{"id":51458,"date":"2021-06-10T15:18:12","date_gmt":"2021-06-10T19:18:12","guid":{"rendered":"https:\/\/live-jc-marketing-site.pantheonsite.io\/?p=51458"},"modified":"2023-06-14T12:45:04","modified_gmt":"2023-06-14T16:45:04","slug":"different-factors-of-multi-factor-authentication-mfa","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/different-factors-of-multi-factor-authentication-mfa","title":{"rendered":"What Are The Different Factors Of Multi-Factor Authentication (MFA)?"},"content":{"rendered":"\n

<p>It is an undeniable fact that users tend to be the weakest link in IT security, due to human imperfection and easily compromised credentials. In fact, credentials are involved in 61% of data breaches and they increase the cost of a data breach by 23%.<\/p>\n\n\n\n

<p>How can IT admins mitigate this risk? By implementing multi-factor authentication (MFA). MFA is an IT system\u2019s first defense against security breaches, and is the lowest-hanging fruit for organizations with little to no security protocols in place.<\/p>\n\n\n\n

<p>For a more detailed look at why you should use multiple factors for authentication, check out part one of this series, Multi-Factor Authentication: What Is It and Why Should You Use It? For part two, we will dive into the different types of factors you can use to develop an MFA protocol that works for your organization.<\/p>\n\n\n\n

<h2>What Is a Factor?<\/h2>\n\n\n\n

<p>In the context of identity and access management (IAM), a factor is simply a type of authentication used to confirm someone\u2019s identity. For example, when you log in to your email, you are providing an email address to establish your identity. Your password is then the factor used to authenticate your identity and grant you access to your inbox. The more factors layered onto a login process, the more robust the security\u2014although IT admins must also balance this with user experience.<\/p>\n\n\n\n\n


<h2>Three Most Common Types Of MFA Factors<\/h2>\n\n\n\n

<p>The most commonly used MFA factors fall into one of three categories:<\/p>\n\n\n\n

<ol>\n
<li><strong>Knowledge<\/strong>, aka <em>something you know<\/em>, such as a password or security question<\/li>\n\n\n\n
<li><strong>Possession<\/strong>, aka <em>something you have<\/em>, such as an SMS code or physical key<\/li>\n\n\n\n
<li><strong>Inherence<\/strong>, aka <em>something you are<\/em>, such as a fingerprint or face ID<\/li>\n<\/ol>\n\n\n\n

<p>Some would argue that there are a total of five categories of authentication factors, including <strong>Location<\/strong>, aka <em>somewhere you are<\/em>, and <strong>Behavior<\/strong>, aka <em>something you do<\/em>. Since these are less common forms of authentication\u2014and often less secure\u2014this article will focus on the three primary categories of MFA factors.<\/p>\n\n\n\n

<h2>Knowledge Factors Are The Least Secure Authentication Factors<\/h2>\n\n\n\n

<p>Password fatigue is real. In today\u2019s tech-driven society, every single one of us manages multiple devices and accounts. This means multiple passwords, PINs, and answers to security questions, which are all examples of knowledge factors. What\u2019s the easiest way to keep them all straight? Use the same ones across work and personal accounts.<\/p>\n\n\n\n

<p>The innate weakness of knowledge factors can be illustrated by this telling statistic: 91% of people understand the risk of reusing passwords, yet 61% still do it. The fear of forgetting \u201csomething you know\u201d drives behavior more heavily than the fear of a hypothetical security breach. This is why IT admins need to step in with additional authentication factors.<\/p>\n\n\n\n

<h2>Examples Of Possession Factors<\/h2>\n\n\n\n

<h3>Email & SMS Verification Codes<\/h3>\n\n\n\n

<p>Verification codes sent via text or email are arguably the most widespread form of authentication. Unfortunately, they are also the least secure of the possession factors because they can be intercepted by malicious players. Targeted attacks on mobile networks or email inboxes are easier to execute than we\u2019d like to think.<\/p>\n\n\n\n

<h3>Time-based, One-Time Passwords (TOTPs)<\/h3>\n\n\n\n

<p>TOTPs are similar in concept to email and SMS verification codes, but they are more secure in practice. This is for two reasons:<\/p>\n\n\n\n

<ol>\n
<li>the code is produced directly on a device in the user\u2019s possession; and<\/li>\n\n\n\n
<li>the code adheres to a strict time limit before expiring<\/li>\n<\/ol>\n\n\n\n

<p>With no third-party network involved and a very narrow time window, there is much less opportunity for a potential breach.<\/p>\n\n\n\n

<h3>Push Notifications<\/h3>\n\n\n\n

<p>Push notification factors are a more sophisticated version of TOTPs and can be easily implemented with mobile apps like JumpCloud Protect. Instead of inputting a time-sensitive code, the user just needs to accept the authentication request produced directly on their smartphone.<\/p>\n\n\n\n

<p>This factor is literally as easy as pressing a button and provides a better user experience than TOTPs. Additionally, push notification MFA incorporates another factor of security in a seamless way by requiring a user to authenticate to their phone with a PIN, fingerprint, or face ID.<\/p>\n\n\n\n

<h3>Hardware Keys<\/h3>\n\n\n\n

<p>Hardware MFA devices are a highly secure possession factor because they require the use of a physical piece of hardware. Hardware keys only pose a risk to security if they are lost or stolen from the user. Also known as universal second factor (U2F) keys, they can either be plugged directly into the user\u2019s login device for authentication, or be used to generate a unique code for a variation of a TOTP.<\/p>\n\n\n\n

<h2>Examples Of Inherence Factors<\/h2>\n\n\n\n

<h3>Physical Biometrics<\/h3>\n\n\n\n

<p>Unlike behavioral biometrics, physical biometrics cannot be changed by the user and are independent of any device. Physical biometric factors include:<\/p>\n\n\n\n