What Is Multi-Factor Authentication? MFA Defined: Then, Now, and Tomorrow
Have you ever gone to your favorite pizza joint’s website to place an order, only to be asked to verify your credit card at checkout by entering a code sent to you via text message? While this extra step might not be good if you’re hungry, it’s a great example of multi-factor authentication at work.
In recent years, multi-factor authentication (MFA) has become a highly popular and effective way to protect much more than online pizza orders — it is a crucial measure in reducing identity theft, credit card fraud and even safeguarding sensitive government, healthcare, and financial information.
This article is intended to demystify MFA, providing a glimpse into its past, and providing a preview into its future — including challenges it faces along the way.
What Is MFA, Anyway?
NIST, the National Institute of Standards and Technology, defines multi-factor authentication as, “An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.”
Simply put, MFA is easily explained by breaking the term into its parts. We know ‘multi’ means multiple, or more than one. “Factor” can be considered as a piece of information or data that is unique to the individual. And “authentication” is defined by Oxford as, “the process or action of verifying the identity of a user or process.” Once combined, the basic definition of multi-factor authentication is a system that uses more than one identifying data point to provide access to a user.
Or in the case of our pizza example, one factor of authentication could be a user’s email address, another factor could be an account password, and the final factor could be the code sent via text message to identify the user as the owner of the credit card.
What’s interesting is the three authentication factors as defined by NIST offer numerous combinations to authenticate depending on use case and sensitivity of information looking to be accessed.
- Something you know (knowledge): Passwords, PINs, security codes or passphrases
- Something you have (possession): Smart cards, security keys or tokens, mobile device
- Something you are (inherence): Fingerprints, facial scans, iris scans or other forms of biometrics and behavioral analysis
History and Evolution of MFA
Multi-factor authentication has a controversial past — or at least we’re not fully sure who deserves credit for the technology. One camp claims that the infamous Kim Schmitz, better known as Kim Dotcom, first pioneered the invention based on a patent filed in the US in April 1998 and issued in June 2000. Another camp points to a patent filed by AT&T in May 1995 and issued in June 1998.
Regardless of who is credited with the title of first, the technology itself has evolved greatly over the past 25-ish years. Much of this is due to the sweeping power of the internet and its enablement of ecommerce, which saw with it a rise in credit card and identity fraud. An even bigger catalyst was the introduction of the smartphone, which forced companies and organizations of all sizes to address the issue of employees and users having personal devices used for business purposes.
The now familiar “BYOD” term, or “Bring Your Own Device,” reset priorities for IT and Security departments around the globe. The number of smartphones, laptops, smart watches — just to name a few — that could connect to enterprise networks boomed in the late 2000s and into the 2010s. This forced IT teams to find a way to secure personal devices and determine access levels, both inside and outside a facility.
Beyond BYOD, the general population became generally more familiar and comfortable with MFA, namely in the form of 2FA, or two-factor authentication. This was ushered by tech giants like Apple, Google, and Facebook requiring a user to present two factors to access their accounts, most commonly a username and password followed by a one-time password sent via text message or email.
Then came the pandemic in 2020. Those who were able to work from home did, meaning that enterprises, schools, government agencies and all other kinds of organizations, were forced to rapidly adopt MFA to allow their users to securely access networks and shared tools remotely. Fast forward to today and the notion of truly hybrid work, with MFA to support it, is here to stay.
Benefits of MFA
The obvious benefits of MFA are strong security and better user experience. Simply put, using a single factor for authentication is no longer enough in today’s digital world — especially when the most common password continues to be “123456”. Microsoft also states that “your account is more than 99.9% less likely to be compromised if you use MFA.”
To further bash the simple password, data breach after data breach exposes and sells those to a variety of nefarious players who use this data to steal identities, launch ransomware attacks, and make the online world a more dangerous place. With MFA, you can strengthen your user login protocols or choose to eliminate the reliance on passwords and keep your data safe — while simultaneously enhancing the user experience.
In addition to providing a passwordless authentication experience, MFA offers end users an extra layer of protection for what matters most — their identities — and the related peace of mind of knowing their data is better secured. For IT departments, MFA reduces the risk of unauthorized access to sensitive corporate resources and data, provides flexibility to employees to use a multitude of devices, and ensures a consistent security posture across the organization.
And most importantly, MFA reduces the likelihood of large-scale cyberattacks that can greatly hurt a company’s brand, reputation and bottom line.
Examples of MFA in Action
So now that you know what MFA is and why it’s important, let’s talk through some different examples of how it works in practice.
- Ecommerce: Just like our pizza scenario, when you buy anything online, you are likely to experience MFA at the time of checkout. Some card providers or financial services providers send OTP via SMS or email which is referred to as out-of-band (OOB) while others go for a more secure solution and implement push authentication for transaction signing.
- Online Banking: When you log in to your online bank account, the bank’s website (or app) will first ask for your username and password. If you are in a known location using a known device, providing those two may be enough to be granted access. But if you try to access the account from a new IP address, new geography, or even a new device, your bank will likely ask you to, for example, answer a known security question. Or they will send you a code via SMS or link via email to verify your identity. Any of these authentication methods help ensure that you are who you say you are.
- Accessing Networks, Applications and Data: For organizations of all sizes, one of the most important MFA use cases is providing secure remote access, especially in today’s hybrid work environment. It’s becoming increasingly common to use push authentication methods to identify users quickly and securely. In this type of scenario, a user would first enter their approved username and password to log in to their workstation or account. Once validated as correct, a push notification will be sent to a secure application on the user’s mobile device, informing them that an authentication attempt is taking place. From there, the user can deny or approve it to get access to the company network, VPN, online software and applications, etc.
Looking Ahead: The Future of MFA
The future of MFA is clear: adoption will continue to expand — and quickly — due to sheer necessity. The technology and tactics for MFA will continue to evolve through passwordless authentication methods mainly motivated by the increased focus in protecting our identities, data, and corporate networks.
We expect to continue seeing a bigger influence from governmental organizations. For example, Executive Order 14028 requires the US Federal government to adopt a Zero Trust security model and deploy MFA and encryption by the end of 2024.
Perhaps the future and importance of MFA is best summarized by Jen Easterly, Director of the US Cybersecurity & Infrastructure Security Agency (CISA), when she said: “The bottom line is that we need to all get in the game and work this issue together. By tackling the MFA challenge from different angles, we can significantly improve online security — and by extension our business, personal and even national security.”
Maria MacRitchie leads the product marketing efforts for the IAM Workforce Authentication solution globally. She has over 15 years of experience with B2B and B2C product, services and marketing communications within the IT and telecom industries. Maria has been with HID for 7 years, holding various communication roles within the Professional Services, PACS Cloud Services and Product Marketing teams.