Multi-factor authentication (MFA) uses a combination of two or more credentials to verify identity. MFA significantly increases the security of logon procedures and makes identity theft more difficult.
What is multi-factor authentication (MFA)?
Multi-factor authentication, or MFA for short, is an authentication method that combines two or more credentials (factors). MFA can be used to secure logon procedures and verify transactions. Identity theft is significantly more difficult compared to authentication procedures that use only one factor, such as logging in with a user ID and password. The factors used are based on biometric characteristics, special knowledge or an item carried and are independent of each other.
One form of multi-factor authentication is two-factor authentication (2FA), which combines exactly two credentials. MFA is used, among other things, for electronic payment transactions, for logging on to cloud services and web applications, for access to networks and computer systems, or for access authorization to protected areas. Authentication can be done, for example, by entering a PIN and presenting an identity card, entering a password and an identifier sent to the smartphone or swiping a card, answering a security question, and scanning the iris.
What classes of factors are used for MFA?
The credentials (factors) used in multi-factor authentication generally fall into three different categories. These categories are:
- Physical objects of possession such as a token or swipe card
- Secret knowledge such as a password or PIN
- Unique physical characteristics or biometric data such as the fingerprint, voice, or iris pattern.
Secret knowledge is the most commonly used factor for authentication methods. Many methods (single-factor authentication) use only secret knowledge to log on to a system or secure a transaction. Passwords, PINs, or answers to security questions are examples of such knowledge. It must be known only to the user and should not be guessable or discoverable by trial and error.
Physical possession objects are items that are in the possession of the person who wants to authenticate. Typical examples are keys, magnetic cards, tokens, or the cell phone with its unique phone number. When logging on, this item must be presented in addition to one or more other factors, so the person must carry it with them.
Unique physical characteristics are unmistakable and linked to the user’s identity. In most cases, biometrics are used as physical characteristics. It is important that the features are tamper-proof and can be uniquely determined by systems such as scanners. Examples of systems for recognizing biometric features are fingerprint scanners, iris scanners, or voice recognition systems.
Two-factor authentication as a special case of MFA
Two-factor authentication (2FA) represents a commonly used form of MFA. In many cases, 2FA relies on the factor of secret knowledge and a carried item. The use of an ATM, where a PIN must be entered and a card swiped, represents a typical example of 2FA. Two-factor authentication methods that use the cell phone or smartphone as a second factor are becoming more and more common. Since the cell phone is a constant companion for many people, such procedures offer the advantage that the user does not have to carry any additional items for proof of identity.
The login process may involve the user first entering his or her user ID and password into the system. The system then sends an additional one-time identifier via SMS to the previously stored mobile phone number or directly to a registered app on the smartphone. After the user enters the correct one-time identifier, the system grants access. For two-factor authentication via cell phone or smartphone to work, the device must be logged into a cellular network and, depending on the method, may also need an internet connection.
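The two-step login described above, as an added example that is not part of the original article: the server checks the password first, then issues a one-time code, hands it to an out-of-band channel, and later checks that the code matches, has not expired, and is used only once. The in-memory "database", the hypothetical send_sms callback, and the 5-minute validity window are assumptions.

```python
import hashlib
import hmac
import os
import secrets

OTP_TTL_SECONDS = 300   # assumed validity window for the one-time identifier
MAX_OTP_ATTEMPTS = 3    # assumed guess limit before a fresh first factor is required

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a stolen database does not yield the first factor directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(db: dict, user_id: str, password: str, phone: str) -> None:
    salt = os.urandom(16)
    db[user_id] = {"salt": salt, "hash": _hash_password(password, salt),
                   "phone": phone, "otp": None}

def first_factor(db: dict, user_id: str, password: str, now: float, send_sms) -> bool:
    """Step 1: verify user ID + password. On success create a one-time code,
    store only its hash with an expiry, and pass it to the delivery channel."""
    rec = db.get(user_id)
    if rec is None:
        return False
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return False
    code = f"{secrets.randbelow(10**6):06d}"   # 6-digit one-time identifier
    rec["otp"] = {"hash": hashlib.sha256(code.encode()).digest(),
                  "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    send_sms(rec["phone"], code)               # hypothetical SMS/app delivery hook
    return True

def second_factor(db: dict, user_id: str, code: str, now: float) -> bool:
    """Step 2: the code must match, be unexpired, and is consumed after use."""
    rec = db.get(user_id)
    if rec is None or rec["otp"] is None:
        return False
    otp = rec["otp"]
    otp["attempts"] += 1
    if now > otp["expires"] or otp["attempts"] > MAX_OTP_ATTEMPTS:
        rec["otp"] = None      # expired or too many guesses: start over at step 1
        return False
    if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), otp["hash"]):
        return False
    rec["otp"] = None          # single use: the same code cannot be replayed
    return True
```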
Advantages and disadvantages of multi-factor authentication
The main advantage of multi-factor authentication is that it eliminates the common threat scenario of identity theft through simple password theft. Even if an attacker is in possession of the password, they still do not have access to the system; at least one further credential is needed.
Since these logon procedures represent an increase in security on the Internet and in the use of IT systems, the BSI (German Federal Office for Information Security) recommends them in its IT-Grundschutz (IT baseline protection) catalogues. A disadvantage is that the additional security often comes at the cost of usability.
The more factors that have to be used for logon, the more time-consuming and complex the logon process can become for the user. If a factor is lost, access to the system is initially impossible, and a considerable amount of extra work is required to replace the missing factor.