What is 2FA and MFA?

Hand increasing the protection level by turning a knob
(Image credit: Shutterstock)

If you use any type of hardware, such as a smartphone, computer or laptop, a username or email address and password can keep your accounts and personal information relatively safe. The same can be said if you spend any amount of time online, but the need for more robust security measures has become more obvious in recent years. Cybercriminals, especially hackers can compromise user accounts in various ways, and our information isn’t always as safe as we’d like to think. 

Two-factor authentication (as opposed to two-step verification) is one of the simplest and most effective strategies for improving account security. And, while 2FA utilization has increased dramatically over the past few years, it’s still far from universal. There’s another option too, in the shape of Multi-Factor Authentication, or MFA. In this article, we’ll explain how both two-factor authentication and multi-factor authentication work and why they both provide you with an excellent way of protecting your data.

How does two-factor authentication work? 

As the name implies, two-factor authentication introduces a second layer of security to the login process. A username/email address and password are considered a single factor when considered together. This is because usernames and email addresses are often available to others, so the password is the only thing securing the account.

The idea behind two-factor authentication is that it’s far more difficult to compromise both factors than either one individually. For example, your debit card acts as a single factor when withdrawing from an ATM. Asking for a separate PIN number substantially reduces the risk of fraudulent withdrawals—even if someone steals your card, they will still need to identify your PIN in order to get any cash.

Of course, part of what makes two-factor authentication effective is that the factors can’t be compromised in the same way. It wouldn’t be helpful for ATMs to require you to insert your driver’s license along with your debit card if you keep both cards in the same wallet.

Two-factor authentication is therefore described as the combination of two of three elements: something you have (such as your debit card or smartphone), something you know (such as your PIN or password), and something you are (such as a fingerprint or facial scan). Passwords are usually the first factor for online accounts, so the second factor is typically either something the user has or something they are.

With that in mind, 2FA solutions often rely on a second device to authenticate access on the first. For example, when logging into an account on a computer, the platform might send you a text to verify the login attempt. Someone would have to find out your password and steal your smartphone in order to access the account.

How effective is two-factor authentication? 

Do note that while a 2FA system is one of the most powerful methods of increasing your online security, it can’t completely eliminate risks. There are several notable ways that a determined attacker could bypass two-factor authentication in order to access your data. 

For example, some users have been targeted by phishing attempts in which the attacker simulates the website they’re trying to access. One of the most common phishing tactics involves sending a false security breach notification in order to create a sense of urgency and make the recipient less wary of potential scams. 

In another well-known attacking technique, scammers forward the target’s information to the legitimate site and use it to generate cookies that will allow them to access the account on their own device. The combination of Muraena and NecroBrowser, two popular phishing tools, makes this strategy accessible to almost any user. 

Two-factor authentication can also be vulnerable in cases where the user doesn’t have access to the second factor. Traditional account recovery systems simply provide a new password or password reset link, but this practice also gives attackers an opportunity to get around 2FA security. 

Of course, this isn’t to say that two-factor authentication is useless or isn’t worth implementing in your business. It’s simply important to note that 2FA isn’t foolproof on its own—it should always be considered one aspect of a broader approach to corporate security.

How can I start using 2FA? 

Two-factor authentication options are now available on a wide range of websites, authenticator apps, and other services. While there are a few standard providers, such as Duo and Authy, different platforms often have their own 2FA policies. 

Facebook, Twitter, and LinkedIn are among the most popular social media sites that make it easy for users to set up two-factor authentication on their accounts. Two-factor authentication is even more common in business settings. 

Many business services now offer 2FA, some even giving admins the option to require it for all accounts in the organization. These are just a few platforms that currently provide support for two-factor authentication: Google, Slack, Facebook, Twitter, Instagram, Microsoft, Apple, Dropbox. 

Duo and Google Authenticator are two accessible options for businesses that want to start using 2FA. Both apps are designed to be used with a variety of services. Duo also provides single sign-on for additional security and enables team admins to control permissions for every user in the organization.

How does Multi-Factor Authentication work?

So, those are the benefits of 2FA and it’s easy to see the appeal. Moving on to Multi-Factor Authentication, or MFA, however, takes things up a notch or two on the security scale. This is an even beefier security technology that calls upon multiple methods of authentication, using a selection of several different categories of credentials in order to make a login attempt successful. 

