MFA (Multi Factor Authentication) vs 2FA (2 Factor Authentication): What is the difference?
All 2FAs are MFA, but not all MFAs (Multi Factor Authentication) are 2FA.
When trying to find the best authentication solution, industry terminology can often be confusing, especially when it comes to two-factor authentication (2FA) versus multi-factor authentication (MFA). In this article we will compare the two in detail and discuss the differences.
MFA vs 2FA - What's the difference?
When I talk about authentication with others, I realize that many people confuse multi-factor authentication (MFA) with two-factor authentication (2FA). Let’s start with the obvious, the names themselves: “multi” means “many,” whereas “two” means exactly two, that is, “one more than one.”
MFA requires multiple different factors (at least two, possibly more), whereas 2FA requires exactly two different factors (no more, no fewer) to authenticate a user. Now, what exactly is considered a “factor”? The explanation is simple. The three main authentication factors are something you know, something you have, and something you are:
- Knowledge (e.g., a password or a PIN; something you know)
- Possession (e.g., a smart card, computer, smartphone, wearable, or a cryptographic device; something you have)
- Inherence (e.g., a fingerprint or facial ID; something you are)
According to NIST, multi factor authentication (MFA) is:
“A characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication.”
The key phrase is “more than one distinct authentication factor.” 2FA uses exactly two factors. Since MFA requires more than one factor and 2FA uses two, all 2FAs are MFA, but not all MFAs are 2FA.
Now let’s consider the different authenticators and how multi-factor authentication (MFA) and 2-factor authentication (2FA) can be achieved. Authenticators fall into one of two categories: multi factor (MF) authenticators and single factor (SF) authenticators.
Multi Factor vs. Single Factor Authenticators
Let’s first clarify the difference between the two terms “authenticator” and “authentication.” One is the device, the other the method.
- An “authenticator” is the device, token or piece of software used to perform the act of authentication. Examples include a security key, a hardware token, a USB device, or a cell phone, laptop or desktop. It could also be a one-time password (OTP) generator app. These are mostly something you have.
- “Authentication” is the process of validating that the user trying to authenticate is who they claim to be.
Here is an example: an employee plugs a security key into a computer to get access to an application. The security key is the authenticator.
Multi-factor (MF) authenticators are authenticators that require a second factor of authentication before authenticating a user. They require an independent factor such as a password (factor: knowledge) or a fingerprint (factor: inherence) to become usable.
The most obvious day-to-day example is when we unlock our cell phones. Most of us now use a fingerprint, Face ID or, at the very least, a PIN to access our phones. The phone is the authenticator, and on its own it is the first factor (factor: possession). The second factor is the fingerprint, the Face ID, or the PIN (factor: inherence or knowledge).
Single-factor (SF) authenticators are authenticators that do not require any second authentication factor to become usable (a hardware OTP token, for example).
According to NIST SP 800-63B, “multi-factor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors”. So, it is also possible to use more than one single-factor authenticator to achieve MFA.
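The counting rule above (distinct factors, not number of authenticators, and a single multi-factor authenticator can supply two) is easy to get wrong in practice. The following is an added example, not code from the article or from IDEE; the authenticator catalogue and names are constructed for illustration. It classifies a set of presented authenticators as single-factor, 2FA or MFA the way NIST SP 800-63B counts them, and shows that a password plus a security question is still one factor, while a phone unlocked with Face ID is two.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three authentication factors named in the article."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    """An authenticator and the factor(s) a user proves by using it.

    A single-factor authenticator contributes one factor. A multi-factor
    authenticator is itself something you have and only becomes usable after
    an independent second factor (PIN, fingerprint) unlocks it, so it
    contributes two.
    """
    name: str
    factors: frozenset


def sf(name, factor):
    """Single-factor authenticator (constructed helper)."""
    return Authenticator(name, frozenset({factor}))


def mf(name, unlock_factor):
    """Multi-factor authenticator: possession plus whatever unlocks it."""
    return Authenticator(name, frozenset({Factor.POSSESSION, unlock_factor}))


# Constructed catalogue of authenticators used in the examples below.
PASSWORD = sf("password", Factor.KNOWLEDGE)
SECURITY_QUESTION = sf("security question", Factor.KNOWLEDGE)
OTP_TOKEN = sf("hardware OTP token", Factor.POSSESSION)
PHONE_FACE_ID = mf("phone unlocked with Face ID", Factor.INHERENCE)
PIN_SECURITY_KEY = mf("PIN-protected security key", Factor.KNOWLEDGE)


def distinct_factors(authenticators):
    """Union of factors across everything the user presented. Two
    authenticators of the same kind add nothing: NIST counts distinct
    factors, not authenticators."""
    found = set()
    for a in authenticators:
        found |= a.factors
    return frozenset(found)


def classify(authenticators):
    """'SFA' (one factor), '2FA' (exactly two) or 'MFA(n)' for n >= 3."""
    n = len(distinct_factors(authenticators))
    if n <= 1:
        return "SFA"
    if n == 2:
        return "2FA"
    return f"MFA({n})"


def is_mfa(authenticators):
    """NIST's test: more than one distinct factor. Every '2FA' result is MFA."""
    return len(distinct_factors(authenticators)) > 1


if __name__ == "__main__":
    combos = (
        [PASSWORD],
        [PASSWORD, SECURITY_QUESTION],   # two authenticators, still one factor
        [PASSWORD, OTP_TOKEN],
        [PHONE_FACE_ID],                 # one multi-factor authenticator
        [PASSWORD, PIN_SECURITY_KEY],    # PIN and password are the same factor
        [PASSWORD, PHONE_FACE_ID],
    )
    for combo in combos:
        print(" + ".join(a.name for a in combo), "->", classify(combo))
```

The password-plus-PIN-protected-key case is the one most often miscounted: the key itself is multi-factor (possession plus knowledge), but the password adds no new factor, so the result is 2FA rather than three-factor MFA.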
Multiple Device MFA
What is safer? 2FA or MFA? And which one is the best?
So, this is where it gets interesting in terms of a comparison. As we have established, there are various ways to achieve both 2FA and MFA. No prizes for guessing which is the more secure of the two. It should be obvious that the more layers (more factors) the authentication solution requires, the more layers an attacker would need to defeat. Multi-factor authentication is more secure than 2FA, but let’s focus on the method itself. As usual, the trade-off between better security and user experience is always at the forefront of this discussion.
So, more factors equal more secure solutions, right? Yes. But what about user experience? You could ask users for five or six or seven authentication factors, but you may find this has a negative impact on productivity and becomes time-prohibitive in a real-life application. Make the process too cumbersome and employees will quickly disengage and look for hacky workarounds, rendering the implementation futile.
Let us consider the most widely adopted application of MFA today, and the method we are all most accustomed to: more than one single-factor authenticator used in conjunction to perform multi-factor authentication. For example, I want to log in to an online account. I enter my password on the webpage. Then a one-time passcode (OTP) is sent to my cell phone for me to enter on the webpage. This is multi-factor authentication, but using two devices often creates friction, and furthermore this method can still be intercepted and is easily defeated via tactics such as adversary-in-the-middle (AiTM) attacks. It also has the potential to be extremely expensive for organizations, as employees do not want to use their own handsets, so supplying and managing additional handsets (or tokens) for every employee quickly becomes untenable.
Thankfully, there is another way.
Single Device MFA
If you are selecting multi-factor authentication over 2FA, then the chances are you will also be looking for a solution that users will love (and that IT teams will love too). Single-device MFA can help.
With single-device MFA, the user’s existing device becomes the authenticator. If the goal is to give users secure and easy access to applications from their devices, with the utmost assurance that they are in control of the device at the time of access, then organizations should look towards solutions such as AuthN by IDEE.
AuthN by IDEE uses transitive trust and a zero-trust and zero knowledge security architecture that allows users to authenticate, simply by unlocking their device. This is what it looks like in practice:
- The user wants to access a trusted company resource, on a trusted, registered device.
- At login, the user is directed to simply unlock their device. AuthN trusts the device because it has already been registered and uses a cryptographic key stored in the device’s TPM chip to prove the identity of the user.
- The user is logged in, having proven they are in control of something they own (device), and something they are or know (fingerprint, face-ID, or PIN).
Login is simple. Furthermore, it goes one step beyond ensuring that the act of authentication is secure. It protects the entire identity lifecycle, for example, adding a new user, account recovery and off-boarding. Where many other solutions fall back to phishable factors such as passwords, AuthN by IDEE protects every step of the user identity lifecycle.
Transitive trust ensures that a transaction was carried out on a “trusted service” by a “trusted device” coupled to a “trusted user” and authorized under the “user’s total control.”
This makes AuthN by IDEE’s MFA solution architecture immune to credential phishing and all password-based attacks, including adversary-in-the-middle (AiTM). It also means that the traditional friction in the authentication process is removed, with passwordless single-device MFA. To find out more, please reach out for a free demo or free trial.
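The two mechanisms contrasted in this article (a one-time code typed in from a second device, and a device-held cryptographic key that proves control of the device) differ in one property that decides whether a relayed login succeeds: whether the proof is bound to the site the user is actually talking to. The following is an added example, not code from the article or from IDEE, and it does not describe AuthN’s own protocol; it shows the general origin-binding pattern used by FIDO/WebAuthn-style authenticators. It implements RFC 6238 TOTP for the OTP side and, on the device side, signs the server’s challenge together with the origin the device sees. HMAC stands in for the TPM-held asymmetric key only because the Python standard library has no public-key primitives; the origin names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import struct


# --- Shared-secret OTP (RFC 6238 TOTP: HMAC-SHA1, 30-second step, 6 digits) ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_otp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server only learns the six digits. Nothing in them records which
    web page the user typed them into, so any page that receives a fresh
    code can pass it on within the same time step."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# --- Device-bound, origin-bound challenge-response ---
def device_sign(device_key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """The device signs the server's challenge together with the origin it is
    actually connected to. HMAC stands in for an asymmetric signature here;
    the argument only needs the origin to be part of the signed message."""
    message = origin_seen.encode() + b"\x00" + challenge
    return hmac.new(device_key, message, hashlib.sha256).digest()


def server_verify_assertion(device_key: bytes, challenge: bytes,
                            expected_origin: str, signature: bytes) -> bool:
    """The real server recomputes the signature over ITS OWN origin. A
    signature produced for any other origin will not match."""
    expected = device_sign(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


REAL_ORIGIN = "https://app.example.com"                 # constructed
LOOKALIKE_ORIGIN = "https://app.example-lookalike.test"  # constructed stand-in for a relaying page


def otp_accepted_regardless_of_origin(secret: bytes, unix_time: int) -> bool:
    """A code read off the phone verifies at the real server no matter which
    page it was entered on, because the code carries no origin."""
    code_entered_on_other_page = totp(secret, unix_time)
    return server_verify_otp(secret, code_entered_on_other_page, unix_time)


def assertion_rejected_for_wrong_origin(device_key: bytes) -> bool:
    """The same challenge is forwarded unchanged, but the device signed it for
    the origin it saw. Returns True when the real server correctly rejects."""
    challenge = secrets.token_bytes(32)
    sig = device_sign(device_key, challenge, LOOKALIKE_ORIGIN)
    return not server_verify_assertion(device_key, challenge, REAL_ORIGIN, sig)


def assertion_accepted_for_real_origin(device_key: bytes) -> bool:
    """Normal login: device and server agree on the origin."""
    challenge = secrets.token_bytes(32)
    sig = device_sign(device_key, challenge, REAL_ORIGIN)
    return server_verify_assertion(device_key, challenge, REAL_ORIGIN, sig)


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 6238 test seed
    key = secrets.token_bytes(32)       # constructed per-device key
    print("OTP accepted from any page:", otp_accepted_regardless_of_origin(seed, 1_700_000_000))
    print("assertion for wrong origin rejected:", assertion_rejected_for_wrong_origin(key))
    print("assertion for real origin accepted:", assertion_accepted_for_real_origin(key))
```

The detection angle for defenders follows from the same property: a server using origin-bound assertions sees the mismatch as a failed verification it can alert on, whereas with OTP the relayed login is indistinguishable from a legitimate one at the point of verification.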
This post was first published in June 2020 but has been updated (December 2023) for fresh accuracy and relevancy.