile app.
Software token: Software tokens enable users to use MFA mobile apps including wearable devices. Using software tokens is considered more secure than using OTP via SMS, since these messages can be intercepted by hackers. Software tokens can be used when offline, making it convenient for end users who may not have access to the internet.
Push notifications: Push notifications make authentication simple for end users. A notification is sent to a user’s mobile device asking them to approve or deny the authentication request. Convenience is crucial for user adoption of MFA tools.
Hardware token: Hardware tokens are pieces of hardware users carry with them to authenticate their identity. Examples include OTP key fobs, USB devices, and smart cards. Common issues with hardware tokens include the hardware’s expense plus the added cost of replacements when users lose them.
One-time passwords (OTP) via SMS, voice, or email: Users who can’t use mobile apps on their phones can opt to use OTP sent to their mobile devices via SMS text message, voice call, or email. However, receiving authentication codes via SMS is considered one of the least secure ways to authenticate users.
Risk-based authentication (RBA) software: RBA, also known as intelligent or adaptive MFA, uses real-time information about end users to evaluate their risk and prompt them to authenticate when needed. RBA software analyzes IP addresses, devices, behaviors, and identities to set personalized authentication methods for each distinct user attempting to access the network.
Passwordless authentication: Passwordless authentication, also known as invisible authentication, relies on RBA factors such as location, IP address, and other user behaviors. Push notifications are considered passwordless authentication, as a user is not required to enter a code, but merely asked to accept or reject an authentication request.
Biometrics: Biometric authentication factors, such as facial and fingerprint recognition, are gaining popularity among consumers, and therefore, MFA software providers are beginning to support them. Currently, other biometric factors, such as iris scanning, are not available in MFA tools. One issue with using biometrics for authentication is that once they are compromised, they are compromised forever.
MFA as a service: Tying in with a company’s cloud-based directories, some MFA providers offer cloud-based MFA as a service solution. These often support multiple authentication methods including push notifications, software tokens, hardware tokens, online and offline authentication, and biometrics.
On-premises MFA: On-premises MFA solutions run on a company’s server. Many software vendors are phasing out these kinds of MFA solutions and pushing customers to cloud-based solutions.
Offline-available MFA: Users who need to authenticate, but do not have access to the internet, can use MFA solutions with offline support. For example, many federal employees work in controlled, secure environments and might not have access to the internet. Federal government civilian employees might use personal identity verification (PIV) cards to authenticate, while the Department of Defense employees authenticate using a common access card (CAC). For general civilians, they can authenticate offline using a mobile app with offline access to OTPs or one that uses a hardware-based U2F security key.
Enterprise solutions: Companies that manage MFA deployments to many users need robust solutions and will opt for software with administrator consoles, endpoint visibility, and connect with single sign-on (SSO) software.
