A Guide to Multi-Factor Authentication Solutions

Written by
Calvin Hoenes

August 29, 2021

In a world where organisations are constantly at risk of losing their valuable data to clever pretenders, user authentication is vital. In password-based systems, users are authenticated when they present valid credentials (passwords) to the system.

But such “single-factor” authentication systems introduce massive risks into the enterprise. For instance, in 2020, over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials. Because a password only proves knowledge of a secret, not the identity of the person presenting it, a threat actor who obtains the credentials can simply impersonate an authorised user and access the system in their place. If such unauthorised or malicious users remain undetected, they can cause a great deal of damage over time.

To minimise their risk and protect themselves, organisations need more secure user authentication methods. They need multi-factor authentication solutions.

In this article, we’ll explore how these MFA solutions work, and how companies can implement MFA for stronger, multi-layered security. We also compare the risks of various authentication factors, the drawbacks of MFA solutions, and how passwordless authentication can overcome these shortcomings.

Anatomy of Multi-Factor Authentication Solutions

MFA or multi-factor authentication solutions are a departure from traditional password-only authentication solutions. As the name suggests, they require users to use multiple authentication factors to validate their identity before they can access a system.

Early multi-factor authentication solutions were two-factor authentication (2FA) solutions. But increasingly, MFA now includes at least three authentication factors or identity credentials:

  1. Knowledge or something the user “knows”: passwords, personal identification numbers (PINs), one-time passwords (OTPs), etc.
  2. Possession or something the user “has”: security tokens (hardware- or software-based), smart cards, smartphones, etc.
  3. Inherence or something the user “is”: the user’s unique biological traits, e.g. iris scans, fingerprints, voice prints, face prints, etc.

Why Multi-Factor Authentication Solutions Are Important to Security

The primary goal of multi-factor authentication solutions is to boost enterprise security, and make it difficult for unauthorised users to access a device, application or network. When used together, these factors strengthen the assurance that a user is really who they say they are. In other words, they increase the probability that the user or employee requesting access is genuine and authorised.

They also make it harder for a threat actor to break into the system, because even if they manage to compromise one factor (often, the password), they still have to defeat the other factors before they can gain access. Thus, such solutions reduce the likelihood of a successful cyber attack, and this is the primary reason why it’s important to have multi-factor authentication enabled by default.

Multi-Factor Authentication Solutions for Strong Customer Authentication: Regulatory Requirements

Increasingly, multi-factor authentication solutions are also considered vital to ensure strong customer authentication (SCA), especially in payment systems. For example, the EU’s Payment Services Directive (PSD2) regulatory technical standards (RTS) require all businesses involved in processing payments to implement multi-factor authentication solutions to protect the confidentiality and integrity of users’ payment transactions.

Apart from the PSD2 RTS for SCA, there are several other regulatory standards and guidelines that mandate (or recommend) the use of multi-factor authentication solutions:

- NIST SP 800-63B
- Payment Card Industry Data Security Standard (PCI DSS)
- ISO/IEC 27001 - Information Security Management Standard
- Defense Federal Acquisition Regulation Supplement (DFARS)
- ISO/IEC 29115 - Entity authentication assurance framework

Different Authentication Factors: Risk Comparison

Not all authentication factors are created equal. Some create more risks than others, and increase the organisation’s vulnerability to cyber attacks, data breaches, and even extortion attempts.

The IDEE IAM Risk Calculator is a simple and reliable way for organisations to compare the risks of different authentication factors and controls. The table below shows such a comparison for four common authentication set-ups:

| Control | Password | Social login | Passwordless SF | Passwordless MFA |
|---|---|---|---|---|
| How users are identified at registration | Email address w/ magic link verification | Social identity | Email address w/ magic link verification | Email address w/ magic link verification |
| Authenticator type | Password | Password | Authenticator device w/ user identity bound to the device | Authenticator device w/ user identity bound to the device |
| Authentication mechanism | Password | Social login | Passwordless SF | Passwordless MFA |
| Account management method | Self-service or Helpdesk | Dependent on social network | Self-service w/ strong identity proofing | Self-service w/ strong identity proofing |
| Other security measures | Access policies (regularly updated) | User consent | Trusted device w/ device binding | Trusted device w/ device binding |
| Risk level | VERY HIGH | VERY HIGH | MEDIUM | LOW |

To analyse your organisation’s risk using various authentication factors, explore IDEE’s IAM Risk Calculator here.

Drawbacks of Multi-factor Authentication Solutions

Multi-factor authentication solutions provide stronger security than single-factor/password-based solutions. However, they also come with certain drawbacks.

Many still use passwords as one authentication factor. Passwords can be easily compromised or stolen, increasing the risk to the enterprise. The possession factor, whether it’s an OTP token, key fob or access card, can be lost or stolen, which increases security risk and also burdens IT teams with replacement requests. These factors often add friction to the user experience as well. Biometric factors provide the strongest security. However, users (understandably) hesitate to use them due to privacy infringement concerns.

The best way to overcome these weaknesses is with passwordless zero-trust multi-factor authentication. Passwordless MFA does not rely on memorised secrets to validate or authenticate users. When used with a mobile authenticator, passwordless MFA that combines biometrics and possession offers very strong security. It is also convenient to deploy, since it only requires a user’s smartphone and no additional hardware. Moreover, since users are already familiar with their smartphones, passwordless MFA is also low-friction, and easy to use.
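The device-bound possession factor described above, as an added illustration that is not IDEE’s AuthN code: the server keeps only a public key per user (identity bound to the device), issues a one-time random challenge, and accepts the login only when the registered device signs that challenge, so there is no memorised secret to phish and a captured response cannot be replayed. Ed25519 keys and the names Server and Device are assumptions of this example; the local biometric check that would gate signing on a real mobile authenticator is outside the snippet.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server stores only a public key per user (the identity is bound to the device) and the
// outstanding one-time challenge, so a stolen user database yields no reusable credential.
type Server struct {
	devices    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Register binds a user identity to a device key; identity proofing happens before this step.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.devices[user] = pub }

// Challenge issues a fresh random nonce valid for one login; unknown users get one too (no enumeration).
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no secure randomness: refuse to issue a challenge
	}
	s.challenges[user] = nonce
	return nonce
}

// Verify accepts the login only if the outstanding nonce was signed by the registered
// device key. The nonce is consumed first, so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, issued := s.challenges[user]
	pub, registered := s.devices[user]
	delete(s.challenges, user)
	return issued && registered && ed25519.Verify(pub, nonce, sig)
}

// Device is the possession factor: the private key never leaves it and the user memorises nothing.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv}, pub
}

func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }
```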

Conclusion

Multi-factor authentication solutions are several steps ahead of traditional, password-based authentication systems. Organisations that are serious about their security should definitely consider implementing them sooner rather than later.
