Multi-factor authentication (MFA) is the process of verifying a user's identity with more than one independent authentication factor before granting access to a resource. Guarding resources with a single factor, traditionally a username and password, leaves them exposed to credential theft. Requiring additional factors makes a stolen password insufficient on its own and substantially reduces the likelihood of an account compromise.
MFA plays an integral role in identity and access management, helping organizations take a step closer to creating a Zero Trust security framework.
MFA works by verifying users with authentication factors in addition to their usernames and passwords. These factors fall into three classic categories: something they know (knowledge factor), something they have (possession factor), and something they are (inherence factor).
Knowledge factor: As the name suggests, the knowledge factor is information that only the authorized user should know. Some common examples are:
Security questions are not usually recommended, since their answers are often guessable or can be discovered from public records and social media.
Possession factor: Here, authentication is performed with something the user possesses, like a mobile phone, a physical token, or a smart card. For example, it could be a code generated by an app on the phone or communicated to the user through an automated call. Codes delivered over SMS or voice are weaker than app-generated or hardware-backed codes because they can be intercepted or redirected through SIM swapping; NIST SP 800-63B classifies them as restricted authenticators.
Inherence factor: The inherence factor verifies identity using the user's biometric characteristics. Biometrics are hard to share or steal remotely, but unlike a password they cannot be changed once compromised, so they are best combined with another factor rather than relied on alone. Common examples are:
In recent times, the location factor and the time factor have also been added to this list. The location factor checks that consecutive access attempts by a user do not come from locations too far apart to travel between in the elapsed time (often called impossible travel). The time factor checks when access is requested and challenges the user with additional authenticators if the request arrives at an unusual hour.
Related reading: A guide to authentication techniques
Securing resources with passwords alone does only the bare minimum to protect identities. Attackers have many ways to obtain or guess passwords, including brute-force and dictionary attacks, credential stuffing with passwords leaked from other breaches, and phishing, which is why additional layers of authentication are needed.
Users are often the weakest link in an organization's security chain. They may choose weak passwords, reuse passwords across multiple resources, store passwords in plain sight, or keep the same password for years. MFA limits the damage from these habits: even if an attacker obtains a user's password, they still cannot access protected resources without also satisfying the additional factors.
Privileged accounts, such as administrator or C-level executive accounts, are frequent targets. If an attacker obtains the credentials of one of these accounts, they gain access to the most important data and systems in the network, and the consequences can be irreversible. To reduce this risk, organizations must protect their high-risk accounts with additional layers of authentication.
Deploying MFA not only helps organizations fortify access but also helps them meet regulatory and standards requirements, such as the PCI DSS, the GDPR, NIST SP 800-63B, SOX, and HIPAA.
Related reading: MFA examples and use cases
Based on the number of authentication factors involved, MFA can be classified into:
Two-factor authentication (2FA) involves verifying a user's identity using two distinct authentication factors drawn from different categories (knowledge, possession, or inherence).
2FA vs. 2SV
Two-step verification (2SV), unlike 2FA, uses two authenticators that are not from separate categories. For example, if a user must enter a password (knowledge factor) followed by a PIN (also a knowledge factor) to log in, this constitutes 2SV. However, if a password (knowledge factor) is followed by a facial scan (inheritance factor), it is considered 2FA. 2FA is generally regarded as more secure than 2SV.
Three-factor authentication (3FA) involves verifying a user's identity using three distinct authentication factors, one from each of the knowledge, possession, and inherence categories.
Related reading: MFA vs. 2FA vs. 2SV vs. 3FA : Which is right for you ?
| 2FA | MFA |
|---|---|
| Requires exactly two forms of verification from different factor categories (knowledge, possession, inherence). 2FA is a subset of MFA. E.g., entering a password and then confirming a code sent to a mobile device. | Requires two or more forms of verification from different factor categories (knowledge, possession, inherence). E.g., a password, a one-time code sent via SMS, and a fingerprint scan. |
Single-factor authentication (SFA) involves verifying a user's identity using a single authentication factor, which can be a knowledge, possession, or inherence factor.
Adaptive MFA, also known as risk-based authentication, varies the authentication factors required at each login according to a risk level computed from contextual information about the request, using rule-based or machine-learning risk engines. Contextual information includes the following:
The authentication factors presented to the user depend on the risk level calculated from these contextual signals. For instance, consider a user logging in to their work machine at an unusual hour while on vacation. The risk engine notices that both the location and the time of access deviate from the user's established baseline, and the user is automatically prompted for additional authentication factors to prove their identity.
When the contextual checks find no risk, the additional MFA prompt can be skipped for that login. Conversely, if the activity looks suspicious enough, the user can be denied access to the requested resource outright rather than merely challenged.
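The following is an added example of the risk-scoring logic described above, written for this page rather than taken from any vendor's product. It combines four of the contextual signals mentioned in this section (unrecognised device, off-hours access, consecutive logon failures, and impossible travel computed from geolocation and elapsed time) into a score and maps the score to allow, step-up, or deny. The weights, thresholds, coordinates, device names, and the 900 km/h plausible-travel speed are illustrative assumptions; a real deployment would tune them against its own login history.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    at: datetime                    # timezone-aware; .hour is read in that timezone
    lat: float
    lon: float
    device_id: str
    consecutive_failures: int = 0   # failed password attempts immediately before this one


@dataclass
class UserBaseline:
    known_devices: Set[str]
    last_login_at: Optional[datetime] = None
    last_lat: float = 0.0
    last_lon: float = 0.0
    work_hours: Tuple[int, int] = (8, 19)   # logins expected between 08:00 and 19:00


MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner cruising speed
MIN_TRAVEL_KM = 100.0             # ignore GeoIP jitter within one metro area


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(attempt: LoginAttempt, baseline: UserBaseline) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    if attempt.device_id not in baseline.known_devices:
        score += 30
        reasons.append("unrecognised device")
    start, end = baseline.work_hours
    if not start <= attempt.at.hour < end:
        score += 20
        reasons.append("outside usual hours")
    if attempt.consecutive_failures >= 3:
        score += 30
        reasons.append(f"{attempt.consecutive_failures} consecutive failed logons")
    if baseline.last_login_at is not None:
        km = haversine_km(baseline.last_lat, baseline.last_lon, attempt.lat, attempt.lon)
        hours = max((attempt.at - baseline.last_login_at).total_seconds() / 3600, 1 / 60)
        if km >= MIN_TRAVEL_KM and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to the three outcomes the text describes."""
    if score >= 80:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"


def evaluate(attempt: LoginAttempt, baseline: UserBaseline) -> Tuple[str, int, List[str]]:
    score, reasons = risk_score(attempt, baseline)
    return decide(score), score, reasons


def demo() -> List[str]:
    """Constructed scenarios: last seen in London at 10:00 UTC on a known laptop."""
    london = (51.5074, -0.1278)
    new_york = (40.7128, -74.0060)
    t = lambda h: datetime(2024, 3, 4, h, 0, tzinfo=timezone.utc)
    base = UserBaseline({"laptop-1"}, t(10), *london)
    attempts = [
        LoginAttempt("alice", t(11), *london, "laptop-1"),               # routine
        LoginAttempt("alice", t(22), *london, "phone-9"),                # new device, late night
        LoginAttempt("alice", t(11), *new_york, "phone-9"),              # new device + impossible travel
    ]
    return [evaluate(a, base)[0] for a in attempts]


if __name__ == "__main__":
    print(demo())
```

Note that the result of a step-up challenge should feed back into the baseline (for example, adding the device to `known_devices` once the user passes), otherwise the same user is re-prompted indefinitely.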
Related reading: What is step-up authentication?
Choosing the right MFA method involves evaluating security needs, user convenience, and implementation feasibility. Here are five key considerations for choosing the right MFA methods for your business:
Security requirements: The primary factor in selecting an MFA method is the level of security required to protect the data or systems in question. High-risk sectors like finance and healthcare need stronger, phishing-resistant MFA. Compliance with regulations (e.g., the GDPR, the PCI DSS) also shapes the choice. NIST SP 800-63B ties the permitted authenticator types to Authenticator Assurance Levels: AAL2 requires multi-factor authentication, and AAL3 additionally requires a hardware-based authenticator that resists verifier impersonation. MFA methods that best suit environments with high security requirements are:
User convenience: A smooth user experience is essential for successful MFA adoption. Complex or intrusive processes can deter users and compromise security. MFA methods that fit user workflows seamlessly through the use of smart phones, balancing security and usability, are:
Device availability and compatibility: It is essential to select an MFA solution compatible with various devices and platforms. In environments where users access multiple devices (e.g., desktops, smartphones, or tablets), the solution should offer a consistent experience. It must also support BYOD policies, enabling secure use of personal devices. Passcodes, biometrics, and TOTPs are methods that integrate seamlessly with existing systems and applications.
Environment and accessibility: Organizations must consider users' environments. Remote workers or those with limited internet access may need methods that work offline, such as TOTP apps like Microsoft Authenticator and Google Authenticator, which generate codes locally without a network connection; push-notification authenticators, by contrast, require the phone to be online. Accessibility is key, so consider options for users with disabilities. Fallback methods, such as backup codes, should be available for unexpected issues.
Cost and scalability: Budget is a key factor in choosing an MFA method. High security methods, like security keys and biometrics, can be expensive, while software-based MFA, like Microsoft Entra ID MFA and Duo Security, may involve ongoing subscription costs. Organizations need to ensure that the solution is scalable to accommodate future growth, including adding new users, devices, or systems over time without excessive costs or operational complexity.
Related reading: How authenticator apps enhance security
Learn more about the challenges of rolling out MFA and get tips on how to tackle them effectively.
Related reading: MFA best practices
ManageEngine ADSelfService Plus is an identity security solution for ensuring secure and seamless access to enterprise resources and establishing a Zero Trust environment. With capabilities such as adaptive MFA, single sign-on, workforce self-service, and password management and security, ADSelfService Plus provides your workforce secure yet easy access to resources.
ADSelfService Plus offers different types of robust MFA techniques to secure endpoints such as:
MFA stands for multi-factor authentication. It simply means verifying a user's identity using multiple authentication factors, apart from the traditional and less secure username and password authentication method. MFA can be used to guard user access to any type of resource in the network.
Signing in to your Gmail account from a new device is a good example of the MFA process. When you sign in to your Google account from a new device, you are asked to verify your identity, in addition to entering your password, either with a verification code sent to your email address or with a TOTP from an authenticator app. Once your identity is verified, you are logged in. This is the MFA verification process Google has enabled to secure user accounts.
MFA raises the bar against common yet effective attacks such as credential stuffing, dictionary attacks, brute-force attacks, phishing, and manipulator-in-the-middle attacks. One caveat: code-based factors (SMS, email, and TOTP codes) can still be relayed in real time by a phishing proxy that sits between the user and the genuine login page. Only phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys, whose credentials are cryptographically bound to the legitimate origin, defeat that class of attack.
Regularly changing passwords without using MFA does not stop attackers from stealing them; a password stolen through phishing, malware, or a breach elsewhere can be used until it is rotated. With MFA in place, a stolen password alone is not sufficient, because the attacker must also satisfy the remaining authentication factors to gain access to the resources.
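To make the phishing caveat concrete, the added example below (written for this page, not code from Google, ManageEngine, or any FIDO library) models the two flows side by side. A bearer code such as an SMS or email OTP is accepted by the server from whoever presents it in time, so a phishing proxy that forwards the victim's code succeeds. An origin-bound credential is scoped to the relying party's host: the browser only exercises it for that host, and the signed client data carries the origin the browser actually saw, which the server checks. The origins, usernames, and the use of an HMAC with a shared per-credential key as a stand-in for the authenticator's asymmetric signature are simplifying assumptions; the origin-binding logic is the part being demonstrated.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

REAL_ORIGIN = "https://login.example.com"            # constructed: the genuine identity provider
PHISH_ORIGIN = "https://login.example-support.net"   # constructed: attacker's look-alike site


class SmsOtpServer:
    """Bearer-code second factor: whoever presents the code within its window wins."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}

    def start(self, user: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        return code                      # in reality: delivered to the user's phone

    def finish(self, user: str, code: str) -> bool:
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class Authenticator:
    """Stand-in for a FIDO2 authenticator holding one credential scoped to an RP ID.
    Assumption: HMAC with a per-credential key replaces the real asymmetric signature."""

    def __init__(self, rp_id: str, key: bytes) -> None:
        self.rp_id = rp_id
        self.key = key

    def get_assertion(self, challenge: str, browser_origin: str) -> Optional[dict]:
        host = urlparse(browser_origin).hostname or ""
        # Client-side scoping: the credential is never exercised for a foreign host.
        if host != self.rp_id and not host.endswith("." + self.rp_id):
            return None
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "sig": sig}


class OriginBoundServer:
    """Relying party: fresh challenge per login, then checks challenge, origin, and signature."""

    def __init__(self, expected_origin: str, key: bytes) -> None:
        self.expected_origin = expected_origin
        self.key = key
        self.pending: Dict[str, str] = {}

    def start(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def finish(self, user: str, assertion: Optional[dict]) -> bool:
        challenge = self.pending.pop(user, None)
        if challenge is None or assertion is None:
            return False
        data = json.loads(assertion["client_data"])
        if data.get("challenge") != challenge or data.get("origin") != self.expected_origin:
            return False                 # stale challenge, or signed for the wrong origin
        expected_sig = hmac.new(self.key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected_sig, assertion["sig"])


def run_scenarios() -> Dict[str, bool]:
    key = secrets.token_bytes(32)
    results: Dict[str, bool] = {}

    # 1. OTP relayed through a phishing proxy: the victim types the genuine code
    #    into the attacker's page and the attacker forwards it to the real server.
    otp = SmsOtpServer()
    code_typed_by_victim = otp.start("alice")
    results["otp_relay"] = otp.finish("alice", code_typed_by_victim)

    # 2. Origin-bound credential, legitimate login from the real origin.
    server = OriginBoundServer(REAL_ORIGIN, key)
    authn = Authenticator("login.example.com", key)
    results["webauthn_legit"] = server.finish("alice", authn.get_assertion(server.start("alice"), REAL_ORIGIN))

    # 3. Same challenge relayed to the phishing page: the browser reports the phishing
    #    origin, the credential is not scoped to it, so no assertion is produced.
    results["webauthn_relay"] = server.finish("alice", authn.get_assertion(server.start("alice"), PHISH_ORIGIN))

    # 4. Attacker forges client data claiming the real origin: signature does not verify.
    forged = {"client_data": json.dumps({"challenge": server.start("alice"), "origin": REAL_ORIGIN}, sort_keys=True),
              "sig": "00" * 32}
    results["webauthn_forged"] = server.finish("alice", forged)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The practical takeaway for the FAQ above: MFA built on relayable codes stops password-only attacks, but the phishing and manipulator-in-the-middle claims only fully hold for origin-bound authenticators.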
Implementing MFA techniques in your business is highly recommended to improve security in your networks. The username and password method of authentication is outdated, as it cannot withstand today's advanced cyberattacks on its own. MFA secures your organizational resources and gives the right access to the right individuals. It helps create a Zero Trust environment within your business.
ADSelfService Plus single-handedly takes care of all your MFA needs with features like adaptive authentication, conditional access, and passwordless authentication. Start a free trial.
With MFA in place, your organization can meet various regulatory compliance standards, including the NIST SP 800-63B, the PCI DSS, SOX, and HIPAA.
Conditional access makes authentication decisions based on preconfigured conditions: users are prompted for additional authentication factors depending on whether certain conditions are met. For example, a user who requests access from a geolocation other than the configured expected location can be challenged with an additional factor before access is granted.
Adaptive MFA uses a risk engine, often machine-learning based, to calculate a risk level for each login from the user's contextual information, such as the number of consecutive logon failures, the physical location of the user requesting access, and the type of device used, and selects the authentication factors to present accordingly. Adaptive MFA is a key building block of a Zero Trust environment.