Multi-factor authentication: the ins and outs

Kamile Viezelyte
Cybersecurity Content Writer

Multi-factor authentication, simply known as MFA, is an additional layer of security that we can use on most of our online accounts. Despite its advantages, MFA often goes overlooked, as users might not know much about it. Today, we’ll explore every angle of MFA: what it is, how it works, and why it’s important. By the end of this post, you might be rushing to switch on MFA wherever you can.

What is multi-factor authentication (MFA)?

Multi-factor authentication, also referred to as “multi-step authentication” by some experts, is an access management component that requires users to provide two or more authentication factors to log in and access an account. Essentially, users must provide extra proof of identity besides their username and password. Think of MFA as an extra lock on your door.

Unfortunately, misconceptions about MFA exist: they’re especially prevalent in the business world and often deter users from using it and taking advantage of its security. Organizations tend to think that mandating multi-factor authentication in the IT infrastructure for the entire company is cumbersome and could be counterproductive.

The reality of the matter is actually the opposite: with today’s security technologies, setting up MFA company-wide is quick and causes practically no interruptions. Once it’s done, the benefits that MFA brings to the table far outweigh any possible inconveniences that a company might face during the implementation.

How does MFA work?

Multi-factor authentication employs various technologies, like one-time passwords, tokens, and biometrics, to authenticate users when they try to access their accounts. First, the user enters their username or email and their password. But besides these credentials, and with MFA switched on, the user is also asked to authenticate their identity using their selected secondary verification method. Once the two factors are authenticated, the user is granted access to their account.

One of the most popular MFA factors is known as one-time passwords (OTPs). They’re security codes that can be used only once to authenticate a login attempt. A one-time password is usually 4–8 digits long and can be valid for anywhere between 15 seconds and a few hours. When a user attempts to log in, a one-time password is sent via text message or email for authentication. OTPs can also be generated using an authentication app, like NordPass’ built-in Authenticator.

As you set up multi-factor authentication, your one-time password will be generated in one of two ways: either as a time-based one-time password (TOTP) or a hash-based one-time password (HOTP). Their core difference is how frequently a new code is generated. An authentication app refreshes a TOTP at a set interval (for example, every 30 seconds), while a HOTP only refreshes upon a new login attempt.

One-time passwords rely on two inputs—a seed and a moving factor. The seed is a static secret key held on the server side, while the moving factor changes on every use (a counter for HOTP, the current time step for TOTP), which ensures that a fresh password is produced each time. Without the seed, the generated codes are unpredictable, and the number of OTPs that can be generated is practically limitless.

The process of multi-factor authentication takes 3 steps:

  • Registration. You create an account on a website or app and, in addition to your login credentials, select a preferred method of additional authentication. You may use your phone number to receive authentication via text messages, get emails with the code, switch on biometrics, or use an authentication app. The exact method may vary depending on the platform’s permissions.

  • Authentication. As you log in to your account, you enter your login credentials first and are then prompted to enter your multi-factor authentication code. Use your selected means of authentication to access and input the code. Some apps allow you to autofill the code so that you don’t lose it before it resets.

  • Access. If the one-time code you entered matches the code the server expects, your login attempt is authenticated and you can access your account. If you log out, you must start the process over.
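The TOTP and HOTP mechanics described above, and the registration, authentication and access steps, as one added worked example (this is illustration code written for this post, not NordPass code). The `hotp` and `totp` functions follow RFC 4226 and RFC 6238; the `OtpAccount` class, its method names and the constant `SAMPLE_SEED` (the 20-byte ASCII seed from the RFC test vectors) are this example’s own assumptions, as is the choice of a ±1-step TOTP window and a 5-step HOTP look-ahead.

```python
"""Added worked example: HOTP/TOTP generation and server-side verification."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed sample seed: the 20-byte ASCII secret used by the RFC 4226/6238 test vectors.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose moving factor is the number of `step`-second intervals since the epoch."""
    now = int(time.time()) if at is None else at
    return hotp(seed, now // step, digits)


class OtpAccount:
    """Server-side record for one enrolled user: the shared seed plus moving-factor state.

    Registration stores the seed (the same seed is provisioned to the user's authenticator);
    authentication checks a submitted code; access is granted only when verify() returns True.
    """

    def __init__(self, seed: bytes, mode: str = "totp", digits: int = 6, step: int = 30):
        if mode not in ("totp", "hotp"):
            raise ValueError("mode must be 'totp' or 'hotp'")
        self.seed, self.mode, self.digits, self.step = seed, mode, digits, step
        self.counter = 0      # HOTP: next counter value the server expects
        self.last_step = -1   # TOTP: last accepted time step, so a captured code cannot be replayed

    def verify(self, code: str, now: Optional[int] = None, window: int = 1, look_ahead: int = 5) -> bool:
        if self.mode == "hotp":
            return self._verify_hotp(code, look_ahead)
        return self._verify_totp(code, now, window)

    def _verify_totp(self, code: str, now: Optional[int], window: int) -> bool:
        current = (int(time.time()) if now is None else now) // self.step
        # Tolerate small clock drift: accept the current step and `window` steps either side.
        for candidate in range(current - window, current + window + 1):
            if candidate <= self.last_step:
                continue  # this step (or an older one) was already consumed: reject replay
            expected = hotp(self.seed, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_step = candidate
                return True
        return False

    def _verify_hotp(self, code: str, look_ahead: int) -> bool:
        # The client may have advanced its counter without the server seeing it (e.g. a code
        # generated but never submitted), so search a bounded look-ahead and resynchronise.
        for candidate in range(self.counter, self.counter + look_ahead + 1):
            expected = hotp(self.seed, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1  # codes at or below the accepted counter are now dead
                return True
        return False


if __name__ == "__main__":
    # 1. Registration: server generates a seed and shares it once with the authenticator app.
    seed = secrets.token_bytes(20)
    account = OtpAccount(seed, mode="totp")
    # 2. Authentication: the app computes the current code; the user submits it after the password.
    submitted = totp(seed)
    # 3. Access: granted only if the code matches; the same code cannot be used a second time.
    print("first attempt:", account.verify(submitted))    # True
    print("replayed code:", account.verify(submitted))    # False
```

The replay check in `_verify_totp` is the part most often missing from home-grown implementations: a TOTP code is valid for the whole 30-second step, so a server that only compares digits will accept a code that was phished or shoulder-surfed seconds earlier. Recording the last accepted step closes that gap without affecting honest users.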


Types of MFA factors

Varying from platform to platform, a number of different factors are used to authenticate login attempts. The most common examples include the following.

What you know (knowledge factor)

The knowledge factor typically consists of a password, PIN, passphrase, or security questions whose answers are known only to the rightful account holder. For the knowledge factor to work correctly, the user must enter the correct information requested by the online application.

What you have (possession factor)

Before smartphones existed as MFA devices, people carried tokens to generate an OTP that would be entered as an authentication factor. These days, smartphones are the primary physical tools for generating OTPs, usually via authenticator apps. However, physical security keys are also available as a possession factor, often considered one of the most secure MFA options.

What you are (inherence factor)

Biometric data, such as fingerprints, facial features, retina scans, voice recognition, or other biometric information, can also be used for multi-factor authentication. Biometric authentication is gaining more traction by the day, as this method is frictionless when compared to other types of authentication.

Where you are (location factor)

Last but not least, location-based authentication checks the user’s IP address and geolocation. Users can whitelist certain geolocations and block others. If the login attempt comes from an unrecognized location, MFA blocks access to the account; if it comes from a recognized one, access is allowed.


Why is multi-factor authentication important?

As cybercrime continues to increase in frequency and sophistication, individuals and companies alike look for effective and simple ways to ensure the security of their online accounts. Passwords are no longer enough. In fact, considering how frequently weak passwords are the culprit of breaches and how susceptible to attacks the most common passwords in the world are, additional security measures are not just a recommendation but a necessity. Multi-factor authentication provides that extra layer of security that can make the difference between a secure account and a hacked one.

When bad actors steal passwords and usernames, they can easily gain unauthorized access to accounts and network systems. But with MFA security in place—whether it’s OTP, biometric authentication, or other means—having correct login credentials alone wouldn’t be enough to get into the account. All of that complicates things for attackers, as they would need access to smartphones or other authentication devices related to the user to execute their scheme successfully.

Given that around 68% of data breaches are related to human error in one way or another, adding MFA to your accounts can significantly improve your security. According to the 2024 Elastic Global Threat Report, brute-force techniques grew by 12%. But that’s not all. Security experts and researchers continue to see an increase in phishing attacks, which are usually at the top of the hacking funnel. As cybercrime continues to rise in prominence, MFA is quickly becoming a critical part of everyone's security, whether it's an individual or a large organization.

What’s the difference between MFA and two-factor authentication?

As the name suggests, the difference between two-factor authentication (2FA) and multi-factor authentication lies in the number of authentication factors required to authenticate a given user. Two-factor authentication requires exactly two authentication factors, whereas MFA requires two or more factors to work as intended. Essentially, you can think of multi-factor authentication as an umbrella term that includes 2FA as one of the options.

Multi-factor authentication examples

As already mentioned, multi-factor authentication involves two or more authentication factors that identify a given user. These factors include static and one-time passwords, PINs, passphrases, tokens, and biometrics like fingerprint recognition and face ID. By combining a range of these factors, you can build authentication sequences with different levels of security—but any combination can be stronger than using a single factor.

Usually, your login credentials—your username, account number, or email address and your password—are the first step in the authentication process. Once you provide this information, your login attempt is validated. However, if your login details are breached, anyone can use them to log in to the account and pretend to be you. There is no way of guaranteeing the person logging in is actually you, unless the platform checks to see if the IP matches your usual one—but this would fall under location authentication.

To truly prove it’s you logging in, you need to get the second factor in place. This can be a single-use code sent to you by text, the one-time password generated by your authentication app, or a pop-up on your phone requesting you to verify your fingerprint. For improved accessibility, you can also receive an automated call that uses text-to-speech to list the numbers of your verification code.

From here, you can take it up a notch and add another authentication method. For example, you can combine the one-time password with a biometric proof of identity. However, the principle of “less is more” still stands true—introducing too many authentication factors may negatively affect the overall user experience, making the process too burdensome. Imagine using a token as your second layer and biometrics as your third. If you forget or lose either of the two, you’re barred from accessing your account.

MFA benefits

We’re now familiar with the technical side of MFA and how it works to support data protection. Let’s take a minute to see the practical benefits of using multi-factor authentication to protect your personal and work-related credentials.

The number one advantage that MFA brings to the table is, naturally, enhanced security. Multi-factor authentication works hand in hand with strong passwords to ensure more robust account and app security. Switching on MFA makes it harder for bad actors to access accounts or system networks without accessing the authentication device.

While increased security is one of the biggest benefits of multi-factor authentication, it’s far from the only one. MFA can be crucial for regulatory compliance. Many cybersecurity policy guidelines list it as a necessity to meet appropriate data protection standards. For instance, the CIS Password Policy Guide has different standards for accounts that use a password only and those that have MFA mandated. Compliance adherence allows businesses to build stronger trust with customers as it shows they take precautions against cyber threats.

Of course, it should not be overlooked that multi-factor authentication is a user-friendly and convenient solution. It may seem counterintuitive at first, as it requires more steps than simply logging in. However, with features like autofill for one-time passwords or biometric authentication, the MFA process can take as little as a tap on the screen. Furthermore, passkeys are a type of multi-factor authentication that reduces login time by eliminating the password step altogether while maintaining a high level of security. They combine biometric verification with cryptographic keys, ensuring no one else can access your accounts without your authentication.

In the long term, setting up multi-factor authentication is a cost-effective strategy for businesses. With the average breach costing small and medium-sized businesses as much as $3.31 million, setting up company-wide MFA policies can help protect your organization’s reputation and stop the threats before they get to your doorstep. Thanks to its range, MFA can help future-proof businesses from emerging threats. For instance, users can opt for biometric authentication over one-time passwords and vice versa.

What types of multi-factor authentication does NordPass Business support?

Multi-factor authentication is tightly knit with password protection and is essential for businesses and individuals alike. So, it’s unsurprising that password managers aim to improve not just your credential storage but the way you handle MFA as well.

NordPass is a secure and intuitive password manager that’s purpose-built to facilitate smooth and secure management of passwords, passkeys, credit card details, and other sensitive information. It offers support for 3 types of multi-factor authentication:

  • An authenticator app

  • A security key

  • Backup codes

NordPass supports major authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy. However, it makes things easy for you by letting you generate and store your one-time passwords directly in your vault. NordPass Authenticator for Business allows you to set up two-factor codes alongside your passwords, eliminating the need for third-party authentication apps. You can also stay flexible, as NordPass will autofill your one-time passwords for you, whether you’re on your mobile device or desktop browser.

NordPass comes equipped with other security features that help you optimize your business credential security. With features like Password Health and Data Breach Scanner, you can ensure that all credentials used in your organization are strong and secure. Furthermore, you can set up a centralized Password Policy to enforce compliance with high security standards. Try NordPass today and see for yourself how it can help fortify your corporate security.
