Multi-Factor Authentication: The Ins and Outs

Lukas Grigas
Cybersecurity Content Writer
multi factor authentication

Multi-factor authentication, often referred to simply as MFA, is what we call an additional layer of security that, today, we can enable on most of our online accounts for better security. Unfortunately, MFA is often overlooked. Whether it’s because users don’t know what it is or how it works remains a mystery. Today, we’ll explore MFA. We’ll look into what it is, how it works, and why it is important. Hopefully, by the end of this post, you’ll be rushing to enable MFA on all of your online accounts.

What is MFA?

What does MFA stand for cyber security? Multi-factor authentication, although some security experts refer to it as “multi-step authentication”. Usually MFA is described as an additional layer of security. Technically speaking, MFA is an access management component that requires users to provide two or more factors of authentication to access an account. Essentially, MFA requires users to provide extra proof of identity besides their username and password. Think of MFA as an extra lock on your door.

Unfortunately, misconceptions about MFA exist and often deter users from using it and taking advantage of the security that it provides. The misconceptions seem to be prevalent in the business world. Organizations tend to think that incorporating multi-factor authentication software into their IT infrastructure and rolling out MFA for the entire company is difficult and cumbersome and could be counterproductive.

The reality of the matter is the opposite. With today’s security technologies, enabling MFA for company-wide use can be done quickly and with virtually no interruptions. And once it is done, the benefits that MFA brings to the table far outweigh any possible inconveniences that a company might face during implementation.

How does MFA work?

MFA works by employing a variety of technologies to authenticate the user once they try to access their online account. With MFA enabled, a user first needs to enter their username and passwords, but besides these credentials, the user is also asked to authenticate their identity by some other means. Once the two factors are authenticated, the user is granted access to their account. One of the most popular MFA factors is known as one-time passwords (OTP); these are the 4-8 digit codes that are sent to you via SMS, email, or authentication app.

how does mfa work

Types of MFA factors

A variety of factors could be used by MFA to authenticate the user. Here are some of the most common ones.

What you know (knowledge factor)

The knowledge factor typically consists of a password, PIN, passphrase, or security questions and their answers known only to the rightful account holder. For the knowledge factor to work correctly, the user must enter the correct information requested by the online application.

What you have (possession factor)

Before we had smartphones that we could use for MFA, people carried tokens or smartphones to generate an OTP that would be entered as a factor of authentication. These days, smartphones are the primary physical tools that we use to generate an OTP, usually via authenticator apps. However, physical security keys are also available as a possession factor, which are often considered one of the most secure options when it comes to MFA types.

What you are (inherence factor)

As an additional factor of authentication, users today can use biometric data.

Such data includes the person’s fingerprints, facial features, retina scans, voice recognition, and other biometric information. Biometric authentication is gaining more traction by the day, as authentication is frictionless when compared to other types.

Where you are (location factor)

The last (but not least) of the authentication factors — location-based authentication — usually checks the user’s IP address and their geo-location. Users can whitelist certain geo-locations and block others. If the login attempt comes from an unrecognized location, MFA blocks the access to the account and vice versa.

inner types of mfa

Why is multi-factor authentication important

As cybercrime continues to increase in frequency and sophistication, individuals and companies alike look for effective and simple ways to ensure the security of their online accounts. MFA provides just that.

When bad actors are able to steal passwords and usernames, they can easily gain unauthorized access to accounts and network systems. But with MFA enabled, even hackers with the correct login credentials would need to get through an additional layer of security, whether it’s OTP, biometric authentication, or other means of MFA. All of that complicates things for attackers because for a successful hack they would need to somehow have access to smartphones or other devices related to the user.

Given that up to 80% of data breaches are related to poor password habits in one way or the other, MFA can significantly improve your security. Reports also indicate that the volume of brute force attacks grew by 160% starting in May 2021. But that’s not all. Security experts and researchers continue to see an increase in phishing attacks, which are usually at the top of the hacking funnel. As cybercrime continues to rise in prominence, MFA is quickly becoming a critical part of everyone's security, whether it's an individual or a large organization.

Difference between MFA and Two-Factor Authentication

As you can probably guess, the difference between 2FA and MFA — as the names suggest — lies in the number of authentication factors required to authenticate a given user.

Two-Factor Authentication (2FA), unsurprisingly, requires exactly two factors of authentication – no more, no less.

Therefore, following this logic, Multi-Factor Authentication (MFA) requires two or more authentication factors to work as intended.

Basically, this means that every two-factor authentication is an example of multi-factor authentication, but not the other way around.

MFA benefits

The number one thing that MFA brings to the table is enhanced security. MFA works hand in hand with strong passwords to ensure the best possible security. It makes it harder for devious parties to access accounts or system networks without factored authentication. This applies to both individuals and organizations.

However, for businesses, MFA also helps with compliance. Security standards such as the GDPR and HIPAA require the highest level of security to protect sensitive user data and MFA can be that additional layer of security that helps businesses comply with security standards.

Additionally, MFA can boost a company’s reputation among its customers if it offers MFA as an additional layer of security for their accounts. These days, ​​customers trust and appreciate businesses that take precautions to protect them seriously.

Multi-factor authentication examples

As already mentioned, multi-factor authentication is about using two or more authentication factors to identify a given user. Those factors can be passwords, pins, passphrases, tokens, or biometrics (f.ex. fingerprint recognition or face IDs). By creating combinations of the factors above, you can build authentication sequences with different levels of security.

For example, you can make log-in credentials — such as an account number or email address and the password that was set for the account — the first factor (or step) in the multi-factor authentication. By providing these two pieces of information, the user can specify which account they want to access and confirm that they know the password required to log in. That’s a great starting point, but as you know, passwords can be stolen, therefore, you must make sure that the person trying to access the account is its real owner.

So, you can put another line of defense by asking that person to also provide the pin number sent right after they entered the password to the phone number associated with the account. This will be the second factor. If the person provides the pin, this will be an indication that they are in possession of the mobile device with the correct phone number and thus it is very likely that they are the rightful owner of the account.

You can add more factors to be absolutely sure that you do not grant access to the wrong person. For example, you can ask a person to confirm their identity by using biometrics, e.g. scanning their fingerprints with their mobile device. Keep in mind, however, that the introduction of too many authentication factors may negatively affect the user experience, making logging into the application or system too burdensome.

MFA types that NordPass Business supports

NordPass Business is a secure and intuitive password manager purpose-built to facilitate smooth and secure password management in a corporate environment, and it comes equipped with three MFA options: an authenticator app, a security key, and backup codes, which can come in handy when you don’t have access to the authenticator app or a security key. NordPass supports major authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy.

Besides MFA, NordPass Business is packed with a variety of advanced security and productivity features. Not only does NordPass allow users to create complex and unique passwords on the spot and store them in an encrypted vault, but it also can autofill login credentials and autosave new ones with just a few clicks.

Furthermore, with NordPass Business, organizations can regularly check for weak, old, or reused passwords with Password Health and check if any of company-related domains or emails have been compromised in a data leak with the Data Breach Scanner. A business password manager is quickly becoming a ubiquitous tool for any company wishing to succeed in today's digital world.

If you are interested in learning more about NordPass Business and how it can fortify corporate security and even bring business closer to cyber insurance eligibility, do not hesitate to book a demo with our representative.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.