What Is Multi-factor Authentication (MFA)?


Learn More

What is Multi-factor Authentication (MFA)?

As a concept, multi-factor authentication (MFA) goes back well before cloud computing, e-commerce, online services, and all the other activities that take place over the internet. Many of us remember a time when banking services required you to supply your government-issued ID along with your mother's maiden name to gain access to account information. Today, in its simplest terms, multi-factor authentication adds a layer of security as people access online accounts by requiring the use of two or more types of credentials or "factors."" The classic definition of MFA factors is "something you have" (like a one-time password), "something you know" (like a PIN or password), or "something you are" (like a biometric). Using two or more of these factors delivers MFA.

As data breaches and fraud have escalated, the need for multi-factor authentication has become critical to reducing risk.


Why a username and password are no longer enough

Enterprises across all sectors are spending a fortune on cybersecurity. Gartner estimated that spending on information security and risk management will total $172 billion in 2022, up from $155 billion in 2021 and $137 billion the year before. And yet, the breaches continue unabated.

According to the 2023 ForgeRock Identity Breach Report, unauthorized access was the leading cause of breaches for the fifth consecutive year. Questionable yet common practices, like sharing or reusing passwords, give bad actors an easy path to gaining access to valuable data, such as birth dates or Social Security numbers. This reality brings into sharp focus the need to adopt a multi-layered, defense-in-depth approach to identity and access management (IAM), which includes MFA.

Multi-factor authentication can help to prevent the most common types of attacks from succeeding, such as brute-force attacks, credential stuffing, and man-in-the-middle attacks. And it can prevent devastating account takeover (ATO) attacks from occurring. By requiring an added credential, such as a one-time password (OTP) delivered via text message (SMS) or authenticator app, an attacker with credentials still can't gain access to the targeted resources.

Learn more about breach prevention.

There was a 233% Increase in U.S. breaches exposing user credentials compared to 2021. Credentials — username and password combinations — are attractive targets as they enable unauthorized access to sensitive systems, networks, and data.

2023 ForgeRock Identity Breach Report

The problem with passwords

The most common password worldwide, according to VPN leader Nord Security, is 123456. More than 100 million people use that password for their personal accounts despite persistent warnings about weak passwords and recommendations for the use of unique passwords that would be difficult to guess even if someone knew something about you. (Read some password tips here.)

There are many reasons why people don't follow guidelines for creating complex passwords. One is that they're too complex to remember. Another reason is that people don't think their own data is valuable, so they believe they're not at risk. After all, why would an intruder go to the trouble of infiltrating an account without monetary value or the promise of lots of sensitive data?

The trouble with that thinking is that the holder of the infiltrated account is rarely the intended target. If attackers have stolen credentials or a simple or default password, they can use an infiltrated system or account to gain a foothold into a network, where the valuable data resides. So, an employee's poor security practices don't simply affect that employee — they may lead to the exposure of customer data, intellectual property, and other valuable assets.

Another problem with passwords is that most people use the same passwords across multiple sites and accounts. So, if an attacker gains entry into one account, there's a good possibility that the same credentials will be used on other, perhaps more interesting, accounts. Furthermore, 53% of people store their passwords in an insecure manner, according to a Forrester survey.

To counter these risks and others, many organizations are adopting passwordless authentication. By eliminating passwords, you can eliminate their risks and the associated costs.


The "factors" in multi-factor authentication

The three most common categories, or authentication factors, are described as something you know, something you have, and something you are. MFA works by combining two or more factors from these categories.

  • Something you know, also known as the "knowledge" factor, typically includes passwords, personal identification numbers (PINs), and one-time passwords (OTPs). It may also include asking the user to answer a security question, such as the name of the street you grew up on.
  • Something you have, also known as the "possession" factor, includes a device or something else in a user's possession. It may include an authenticator app on a mobile device, security keys, or a security token, which is a hardware device that plugs into your computer's USB port. A smartphone frequently provides the possession factor in conjunction with a one-time passcode (OTP) app.
  • Something you are, also known as the "inherence" factor, is where "biometrics" come in. It may include a fingerprint scan, facial recognition, retina scan, or voice authentication.


The increasing role of AI in authentication

Everyone agrees that authentication is important, but it must strike a balance between its role as a security enforcer and its position as the front door to your organization. You don't want known, low-risk employees to undergo rigorous authentication each time they log in; such an experience would be frustrating and a barrier to productivity. If you make the experience of registering or purchasing too cumbersome for customers, there's a good chance those customers will take their business elsewhere.

That's where artificial intelligence (AI) comes in. As MFA integrates machine learning and AI, authentication methods become more sophisticated, more attuned to who is logging in and whether there is anything different about this login attempt or online behavior. As context changes, such as the user's location or device—or even the sensitivity of the app being accessed—further risk-based authentication will be triggered, known as step-up authentication. When all the context is as expected, the system requires less authentication, which makes access easier for the user.

ForgeRock's AI-driven solution is called ForgeRock Autonomous Access. Very simply, Autonomous Access assigns a risk score to every login attempt based on a variety of factors. It uses that score to instantly apply the appropriate level of friction based on risk.

  • Low risk: this is a trusted user, logging in during expected hours using the same device and network, within the same geolocation, as is typical. This user sails through and bets immediate access.
  • Medium risk: this may be a known user logging in on the usual device, but may be in a different time zone or even a different country. Additional authentication is required before access is granted.
  • High risk: This user is almost certainly malicious, possibly a bot, having failed multiple automated login attempts. Access requests can be remediated or fully blocked.

ForgeRock Autonomous Access is an AI-driven threat protection solution prevents account takeover (ATO) and fraud during authentication, while removing unnecessary friction for legitimate users.


MFA: It's the law

In an effort to make the country less vulnerable to cyberthreats, the Biden administration issued an Executive Order (EO) requiring the use of MFA by U.S. government agencies. The Executive Order (EO) 14028 on Improving the Nation's Cybersecurity was signed in May 2021 and required agencies to adopt multi-factor authentication within 180 days of the EO, stating, "Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life."


Conclusion: the need for MFA

Authentication used to be simpler, back when all employees were connected to a network and accessed applications and resources in a centralized data center. Now, employees connect using multiple devices, many of them unmanaged, and they are constantly on the move, connecting from home, public Wi-Fi, and often from various geolocations. Organizations serving customers—whether they're consumers, patients, citizens, students, or others—must provide a simple, low-friction experience while managing identities that may number in the millions.

The use of a modern authentication system, including artificial intelligence and machine learning, enables organizations to provide the necessary security to keep intruders out. At the same time it makes access easy for legitimate users to keep employees productive and customers happy.


Additional Resources

ForgeRock Recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for Access Management


What are the Critical Capabilities of Access Management in 2023?


IAM 101 Series: What is Account Takeover?


AI-Driven Identity


Passwordless Authentication

Solution Brief

ForgeRock Identity Management