Multi-factor Authentication (MFA) provides strong, reliable security against the rapidly-evolving cyberthreat landscape. MFA uses two or more authentication factors to verify a user’s identity before granting them access to a system or application.
But how do you set up MFA?
Read on to find out.
Set Up MFA with One-time Passwords (OTP)
Unlike single-factor authentication, which requires only a password, some two-step MFA systems ask for credentials plus an authentication code. This code is a one-time passcode generated by an authenticator application, such as Microsoft Authenticator or Google Authenticator, installed on the user’s smartphone. This two-step mechanism ensures that even if a bad actor obtains the user’s password, they still need to get through a second step to break into the account.
How to set up MFA with OTP
Step 1: Install the authenticator app
To set up MFA with OTP, every user must have an authenticator app installed on their device.
Step 2: Set up MFA
1. The user navigates to the app’s setup page using a computer browser, fills in their company-issued credentials, and signs in.
2. They open the authenticator app on their smartphone, and scan the QR code that appears in the browser. This will set up the app to begin generating OTP codes.
Step 3: Sign in with MFA
1. The next time they want to log into the app, the user fills in their company-issued credentials and opens the authenticator app to generate an OTP.
2. They enter this OTP into the system or app they need to access.
3. If they enter the correct OTP, they will be allowed access. Otherwise the system will deny them access.
An OTP can be used to log in only once and is usually valid for 30 seconds; any attempt to reuse the same code is rejected. The security gain is that an attacker must steal two credentials instead of one. OTPs can still be stolen, for example through a real-time (on-the-fly) phishing attack.
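As an added illustration, not code from the original article, here is a minimal Go implementation of the OTP scheme just described: the authenticator app computes RFC 6238 TOTP codes from the secret it received via the QR code, and the server verifies a code, tolerates one step of clock drift, and rejects any code for a time step it has already accepted. The `Verifier` type and its fields are assumptions for this example; the secret used in testing is the RFC 4226/6238 test secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp is RFC 4226 with 6 digits: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction modulo 10^6.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is RFC 6238 with the usual 30-second time step: the counter is the
// number of steps since the Unix epoch. This is what the authenticator app
// computes from the shared secret it scanned out of the QR code.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/30))
}

// Verifier is the server side (an assumed type for this example). It keeps the
// enrolled secret and the last time step at which a code was accepted, so an
// already-used code cannot be replayed.
type Verifier struct {
	secret   []byte
	lastStep int64
}

// Verify accepts the code for the current step or the previous one (to
// tolerate clock drift), but only if that step is newer than the last step
// already used, and compares in constant time.
func (v *Verifier) Verify(code string, unixTime int64) bool {
	step := unixTime / 30
	for _, s := range []int64{step, step - 1} {
		expected := []byte(hotp(v.secret, uint64(s)))
		if s > v.lastStep && hmac.Equal(expected, []byte(code)) {
			v.lastStep = s
			return true
		}
	}
	return false
}
```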
Set Up MFA with Security Keys (FIDO2)
A security key is a physical device that uses the FIDO2/WebAuthn authentication protocol for user authentication.
FIDO2/WebAuthn MFA requires users to have both a physical device and either something only they know (such as a PIN) or something they are (such as a fingerprint). It uses public-key cryptography, with a key pair consisting of a public and a private key. The private key never leaves the user’s security key at any time. The public key is sent to the system or application the user wants to access.
How to set up MFA with FIDO2
Step 1: Sign into the service using your password
Step 2: Choose the option to enable a security key (this must be supported by the service)
Step 3: Select your security key
Step 4: Provide a second factor such as a PIN or biometric. This is used to protect the private key
Step 5: The security key generates a cryptographic key pair
The security key now generates a cryptographic key pair. The private key is stored on the physical security key. The public key is sent to the web service, which registers it in its key database and associates it with the user’s account for authentication.
Step 6: User signs in to a service that supports FIDO2/WebAuthn
1. The user provides their account ID.
2. The service asks the user to verify their identity using their security key, which is unlocked based on some user action, e.g., providing a PIN or fingerprint.
3. The server verifies the user’s response with the corresponding public key. If the verification is successful, the user can access their account.
As you can see, FIDO2/WebAuthn provides more secure authentication than password-based authentication, especially because it requires a physical security key. However, the credentials stored on a security key cannot be recovered if the key is lost, so in most cases a password is still used as a fallback. This fallback remains the most vulnerable vector in FIDO2/WebAuthn deployments.
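As an added example, not code from the article or from any FIDO2 library, the following Go program models the registration and sign-in exchange of Steps 5 and 6 with Ed25519: the key pair is generated on the authenticator and only the public key is enrolled, each sign-in signs a fresh server challenge bound to the relying party ID after the PIN unlocks the key, and the server verifies with the stored public key and consumes the challenge. The `Authenticator` and `RelyingParty` types, the single-account simplification and the PIN check are assumptions for this illustration, not WebAuthn’s real message formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the security key (assumed type): the private key never leaves it, and the PIN gates every use.
type Authenticator struct {
	priv ed25519.PrivateKey
	pin  string
}
// NewAuthenticator is Step 5: the key pair is generated on the device itself.
func NewAuthenticator(pin string) *Authenticator {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv, pin: pin}
}
// signedData binds a signature to the relying party ID and the challenge, so an assertion for one site is useless to another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}
// Assert signs the challenge for the named relying party, but only once the PIN has unlocked the key.
func (a *Authenticator) Assert(pin, rpID string, challenge []byte) ([]byte, bool) {
	if pin != a.pin {
		return nil, false
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge)), true
}
// RelyingParty is the web service (assumed type), reduced to one account: its registered public key and outstanding challenge.
type RelyingParty struct {
	id        string
	pub       ed25519.PublicKey
	challenge []byte
}
// Enroll is registration: only the public half of the key pair leaves the device.
func (rp *RelyingParty) Enroll(a *Authenticator) { rp.pub = a.priv.Public().(ed25519.PublicKey) }
// Challenge issues a fresh random nonce for one sign-in attempt.
func (rp *RelyingParty) Challenge() []byte {
	rp.challenge = make([]byte, 32)
	rand.Read(rp.challenge)
	return rp.challenge
}
// Verify checks the signature with the stored public key and consumes the nonce, so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(sig []byte) bool {
	c := rp.challenge
	rp.challenge = nil
	return c != nil && rp.pub != nil && ed25519.Verify(rp.pub, signedData(rp.id, c), sig)
}
```

Real WebAuthn assertions also carry authenticator data and a signature counter; this example keeps only the challenge, the relying-party binding and the user-verification gate.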
Set Up Passwordless MFA such as IDEE AuthN
A passwordless MFA does not just provide a passwordless experience but eliminates passwords completely. An example of such an MFA is IDEE AuthN™. It eliminates passwords and credential databases, and thus removes all password-related threats such as phishing, keylogging and brute-force attacks, significantly increasing security. With built-in features like advanced Multi-Party Authorisation and secure identity proofing, it also simplifies auditing and compliance.
How to set up Passwordless MFA with IDEE AuthN
Step 1: Create an account on IDEE’s Zero Touch Portal
Step 2: Connect enterprise applications to AuthN as the identity provider
Connect any enterprise application to AuthN using existing standards such as SAML, OIDC, RADIUS and REST API.
Step 3: Install the AuthN app
Users install IDEE’s authenticator app (AuthN).
Step 4: Prove your identity via AuthN
Users securely prove their identity to enable authentication to connected services using strong passwordless MFA.
Step 5: Users sign in
Users sign in to connected services securely and conveniently via AuthN.
Important Considerations to Set Up MFA
Regardless of MFA type, these considerations are vital to ensure consistent, unbroken security:
• The device must be registered to establish trust from the root, and ensure its authenticity and trustworthiness
• The user’s identity must be bound to the device and the authentication app with explicit transitive trust to prevent identity theft
• Account recovery should be set up at the client (user) side
• Secure identity proofing must be done to ensure that only the real user can access the recovered data
• All authentication data should be sent via a secure authenticated channel
• The identity provider should not be able to store user authentication secrets
• Any new device should be authorised from an existing trusted user device
It’s easy to set up MFA – if you know what you’re looking for. For a reliable MFA solution that offers the perfect blend of strong authentication, dependable security and affordable cost, try passwordless MFA with IDEE AuthN.
About the Author
Proudly made in Germany, IDEE’s AuthN™ is a truly passwordless, zero-trust authentication and authorization service for today’s organisations. AuthN by default offers multi-factor authentication which is passwordless and is based on strong factors that balance security, usability and cost. To try next-gen passwordless authentication and authorisation, click here.