What Is Multifactor Authentication (MFA)?

As a concept, multifactor authentication (MFA) goes back well before cloud computing, e-commerce, online services, and all the other activities that take place over the internet. Many of us remember a time when banking services required you to supply your government-issued ID along with your mother's maiden name to gain access to account information. Today, in its simplest terms, multifactor authentication adds a layer of security as people access online accounts by requiring the use of two or more types of credentials, or "factors." The classic definition of MFA factors is "something you have" (like a one-time password), "something you know" (like a PIN or password), or "something you are" (like a biometric). Using two or more of these factors delivers MFA.

As data breaches and fraud have escalated, the need for multifactor authentication has become critical to reducing risk.

Why a username and password are no longer enough

Enterprises across all sectors are spending a fortune on cybersecurity. Gartner estimated that spending on information security and risk management will total $172 billion in 2022, up from $155 billion in 2021 and $137 billion the year before. And yet, the breaches continue unabated.

According to the latest ForgeRock Consumer Identity Breach Report, unauthorized access was the leading cause of breaches for the third consecutive year. Questionable yet common practices, like sharing or reusing passwords, give bad actors an easy path to gaining access to valuable data, such as birth dates or Social Security numbers. This reality brings into sharp focus the need to adopt a multi-layered, defense-in-depth approach to identity and access management (IAM), which includes MFA.

Multifactor authentication can help prevent the most common types of attacks from succeeding, such as brute-force attacks, credential stuffing, and man-in-the-middle attacks, and it can stop devastating account takeover (ATO) attacks. By requiring an added credential, such as a one-time password (OTP) delivered via text message (SMS) or generated by an authenticator app, an attacker who holds only a stolen username and password still can't gain access to the targeted resources.


"This year's report notably reveals that attacks involving usernames and passwords increased a staggering 450% over 2019, translating into more than 1 billion compromised records in the U.S. alone."

2021 ForgeRock Consumer Identity Breach Report

The problem with passwords

The most common password worldwide, according to VPN leader Nord Security, is 123456. More than 100 million people use that password for their personal accounts despite persistent warnings about weak passwords and recommendations to use unique passwords that would be hard to guess even by someone who knows something about you.

There are many reasons why people don't follow guidelines for creating complex passwords. One is that they're too complex to remember. Another reason is that people don't think their own data is valuable, so they believe they're not at risk. After all, why would an intruder go to the trouble of infiltrating an account without monetary value or the promise of lots of sensitive data?

The trouble with that thinking is that the holder of the infiltrated account is rarely the intended target. In its 2021 Data Breach Investigations Report, Verizon reported that compromised credentials were involved in 60% of breaches, noting, “Credentials remain one of the most sought-after data types.” The reason is that attackers are always looking for the weakest link to exploit. If they have stolen credentials or a simple or default password, they can use an infiltrated system or account to gain a foothold into a network, where the valuable data resides. So, an employee's poor security practices don't simply affect that employee — they may lead to the exposure of customer data, intellectual property, and other valuable assets.

Another problem with passwords is that most people use the same passwords across multiple sites and accounts. So, if an attacker gains entry into one account, there's a good possibility that the same credentials will be used on other, perhaps more interesting, accounts. Furthermore, 53% of people store their passwords in an insecure manner, according to a Forrester survey.

To counter these risks and others, many organizations are adopting passwordless authentication. By eliminating passwords, you can eliminate their risks and the associated costs.

The "factors" in multifactor authentication

The three most common categories, or authentication factors, are described as something you know, something you have, and something you are. MFA works by combining two or more factors from these categories.

  • Something you know, also known as the "knowledge" factor, typically includes passwords, personal identification numbers (PINs), and one-time passwords (OTPs). It may also include asking the user to answer a security question, such as the name of the street they grew up on.
  • Something you have, also known as the "possession" factor, includes a device or something else in a user's possession. It may include an authenticator app on a mobile device, security keys, or a security token, which is a hardware device that plugs into your computer's USB port. A smartphone frequently provides the possession factor in conjunction with a one-time passcode (OTP) app.
  • Something you are, also known as the "inherence" factor, is where "biometrics" come in. It may include a fingerprint scan, facial recognition, retina scan, or voice authentication.

The increasing role of AI in authentication

Everyone agrees that authentication is important, but it must strike a balance between its role as a security enforcer and its position as the front door to your organization. You don't want known, low-risk employees to undergo rigorous authentication each time they log in; such an experience would be frustrating and a barrier to productivity. If you make the experience of registering or purchasing too cumbersome for customers, there's a good chance those customers will take their business elsewhere.

That's where artificial intelligence (AI) comes in. As MFA integrates machine learning and AI, authentication methods become more sophisticated, more attuned to who is logging in and whether there is anything different about this login attempt or online behavior. As context changes, such as the user's location or device—or even the sensitivity of the app being accessed—further risk-based authentication will be triggered, known as step-up authentication. When all the context is as expected, the system requires less authentication, which makes access easier for the user.

Using risk scores, modern MFA sorts users into three categories:

  • Low risk: this is a known user, logging in during expected hours using the same device and network, within the same geolocation, as is typical. This user may have access immediately.
  • Medium risk: this is a known user using the same device as usual but is logging in from a different country. Additional authentication is required before access is granted.
  • High risk: this is a known threat, perhaps a bot. It is immediately blocked from access.

In all cases, the information from these attempts is shared with the security information and event management system (SIEM) to log new behaviors from legitimate users and to identify new threat signals.
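To make the step-up logic described above concrete, here is an added example (not ForgeRock's risk engine) that scores a login attempt against a user's behavioural baseline, maps the score to the three outcomes listed, and produces the record that would be forwarded to the SIEM. The baseline, the three attempts, the weights and the thresholds are all constructed for illustration.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """What is normal for this user (constructed from past successful logins)."""
    user: str
    devices: set
    networks: set
    countries: set
    hours: range  # hours of the day at which this user normally logs in


@dataclass
class Attempt:
    """Context of one login attempt as seen by the authentication service."""
    user: str
    device_id: str
    network: str
    country: str
    hour: int
    bot_signals: list = field(default_factory=list)  # threat-intel or bot-detection hits


WEIGHTS = {"new_device": 30, "new_network": 20, "new_country": 40, "unusual_hour": 15}
BOT_WEIGHT = 100  # a known threat signal is enough to block on its own (assumption)


def risk_score(base: Baseline, att: Attempt):
    """Add up the ways this attempt departs from the user's usual context."""
    reasons = []
    if att.device_id not in base.devices:
        reasons.append("new_device")
    if att.network not in base.networks:
        reasons.append("new_network")
    if att.country not in base.countries:
        reasons.append("new_country")
    if att.hour not in base.hours:
        reasons.append("unusual_hour")
    reasons += [f"bot:{s}" for s in att.bot_signals]
    return sum(WEIGHTS.get(r, BOT_WEIGHT) for r in reasons), reasons


def evaluate(base: Baseline, att: Attempt):
    """Low risk -> ALLOW, medium -> STEP_UP (extra factor), high -> BLOCK.
    Returns the decision and the JSON event to ship to the SIEM."""
    score, reasons = risk_score(base, att)
    decision = "BLOCK" if score >= 80 else "STEP_UP" if score >= 30 else "ALLOW"
    event = {"user": att.user, "score": score, "reasons": reasons, "decision": decision}
    return decision, json.dumps(event)


BASELINE = Baseline("alice", {"laptop-01"}, {"corp-lan"}, {"US"}, range(8, 19))
LOW = Attempt("alice", "laptop-01", "corp-lan", "US", 10)           # same as usual
MEDIUM = Attempt("alice", "laptop-01", "hotel-wifi", "FR", 10)      # same device, new country
HIGH = Attempt("alice", "unknown-9f", "open-proxy", "US", 3, ["headless_browser"])
```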

MFA: It's the law

In an effort to make the country less vulnerable to cyberthreats, the Biden administration issued an Executive Order (EO) requiring the use of MFA by U.S. government agencies. The Executive Order (EO) 14028 on Improving the Nation's Cybersecurity was signed in May 2021 and required agencies to adopt multi-factor authentication within 180 days of the EO, stating, "Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life."

Conclusion: the need for MFA

Authentication used to be simpler, back when all employees were connected to a network and accessed applications and resources in a centralized data center. Now, employees connect using multiple devices, many of them unmanaged, and they are constantly on the move, connecting from home, public Wi-Fi, and often from various geolocations. Organizations serving customers—whether they're consumers, patients, citizens, students, or others—must provide a simple, low-friction experience while managing identities that may number in the millions.

The use of a modern authentication system, including artificial intelligence and machine learning, enables organizations to provide the necessary security to keep intruders out. At the same time it makes access easy for legitimate users to keep employees productive and customers happy.
