What Is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a security process that requires users to respond to requests to verify their identities before they can access networks or other online applications. MFA may use knowledge, possession of physical objects, or geographic or network locations to confirm identity.

Why is multi-factor authentication needed?

As organizations digitize operations and take on greater liability for storing customer data, the risks and need for security increase. Because attackers have long exploited user login data to gain entry to critical systems, verifying user identity has become essential.

Authentication based on usernames and passwords alone is unreliable and unwieldy, since users may have trouble storing, remembering, and managing them across multiple accounts, and many reuse passwords across services and create passwords that lack complexity. Passwords also offer weak security because of the ease of acquiring them through hacking, phishing, and malware.

What are examples of multi-factor authentication?

The most common example of MFA is the process for using an ATM at a bank. To gain access to their accounts, users must insert a bank card (a physical factor) and enter a PIN (a knowledge factor).

Another familiar example is the time-based one-time password (TOTP) method, used by financial institutions and other large enterprises to secure workflows, applications, and accounts. Upon requesting login, users are asked to provide a temporary passcode that has been sent via a text message, phone call, or email.

How does multi-factor authentication work?

MFA requires means of verification that unauthorized users won’t have. Since passwords are insufficient for verifying identity, MFA requires multiple pieces of evidence to verify identity. The most common variant of MFA is two-factor authentication (2FA). The theory is that even if threat actors can impersonate a user with one piece of evidence, they won’t be able to provide two or more.

Proper multi-factor authentication uses factors from at least two different categories. Using two from the same category does not fulfill the objective of MFA. Despite wide use of the password/security question combination, both factors are from the knowledge category–and don’t qualify as MFA. A password and a temporary passcode qualify because the passcode is a possession factor, verifying ownership of a specific email account or mobile device.

Is multi-factor authentication complicated to use?

Multi-factor authentication introduces an extra step or two during the login process, but it is not complicated. The security industry is creating solutions to streamline the MFA process, and authentication technology is becoming more intuitive as it evolves.

For example, biometric factors like fingerprints and face scans offer fast, reliable logins. New technologies that leverage mobile device features like GPS, cameras, and microphones as authentication factors promise to further improve the identity verification process. Simple methods like push notifications only require a single tap to a user’s smart phone or smart watch to verify their identity.

How do organizations start using MFA?

Many operating systems, service providers, and account-based platforms have incorporated MFA into their security settings. For single users or small businesses, using MFA is as simple as going to settings for operating systems, web platforms, and service providers and enabling the features.

Larger organizations with their own network portals and complex user-management challenges may need to use an authentication app like Duo, which adds an extra authentication step during login.

Benefits of multi-factor authentication

Improved trust

The costs of hacking and phishing attacks can be high. Because MFA helps secure systems against unauthorized users–and their associated threats–the organization is more secure overall.

If organizations are hesitant to ask users to comply with tighter security, they should consider that users themselves–especially customers–may appreciate the extra security for their data. When customers trust a vendor’s security protections, they are more likely to trust the organization overall, which means MFA becomes an important competitive advantage.


Reduced costs

Successful defenses against attacks can provide a return on investment that covers the expense of an MFA solution–for example, preventing a costly and damaging attack on network resources. Even without preventing attacks, MFA can save organizations money by allowing IT departments to deploy resources to protect other parts of networks from different threats.


Easier logins

As multi-factor authentication technology advances, making greater use of passive methods like biometrics and software tokens, it becomes more user-friendly. Easy-to-use MFA processes help users log in more quickly, so workers can be more productive.

In e-commerce, login problems can mean lost sales. User-friendly MFA processes that improve the user experience can help customers log in and, therefore, purchase products.

Source: Cisco , “What Is Multi-Factor Authentication?” https://www.cisco.com. Accessed October 3, 2021. https://www.cisco.com/c/en/us/products/security/what-is-multi-factor-authentication.html

© Copyright 2021. All rights reserved. This content is strictly for informational purposes and although experts have prepared it, the reader should not substitute this information for professional insurance advice. If you have any questions, please consult your insurance professional before acting on any information presented. Read more.