Multi-factor authentication (MFA) is a security strategy requiring multiple methods of authentication of a user’s credentials in order to verify that user’s identity for a login or other type of access. MFA combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, using biometric verification methods.
The goal of MFA is to create a layered defense that makes it difficult for an unauthorized person to access a target, thereby reducing the likelihood of a breach. If one factor is compromised or broken, the attacker would still need to overcome at least one more barrier before successfully entering the device, app or network.
One of the biggest shortcomings of traditional logins that require only a user ID and password is that passwords can be easily compromised, potentially costing organizations millions of dollars. Brute-force attacks are also a real threat, as bad actors can use automated password-cracking tools to guess various combinations of usernames and passwords until they find the right sequence, notes TechTarget. MFA is critical, as it can help reduce security risks.
In the past, MFA systems typically relied on two-factor authentication (2FA). This usually meant the user supplying a password and then one more authentication factor, such as a one-time passcode sent to a smartphone. However, vendors are increasingly leveraging the label “multifactor” to describe any authentication protocol that requires two or more identity credentials to decrease the possibility of a cyberattack. Multifactor authentication is a core component of an identity and access management framework.
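To make the layered-defense point concrete, here is an added example (not code from the original article) of a login that requires both a password and a one-time passcode from an authenticator app. It assumes an RFC 6238 TOTP generator rather than an SMS-delivered code, PBKDF2 for password storage, and a constructed single-user credential record that uses the RFC 6238 test-vector key as the enrolled secret; a correct password with a wrong or stale code, or a correct code with a wrong password, is refused.

```python
import hashlib
import hmac
import struct

# Constructed demo credential record for one user (not real data).
PASSWORD_SALT = b"demo-salt-0001"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
# 20-byte ASCII key from the RFC 6238 test vectors, standing in for the enrolled authenticator secret.
TOTP_SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step


def check_password(candidate: str) -> bool:
    """Factor 1 (something you know): compare PBKDF2 digests in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def check_totp(candidate: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2 (something you have): accept the current step plus +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(TOTP_SECRET, unix_time + drift * STEP), candidate)
        for drift in range(-window, window + 1)
    )


def login(password: str, code: str, unix_time: int) -> bool:
    """Both factors must verify; a leaked password alone never grants access."""
    password_ok = check_password(password)
    code_ok = check_totp(code, unix_time)
    return password_ok and code_ok  # evaluate both so the response time does not reveal which failed
```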
History of MFA
While some form of MFA and its related protocol, two-factor authentication (2FA), have been in use for over 20 years, the idea that multiple security modalities would be necessary didn’t catch on until the mid-2000s, notes the LastPass blog.
This is in large part because consumers found it inconvenient to use and (incorrectly) assumed that a single form of authentication — a password — would provide enough of a defense against a cyberattack. Of course, years ago, people used fewer devices (phones were not smartphones) and there were fewer apps, meaning that there was less of a need for authentication in general.
Although some larger organizations adopted a form of public-key cryptography known as RSA that used two separate authentication tokens to validate user logins, many businesses found this kind of solution too costly and complicated to implement at the time.
Thanks to the evolution of phones into smartphones, MFA accelerated, as employees and customers could use their devices to receive one-time, temporary passcodes or use security keys or a fingerprint to gain entry to their devices, apps and networks.
Unfortunately, as both businesses and consumers were becoming more comfortable with using 2FA and MFA on their smartphones throughout the late 2000s and early 2010s, hacks and data breaches began to proliferate, and the need for stronger authentication and identity management solutions grew; such solutions have since become ubiquitous.
There is no one-size-fits-all approach to choosing and implementing the individual factors or categories of an MFA solution. Let’s look at a few questions end-users might have about MFA:
Is MFA expensive?
Companies need to strike the right balance between protection and cost. This can be achieved by leaning on experts for guidance and use case examples that illustrate what industry peers are paying for MFA implementation strategies.
IT leaders can also seek internal resources in finance and risk management to better understand how much the organization is willing to set aside for security, including introducing MFA.
What’s the risk if I don’t implement MFA?
Further to the question above, companies can assess the damages that have resulted from breaches at some of the biggest and best-known companies, in addition to the expenses those companies had to incur to correct the situation.
Verizon’s 2022 Data Breach Investigations Report found that 82% of breaches involved the human element, including social attacks, errors and misuse. According to IBM, the average cost of a breach in 2022 was $4.25 million.
Does it take long to implement?
MFA implementation timelines can vary. Perhaps the longest part is not in the installation of the software itself but rather in training employees on how to follow the new protocols.
Which type balances the cost and security tradeoff?
Each factor is different and needs to be evaluated for its capability and potential suitability.
For example, biometrics is often deemed the strongest and safest authentication factor. It is difficult for bad actors to hack or replicate a fingerprint or voiceprint, and biometrics is certainly more convenient for the end user, as there is no password to memorize or physical object to have in their possession (other than themselves).
Still, there are issues. Biometrics can be costly to implement at scale. Further, some employees might wonder about any misuse of biometric data as part of any type of surveillance on the part of the company.
Will the added complexity annoy my employees?
New procedures can lead to mild annoyance at the beginning. However, some factors like the one-time passcode have gained popularity from mobile banking and other consumer apps, creating a sense of familiarity with employees. Since they have most likely used it before, employees will understand that it will add an extra level of protection to their corporate network.
Another authentication factor to consider for employees is the hardware key. As a physical object that the employee must have in their possession, it reduces complexity. While the key could become lost or stolen, a key is easy to replace and it cannot be used on its own to gain access to company assets.
The Best MFA Solution for Your Business
The Migus Group can help you better understand multifactor authentication and how its implementation fits into your identity and access-management policies across your organization. Contact us today to learn more.
Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, he covers such topics as security, mobility, e-commerce and the Internet of Things.