What is MFA (Multi-Factor Authentication)?

MFA stands for multi-factor authentication. It’s a layered approach to confirming a user’s identity to ensure they have permission to access a protected website, application, network, or other digital system or perform a protected task within a digital system.

As its name suggests, MFA requires users to successfully present two or more identity credentials, called factors, in order to gain clearance. This often (but not always) occurs at initial login; sometimes, the authentication factor prompts are dispersed throughout a digital experience.

Why is MFA important?

As time passes, hackers only grow more sophisticated. They now have at their disposal advanced tools that allow them to generate and test username and password combinations until they arrive at the correct permutation and gain access to the system they are trying to breach. 

Compounding the issue is the fact that users often select weak, obvious passwords and repeat them across multiple accounts, making it possible for hackers to breach multiple systems with one set of credentials. 

As a result, passwords alone have been rendered insufficient as a means of protecting sensitive online data. In fact, 81% of all data breaches can be traced to weak or stolen passwords, and the Open Web Application Security Standard (OWASP) now encourages all authentication flows to treat passwords as “pre-breached.”

MFA makes online systems more secure in light of this threat. By requiring users to verify their identity through multiple factors—not just a single password or password alternative—MFA makes unauthorized logins and fraudulent transactions less likely to occur. In turn, it has become a pillar of cybersecurity.

How does MFA work?

MFA works according to a principle of layered security. By asking users to provide additional forms of identification, it increases the likelihood that the user is who they claim to be, reducing overall risk. 

Often, a user is prompted to present all of their credentials at initial login. A typical security protocol might have them submit their username and password (factor 1) and answer a security question (factor 2) before asking them to enter a one-time passcode sent to them by text or email (factor 3). Once the user completes all steps, they have access to the entire application.

MFA can also be implemented according to a route-based (aka just-in-time) approach. In this scenario, users present one credential at login to gain initial access and perform basic functions like checking an account balance or viewing a completed order. They are only required to provide additional authentication information when they want to access particularly sensitive data or perform a particularly sensitive task within an application they already have access to (e.g., move money between accounts, make a purchase, etc.). 

This approach is considered more user-friendly because it doesn’t ask users who are only looking to pursue relatively low-risk functions to go through the friction of performing multiple security checks. 

Types of MFA factors

The advantage of MFA isn’t just that it asks for more than one piece of identification; it’s that it also asks for identification of different types. The most common types of factors employed by multi-factor authentication are:

  • Knowledge-based (things a user knows)
  • Possession-based (things a user has)
  • Inherence-based (things a user is)

Knowledge-based factors include identifying information like usernames and passwords, PINs, and answers to personal security questions (e.g., What street did you grow up on?). 

Possession-based factors include hardware and software security tokens (e.g., a digital certificate or a fob or badge with an embedded chip) as well as a host of mobile-friendly solutions:

  • Magic links, which let users instantly log in via a URL sent to a pre-registered email address
  • SMS one-time passcodes (OTPs), which ask users to enter a unique numeric or alphanumeric sequence sent by text to a recognized mobile phone number
  • Time-based one-time passcodes (TOTPs), which ask users to confirm control of their device within a certain time frame via a passcode generated by a smartphone app like Google Authenticator
  • Push authentication, which sends notifications to an app on users’ devices, asking them to approve or reject a login attempt

Inherence-based factors rely on biological traits unique to the user and can include biometric authentication methods like fingerprinting, iris scans, and face and voice recognition technology. WebAuthn is one example of an inherence-based authentication solution.

MFA vs two-factor authentication (2FA)

MFA and 2FA are not fundamentally different. Two-factor authentication is just a subset of multi-factor authentication, which is an umbrella term for any authentication that uses more than one verification factor to authenticate a user’s identity. 

In other words, all two-factor authentication is multi-factor authentication, but not all multi-factor authentication is two-factor authentication, because some applications of MFA use three or more factors.

MFA pros and cons

Multi-factor authentication makes it considerably more difficult for hackers to breach a system than single-factor authentication. That’s a huge advantage, especially when you consider the exorbitant costs incurred by organizations and individuals affected by security violations. 

In the process of making systems more secure, MFA can add some amount of friction to the system’s user experience, but that can be mitigated by smart authentication design. 

One way to avoid undue hassle and frustration is to employ a route-based, just-in-time approach, as discussed above. Another is to eliminate passwords as a verification factor entirely, since remembering and entering passwords are their own source of friction.

Passwordless authentication methods are simpler and faster than passwords, making user retention more likely. And because they can easily be layered in a multi-factor approach and avoid the security risks posed by weak and compromised passwords, they are inherently more secure.

Explore passwordless, multi-factor authentication solutions

Looking for additional information on implementing secure, user-friendly, multi-factor authentication methods? Stytch has you covered. Sign up for a free account to get started, or contact support@stytch.com to discuss all things auth.