Multi-factor authentication checks multiple aspects of a person's identity before allowing them access to an application or database, instead of just checking one. It is much more secure than single-factor authentication.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
Multi-factor authentication, or MFA, is a way to verify user identity that is more secure than the classic username-password combination. MFA usually incorporates a password, but it also incorporates one or two additional authentication factors. Two-factor authentication (2FA) is a type of MFA.
MFA is an important part of identity and access management (IAM), and it is often implemented within single sign-on (SSO) solutions.
Before granting a user access to a software application or a network, identity verification systems assess the user for characteristics that are specific to them in order to make sure they are who they say they are. These characteristics are also known as "authentication factors."
The three most widely used authentication factors are:
MFA refers to any usage of two or more authentication factors. If only two authentication factors are used, MFA can also be referred to as two-factor authentication or two-step verification. Three-factor authentication is another form of MFA.
Single-factor authentication is the use of just one of the above factors to identify a person. Requiring a username and password combination is the most common example of single-factor authentication.
The problem with single-factor authentication is that an attacker only needs to successfully attack the user in one way in order to impersonate them. If someone steals the user's password, the user's account is compromised. By contrast, if the user implements MFA, an attacker needs more than a password to gain access to the account — for example, they will likely need to steal a physical item from the user as well, which is much more difficult.
This issue also applies to other forms of single-factor authentication. Imagine if banks only required the use of a debit card for withdrawing money — the possession factor — instead of requiring a card plus a PIN. In order to steal money from someone’s account, all a thief would need to do is steal their debit card.
It is important to keep in mind that it is the use of different factors that makes MFA secure, not multiple uses of the same factor.
Suppose one application prompts a user to enter a password only, while another application prompts a user to enter both a password and an answer to a security question. Which application is more secure?
Technically, the answer is neither: both applications are relying on one authentication factor alone, the knowledge factor. An application that requires a password and either a physical token or a fingerprint scan is more secure than an application that only requires a password and some security questions.
This is a highly contextual question. Generally, any form of multi-factor authentication will be much more secure than single-factor authentication.
With that said, certain forms of MFA have been shown to be vulnerable to sophisticated attack methods. In one real-world example, attackers sent employees SMS phishing messages pointing to fake login pages for the organization’s single-sign-on service. If a user entered their username and password into this fake page, the following steps took place:
By contrast, another way of verifying possession — a USB security token — would not be susceptible to this particular attack. If all users are given unique security tokens to plug into their computers, and must physically activate those tokens in order to authenticate, attackers in possession of someone’s username and password would not be able to access accounts unless they stole that person’s computer. The same could be said of verifying identity using inherent qualities, e.g. a user’s fingerprint or facial scan.
Does this mean security tokens and fingerprint scans are more secure than one-time passwords? In a phishing context, yes. But organizations should evaluate their specific security risks and needs before selecting an MFA method. And again, any form of MFA is more secure than single-factor authentication, and would represent an important step forward in an organization’s security journey.
Some members of the security industry have proposed or implemented additional authentication factors besides the three main ones listed above. Though rarely implemented, these authentication factors include the following:
Location: Where a user is at time of login. For instance, if a company is based in the US and all its employees work in the U.S., it could assess employee GPS location and reject a login from another country.
Time: When a user logs in, typically in context with their other logins and with their location. If a user appears to log in from one country, then attempts a subsequent login from another country several minutes later, those requests are not likely to be legitimate. A system might also reject login attempts outside of normal business hours — although this is more like a security policy than an identity authentication factor.
If these are both considered to be additional identity factors — which is up for debate — then four-factor authentication and five-factor authentication are technically possible. Both fall under the umbrella of multi-factor authentication.
Implementing such strong security measures must be weighed against the toll this takes on the user, since overly stringent security measures often incentivize users to circumvent official policies.
Many consumer web services offer MFA today. Most applications that do have MFA offer a form of 2FA that requires the user to use their smartphone when logging in. Explore the security settings in each application to see if it is possible to activate 2FA. In addition, Cloudflare allows all Cloudflare users to implement 2FA for their accounts.
Using an SSO solution is a recommended step for implementing MFA. SSO provides a single place for implementing MFA across all apps, whereas not all individual apps will support MFA.
Cloudflare Zero Trust integrates with SSO vendors who support 2FA. Cloudflare helps protect companies' websites and cloud applications by controlling what users are able to do and enforcing security policies for employees whether they work remotely or within controlled office environments.