Auth & identity
January 10, 2022
Author: Julianna Lamb
MFA stands for multi-factor authentication. It’s a layered approach to confirming a user’s identity to ensure they have permission to access a protected website, application, network, or other digital system or perform a protected task within a digital system.
As its name suggests, MFA requires users to successfully present two or more identity credentials, called authentication factors, in order to gain clearance. This often (but not always) occurs at initial login; sometimes, the authentication factor prompts are dispersed throughout a digital experience.
As time passes, hackers only grow more sophisticated. Off-the-shelf tooling now lets them replay billions of username and password pairs leaked from earlier breaches against other sites (credential stuffing) and guess weak passwords at scale (password spraying and brute force) until a combination works on the system they are trying to breach.
Compounding the issue is the fact that users often select weak, obvious passwords and repeat them across multiple accounts, making it possible for hackers to breach multiple systems with one set of credentials.
As a result, passwords alone have been rendered insufficient as a means of protecting sensitive online data. In fact, 81% of hacking-related breaches involve weak or stolen passwords (according to Verizon's 2017 Data Breach Investigations Report), and the Open Web Application Security Project (OWASP) now encourages all authentication flows to treat passwords as “pre-breached.”
MFA makes online systems more secure in light of this threat. By requiring users to verify their identity through multiple factors—not just a single password or password alternative—MFA makes unauthorized logins and fraudulent transactions less likely to occur. In turn, it has become a pillar of cybersecurity.
MFA works according to a principle of layered security. By asking users to provide additional forms of identification, it increases the likelihood that the user is who they claim to be, reducing overall risk.
Often, a user is prompted to present all of their credentials at initial login. A typical flow might have them submit a username and password, answer a security question, and then enter a one-time passcode sent to them by text or email. Note that the password and the security question are both knowledge factors, so that flow really exercises two factor categories (knowledge, plus possession of the phone or inbox), not three; an additional credential only adds real security when it comes from a different category. Once the user completes all steps, they have access to the entire application.
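The one-time passcode step in that flow is only as strong as the server-side handling around it. The following is an added example (not Stytch's code, and not from the original article) of what a server has to enforce for an SMS or email passcode to behave as a possession factor: a CSPRNG-generated code, a short lifetime, a small guess budget, single use, and a peppered digest in storage so a database leak alone does not expose live codes. The class name, the TTL of 300 seconds, and the five-attempt limit are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300      # assumed lifetime of a delivered code
MAX_ATTEMPTS = 5           # assumed guess budget before the code is voided


class OtpStore:
    """Server-side bookkeeping for one-time passcodes (hypothetical, in-memory)."""

    def __init__(self, pepper: bytes, now=time.time):
        # pepper: a server-side secret. A 6-digit code has only 10**6 possibilities,
        # so a plain hash could be brute-forced offline; keying the digest with a
        # pepper makes a leaked table useless without it.
        self._pepper = pepper
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._pending = {}  # user_id -> {"digest", "expires", "attempts"}

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        # secrets.randbelow draws from the OS CSPRNG; random.randint is not acceptable here.
        code = f"{secrets.randbelow(10**6):06d}"
        # Overwriting any earlier entry means only the newest code for a user is live.
        self._pending[user_id] = {
            "digest": self._digest(code),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # caller delivers it out of band (SMS/email); it must not be logged

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing pending: expired, already used, or never issued
        if self._now() > entry["expires"]:
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]  # void the code; an online guesser must start over
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(submitted))
        if ok:
            del self._pending[user_id]  # single use: a replayed code fails
        return ok
```

The guess budget is the control that actually matters for a six-digit code: without it, an attacker who can submit a few thousand requests per minute exhausts the space well inside a five-minute window. Note that none of this stops a user from typing a genuine code into a phishing page; that limitation is covered further down.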
The advantage of MFA isn’t just that it asks for more than one piece of identification; it’s that it also asks for identification of different types. The most common types of authentication factors employed by MFA are:
Knowledge-based factors include information that ideally only the user will know. These include factors like:
Of the three categories, knowledge-based authentication factors are generally the least secure: they can be guessed, reused from a breach of another site, or phished, which is why they should always be paired with a second or third factor from a different category.
Possession-based factors refer to something the user has or has access to instead of knows. These include factors like:
Inherence-based factors rely on biological traits unique to the user. You may also hear these referred to as biometrics or factors based on what you are. Examples of biometric factors include fingerprints, hand geometry, iris or retina recognition, voice recognition, and facial recognition.
In customer-facing authentication, biometrics are typically paired with cryptographic protocols such as WebAuthn, passkeys, and the other standards that have come out of the FIDO Alliance. In those protocols the biometric never leaves the device: it unlocks a device-bound private key, and the server only ever verifies a signature over its own challenge.
The main benefit of MFA is security: a multi-factor authentication process makes it considerably more difficult for hackers to breach a system than single-factor authentication does. That is a huge advantage, especially when you consider the exorbitant costs incurred by organizations and individuals affected by security violations.
One of the biggest drawbacks to MFA is in its effects on the user experience: in the process of making systems more secure, MFA can add some amount of friction to the system’s user experience. The good news is that can be mitigated by smart authentication design.
One way to avoid undue hassle and frustration is to employ a route-based approach, in which MFA is only introduced for certain actions or transactions online. Another is to eliminate passwords as a verification factor entirely, since remembering and entering passwords are their own source of friction.
Passwordless authentication methods are simpler and faster than passwords, making user retention more likely. They can easily be layered in a multi-factor approach, and they avoid the specific risks posed by weak, reused, and compromised passwords. Note, though, that email magic links and SMS passcodes can still be phished or intercepted, so “passwordless” on its own does not mean phishing-resistant.
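Two of the points above are easy to get wrong in an implementation: counting distinct factor categories rather than distinct credentials (a password plus a security question is still one category), and applying MFA per route rather than on every request. The following is an added example, not code from the article or from Stytch, of a small policy check that does both. The method names, the route table, and the freshness windows are illustrative assumptions; the rule that a sensitive route needs a second category and a recent authentication event is the point being demonstrated.

```python
import time
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Which category each login method belongs to (method names are illustrative).
METHOD_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,           # proves control of the phone number
    "email_magic_link": Category.POSSESSION,  # proves control of the inbox
    "totp_app": Category.POSSESSION,
    "security_key": Category.POSSESSION,
    "passkey": Category.POSSESSION,           # a local biometric only unlocks the device-bound key
    "device_biometric": Category.INHERENCE,
}

# Route-based policy (assumed): how many categories a route needs, and how recent the
# latest authentication event must be (seconds) before the user is asked to step up.
ROUTE_POLICY = {
    "/dashboard":         {"categories": 1, "max_age": 24 * 3600},
    "/settings/email":    {"categories": 2, "max_age": 10 * 60},
    "/payments/transfer": {"categories": 2, "max_age": 5 * 60},
}


def categories_of(events):
    """Distinct factor categories satisfied by a list of (method, unix_timestamp) events."""
    return {METHOD_CATEGORY[method] for method, _ in events}


def is_multi_factor(events) -> bool:
    # Password + security question is two credentials but one category, so it is not MFA.
    return len(categories_of(events)) >= 2


def access_decision(route: str, events, now=None) -> str:
    """Return "allow", "step_up" (another category or a fresher factor is needed),
    or "deny" for a route with no policy (fail closed)."""
    now = time.time() if now is None else now
    policy = ROUTE_POLICY.get(route)
    if policy is None:
        return "deny"
    if len(categories_of(events)) < policy["categories"]:
        return "step_up"
    newest = max(t for _, t in events)
    if now - newest > policy["max_age"]:
        return "step_up"  # factors are present but stale: re-prompt the second factor only
    return "allow"
```

Because the session keeps every event, a step-up on the transfer route re-prompts only for a fresh second factor; the user's password login earlier in the session still counts toward the category requirement, which is what keeps the friction confined to the sensitive action.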
MFA and 2FA are not fundamentally different. Two-factor authentication is just a subset of multi-factor authentication, which is an umbrella term for any authentication process that uses more than one verification factor.
In other words, all 2FA is MFA, but not all MFA is 2FA, because some applications of MFA use three or more factors.
This is a great question, as there are a few different terms that have overlapping or related meanings:
All three of these terms are important because they offer ways for companies to remove friction from MFA flows without compromising security, a key driver of conversion, adoption, and user engagement for any business model.
In short, no. There is virtually no authentication method or combination of methods that can guarantee 100% impenetrability from outside attacks. Just as authentication companies like Stytch are constantly innovating to improve our product, hackers are also constantly innovating to find new ways to compromise cybersecurity.
MFA is no exception: while more secure than single-factor authentication processes, secondary factors like one-time passcodes and email magic links can be phished or stolen by attackers who are willing to put in the time.
If phishing is a big concern for your product, consider integrating phishing-resistant (often called “unphishable”) methods into your MFA flow. YubiKeys and passkeys are possession factors, not inherence factors; what makes them resistant is that the FIDO/WebAuthn protocol binds every signature to the origin the browser actually visited and to a fresh server challenge, so a credential exercised on a look-alike site is useless on the real one. Device biometrics add an inherence check that gates use of the key, and are equally hard to steal remotely because the biometric template never leaves the device.
To learn more, you can check out our article about unphishable MFA.
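The origin binding described above is the whole reason a relayed passkey or security-key assertion fails where a relayed one-time passcode would succeed. The following is an added example, not code from the article or from Stytch and not a WebAuthn library, that models the exchange: the browser stamps the origin it loaded into the client data, the authenticator signs over that, and the relying party rejects any assertion whose origin or challenge does not match. Names (`Authenticator`, `RelyingParty`, the two origins) are hypothetical, and HMAC with a per-credential secret stands in for the authenticator's asymmetric signature so the example runs on the standard library alone; the checks the server performs are the same either way.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Stand-in for a security key or passkey (hypothetical). A real authenticator signs
    with an asymmetric private key; HMAC over a per-credential secret stands in here."""

    def __init__(self):
        self.credential_secret = secrets.token_bytes(32)

    def get_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        # The browser, not the page, fills in the origin it actually loaded. A phishing page
        # on a look-alike domain cannot make the browser write the real site's origin here.
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": b64url(challenge),
            "origin": browser_origin,
        }, sort_keys=True).encode()
        signature = hmac.new(self.credential_secret, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": signature}


class RelyingParty:
    """The real site's server side (hypothetical)."""

    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}  # user -> credential secret (a public key in real WebAuthn)
        self.pending = {}      # user -> outstanding challenge

    def register(self, user: str, authenticator: Authenticator):
        self.credentials[user] = authenticator.credential_secret

    def begin_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh per attempt, so a captured assertion cannot be replayed
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, assertion: dict) -> bool:
        challenge = self.pending.pop(user, None)  # consumed whatever the outcome
        if challenge is None or user not in self.credentials:
            return False
        try:
            client_data = json.loads(assertion["client_data"])
        except (KeyError, ValueError):
            return False
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("origin") != self.origin:
            return False  # produced on another site: phishing or relay
        if client_data.get("challenge") != b64url(challenge):
            return False  # stale or mismatched challenge
        expected = hmac.new(self.credentials[user], assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login(rp: RelyingParty, user: str, authenticator: Authenticator) -> bool:
    challenge = rp.begin_login(user)
    return rp.finish_login(user, authenticator.get_assertion(challenge, rp.origin))


def phishing_relay(rp: RelyingParty, user: str, authenticator: Authenticator, fake_origin: str) -> bool:
    # Adversary-in-the-middle: the phishing page fetches a real challenge from the relying
    # party and asks the victim's browser for an assertion. The browser stamps the phishing
    # origin into client_data, so relaying the result to the real site fails.
    challenge = rp.begin_login(user)
    stolen = authenticator.get_assertion(challenge, fake_origin)
    return rp.finish_login(user, stolen)
```

Contrast this with a six-digit passcode: the code carries no information about where the user typed it, so the same relay succeeds. That difference, not the presence of a fingerprint reader, is what separates phishing-resistant factors from the rest.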
Not exactly, though they are often mentioned together:
Put another way, zero trust is a guideline or model for how often or in what cases you authenticate, while multi-factor authentication refers to how that authentication is performed.
At Stytch, we highly advocate for designing your authentication flows around what introduces the least amount of friction to your users, while still keeping them secure. Determining that usually varies from business to business.
While we provide a more in-depth rundown of how to choose the right MFA flow in another article, any company can start by considering three main decisions:
Remember, when answering these, think about what kind of information is most at-risk or valuable that hackers might want to access, how much friction your users will tolerate, and at which junctures in their signup or login flow they’re most likely to tolerate that friction.
Looking for additional information on implementing secure, user-friendly, multi-factor authentication methods? Stytch has you covered. Sign up for a free account to get started, or talk to an auth expert today to discuss what MFA looks like for your product.