What is Multi-factor Authentication?
Multi-factor authentication (MFA), or two-factor authentication (2FA), secures an object (e.g. a system, application, or network) by requiring a user to present multiple factors to gain entry to it.
With MFA, users must present at least two different sources for authentication, drawn from something they know (e.g. username/password), something they have (e.g. a phone or physical key), or something they are (e.g. biometrics, such as a fingerprint). For the “two-factor” part of MFA/2FA, the user generally first presents their username/password credentials, then a second factor, often a Time-Based One-Time Password (TOTP) token, among others.
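To make the “something you have” factor concrete, here is an added example (not code from the original article or from JumpCloud) of how a TOTP token is generated and verified on the server side, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret, the 30-second time step, the six-digit length and the one-step tolerance window are assumptions chosen to match what common authenticator apps use; the constructed test secret is the ASCII string from the RFC appendices, so the codes it produces can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret that an authenticator app is enrolled with.

    Enrolment QR codes carry the secret in base32 (often unpadded); re-add
    padding so the standard decoder accepts it.
    """
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # SHA-1 is the RFC default
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def verify_totp(
    secret: bytes,
    candidate: str,
    at: int,
    step: int = 30,
    digits: int = 6,
    window: int = 1,
    last_used: int = -1,
) -> Optional[int]:
    """Check a user-supplied code against the expected values.

    Returns the matched time-step counter (so the caller can persist it as the
    new last_used value) or None if the code is rejected.  The window allows
    for clock drift between the server and the user's device; refusing any
    counter at or below last_used makes each code single-use within its step.
    """
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    counter = at // step
    matched: Optional[int] = None
    # Compare every counter in the window so timing does not reveal which one matched.
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            matched = c
    return matched


# Constructed test secret: the ASCII key "12345678901234567890" from the RFC appendices,
# shown here in the base32 form an authenticator app would receive.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = secret_from_base32(TEST_SECRET_B32)
    # Unix time 59 is the first RFC 6238 test vector (counter 1).
    print("code at t=59:", totp(key, 59))
    print("accepted:", verify_totp(key, totp(key, 59), 59))
    print("replay rejected:", verify_totp(key, totp(key, 59), 59, last_used=1))
```

The two properties a practitioner should notice are the constant-time comparison (so a wrong guess cannot be distinguished by response time) and the `last_used` counter, which prevents a code that was phished or shoulder-surfed from being replayed inside the same 30-second step.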
The first concept of a factored authentication system can be traced back to the Egyptians, who used a wooden pin lock to bar access to certain structures. When the key was inserted, pins hidden inside the fixture would lift out of drilled holes, allowing it to move. This is very similar to the current iteration of the lock and key, except it is now made with metals to be more durable.
By 1985, Kenneth Weiss, who founded Security Dynamics in 1984, invented and patented “an apparatus for the electronic generation and comparison of non-predictable codes.” His invention sparked the first concept of what came to be known as 2FA.
Smartphones have since made it possible for users to authenticate their identities from virtually any location. Although organizations originally used MFA for financial transactions, they’ve started to administer MFA for both customer and employee user identities to keep valuable information secure. The evolution of MFA has allowed for IT admins to keep sensitive data away from the encroaching threat of hackers.
MFA Facts & Figures
The main strength of MFA is that it prevents hackers from taking advantage of weak or stolen passwords. In 2015, Symantec found that 80 percent of data breaches could have been prevented if MFA had been enabled, but by 2017 only 45 percent of businesses were using it.
Plus, 95 percent of all web application attacks are made possible by weak or stolen user credentials, and 31 percent of targeted attacks are aimed at businesses with fewer than 250 employees. Additionally, a Clark School study at the University of Maryland found that, on average, there is a cyber attack every 39 seconds. What all of this boils down to is, no matter the scale of your business, you are at risk. Using just a password or identity-based questions does not provide adequate security for keeping hackers at bay.
Figure 1, courtesy of Google Security Blog
MFA also provides a level of security unmatched by typical practices like SMS codes or knowledge-based questions, which ask a user to recall individual-specific information. As shown in Figure 1, device-based challenges secure accounts better than knowledge-based ones, and only security keys block 100% of automated bots, bulk phishing attacks, and targeted attacks.
The Pros and Cons of MFA
- Protects sensitive information: Users are the number one risk point for a network, so MFA relieves user and IT admin anxiety by protecting data from falling into the hands of relentless hackers.
- Almost always secure: If a hacker has somehow acquired a user’s password to a system, they cannot gain access, as they do not have the token (which is in the user’s possession).
- Don’t lose sleep over lost devices: Device-based 2FA, especially when paired with full-disk encryption, ensures that a lost device does not mean your information is compromised.
- Blocked access: If you don’t have access to a TOTP generator and haven’t set up backup resources for authenticating, you cannot be granted access to a particular application or system. However, if you know you’ll be going somewhere without access to your mobile device, you can come prepared with a one-time recovery MFA code. It is recommended to store this recovery code in a safe and secure location until needed.
- Can be expensive: Traditionally, MFA can be quite expensive if an organization uses a solution that requires on-prem hardware and has to integrate with existing identity solutions.
- Time-consuming: The time needed to log in on your system and verify using a mobile device can be inconvenient.
- Inconsistencies: It is hard to implement MFA across an entire organization, as it is often left up to the users to fully implement it. IT admins may not always have insight into an organization’s use of MFA.
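The “blocked access” point above relies on one-time recovery codes. As an added example (not code from the original article or from JumpCloud), this is how a service can issue such codes and honour them exactly once: the plaintext is shown to the user a single time, only salted hashes are stored, and a redeemed code is removed so it cannot be reused. The code length (80 bits of randomness), the grouped display format and the per-user salt are assumptions; SHA-256 is sufficient here because the codes are random and long enough that a brute-force search over the hash is infeasible, unlike a user-chosen password.

```python
import hashlib
import hmac
import secrets
from typing import List

CODE_BYTES = 10   # 80 bits of entropy per code (assumption)
CODE_COUNT = 8    # codes issued per enrolment (assumption)


def generate_recovery_codes(count: int = CODE_COUNT) -> List[str]:
    """Create fresh random codes, formatted in groups for easy transcription."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)           # 20 hex characters
        codes.append("-".join(raw[i:i + 5] for i in range(0, len(raw), 5)))
    return codes


def normalise(code: str) -> str:
    """Accept the code however the user typed it (spaces, dashes, case)."""
    return "".join(ch for ch in code.lower() if ch in "0123456789abcdef")


def hash_code(code: str, user_salt: bytes) -> str:
    """Salted SHA-256 so stolen database contents do not reveal usable codes."""
    return hashlib.sha256(user_salt + normalise(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side record of a user's unused recovery codes (hashes only)."""

    def __init__(self, user_salt: bytes) -> None:
        self.salt = user_salt
        self.unused: List[str] = []

    def enroll(self) -> List[str]:
        """Issue a new set; returns the plaintext codes to display exactly once."""
        codes = generate_recovery_codes()
        self.unused = [hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, submitted: str) -> bool:
        """Consume one code: True if it was valid and unused, False otherwise."""
        candidate = hash_code(submitted, self.salt)
        match = None
        # Check every stored hash so timing does not depend on which one matches.
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.unused.remove(match)          # single use: gone once redeemed
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    store = RecoveryCodeStore(user_salt=secrets.token_bytes(16))
    issued = store.enroll()
    print("show these to the user once:", issued)
    print("first use accepted:", store.redeem(issued[0]))
    print("second use rejected:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

A store like this also gives IT admins the visibility the “inconsistencies” point above asks for: when `remaining()` drops to one or two, the user can be prompted to regenerate a set before they are locked out.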
MFA takes out the stress of wondering whether your current password is secure while still providing a solution that does not rely solely on one device for authentication. Although some forms of MFA can be costly, and mobile MFA always requires a working device, it prevents the vast majority of malicious attacks, ensuring that users and systems remain much more secure. That means IT admins no longer have to rely entirely on password management for keeping a company’s infrastructure safe.
Implementing MFA from the Cloud
Need help implementing MFA across your organization? We can help. JumpCloud’s Directory-as-a-Service® (DaaS) enables IT professionals to administer MFA across virtually all systems, networks, applications, and more. JumpCloud MFA protects IT resources while also being simple to use for both users and IT admins.