What you effectively get with the MFA log-in process is a multi-layered procedure, which calls on more conventional tools, such as a password, but will also require the user to have a valid security token. On top of that, a user signing-in to their account will also need to be able to complete biometric verification. 

Using biometrics to assist during a log-in in process adds a much more complex layer of security protection to accounts. It will call on things that are unique to each individual user such as fingerprints, facial recognition or Iris scanning.

What are the benefits of MFA?

Having a multi-layered defence system in place for users is obviously a step up from conventional username and password arrangements. What’s more, with additional hurdles to get through the MFA process is much more secure than using 2FA, simply because the process is more involved. At the same time, the process for signing in using MFA is actually pretty straightforward for authorised users to navigate. 

The major benefit of MFA is that it means cyber-attacks are much less easy to pull off, because if just one piece of the authentication puzzle doesn’t fit, access will be denied. That means it’s a great option for covering a variety of sign-in scenarios, such as accessing a computing device, logging into a secure database or even gaining access to a physical location like a place of work.

What are the core ingredients of MFA?

Any organisation wishing to using MFA will invariably need to request a series of steps from users wishing to log in. This normally encompasses three things, with the first being something the user knows, the second being something they possess and the third being something they are. A successful MFA process works by ticking off a combination of at least two of these standards. 

In other words, a user trying to gain access to an account with be called on to provide knowledge-based information, such as a personal security question. This can include anything such as a password, a PIN number or a one-time use password. The second step will require the user to provide proof of something in their possession, which could be a security badge, token or similar item that is tangible. 

The third step in the MFA jigsaw can be something biological that the user can confirm their identity with. This is where biometrics comes into play, with the option for users to supply a fingerprint scan, a retina or iris scan, use voice authentication or complete a facial recognition test. In fact, biometrics can now include a wide array of unique processes, from analyzing the geometry of everything from hands through to earlobes. 

A further layer of the authentication procedure can also come by identifying the user’s location, which can commonly be determined from their smartphone. In fact, using someone’s location as another means of cross-checking they are both who they are and where they are supposed to be can prove vital in ensuring that access isn’t being attempted by cybercriminals from a remote location.

Is MFA the ultimate answer?

As with any security-based solution, the evolution of multi-factor authentication is gradual and being improved all the time. However, it is still seen as being one of the best ways of ensuring user accounts remain locked down and only accessed by those who are authorised. The great thing about MFA is how it adds several layers of security to an array of sign-in steps, calling on hardware, software and unique personal information in order to be completed. 

Using MFA is certainly much more secure than relying on a conventional username and password arrangement; a setup that has proved to be increasingly inadequate in fending off hackers. Another big benefit is that MFA can be set up by anyone who needs to use it without too much trouble, while also allowing companies to manage access levels and pin them down to specific dates, times or indeed locations. 

Calling on the power of MFA can be highly cost-effective too, which will be of obvious interest to businesses keen to keep close tabs on their security, infrastructure and IT expenditure.

Conclusion

Two-factor authentication plays a critical role in security for businesses, schools, and other organizations around the world, and it’s easy to see why it’s so popular. Setting up 2FA makes it substantially more difficult for attackers to compromise accounts and sensitive information, without requiring users to invest in any additional hardware. 

While businesses shouldn’t treat two-factor authentication as a complete solution, it’s one of the simplest ways to immediately improve security. Phishing and other threats are more prevalent than ever, and 2FA will give your company that much more protection against attacks. 

However, businesses and organisations now have the added attraction of multi-factor authentication to consider. It’s certainly got a lot going for it, although there are some potential downsides. For example, someone wanting to gain access to a system, service or location will need to have their phone to hand in order to receive a message code as part of the process. 

There’s also the biometric aspect of MFA, which isn’t always effective when scanning hardware doesn’t produce the correct result. This can happen during fingerprint or iris scanning, when a result might not be as it should. And, with a multiple step procedure needed to complete the process, systems need to be up and running in order to allow all of the parts of the jigsaw to be put in place. MFA is complex and that can sometimes work against it. Nevertheless, it is currently one of the most effective ways of keeping accounts secure, even if the steps involved in the process need to be constantly improved and updated in order to stay ahead of cybercriminals.

We've listed the best business VPN.

Rob Clymo

Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.

TOPICS