
MFA

Multi-factor authentication (MFA) is a security procedure that requires a user to combine several independent verification methods to gain access to a system, application, or online service. It adds an additional layer of protection to traditional login methods that typically use only a username and password. The goal of MFA is to prevent unauthorized access to user accounts and sensitive data, even if a password has been compromised.

The three categories of authentication factors

MFA uses authentication factors from at least two of the following categories:

  1. Knowledge: Something only the user knows.
    • Examples: passwords, PINs, security questions.
  2. Possession: Something only the user has.
    • Examples: A physical token (such as a smart card or USB security key), a smartphone with an authentication app (e.g. Google Authenticator), a one-time password (OTP) received via SMS or email.
  3. Inherence: Something that the user is (biometric characteristics).
    • Examples: Fingerprints, facial recognition, iris or retina scan, voiceprint.

A typical example of MFA is the combination of a password (knowledge) and a one-time password (OTP) sent to the user's smartphone via SMS or generated by an authentication app (possession).

How does MFA work?

  1. First factor - knowledge: The user enters their username and password, as with a normal authentication method.

  2. Second factor - possession or inherence: After successfully entering the password, a second verification method is requested. This can be a one-time code sent to the smartphone or a request to perform a fingerprint scan.

Without access to this second factor, the attacker cannot authenticate even if they have stolen the password.

Why is MFA important?

  • Security against password theft: Even if a password is stolen or compromised (e.g. through phishing, brute force attacks or data leaks), an attacker cannot gain access to the account without the second factor.

  • Prevention of automated attacks: MFA makes credential stuffing and password spraying far less effective, because a matching password alone no longer yields a login; the attacker would also need the second factor for every account.

  • Protection against phishing: Attackers can steal credentials via phishing emails, but the stolen password alone is useless if a second factor is required. Note that one-time codes (SMS, email, TOTP) can themselves be phished and relayed to the real service within their validity window, so only factors bound to the genuine site, such as FIDO2/WebAuthn security keys, fully stop phishing.

Examples of MFA in practice

  1. Banking and financial services: Many banks require an SMS TAN or a push notification in an app for transactions in addition to a password.
  2. Corporate networks: Companies use MFA to ensure that employees access sensitive systems not only with passwords, but also with security keys or biometric data.
  3. Email accounts: Services such as Google or Microsoft offer MFA options where a one-time code must be entered via an app (e.g. Google Authenticator) after the password.
  4. Social media: Platforms such as Facebook and Twitter allow users to enable MFA so that in addition to the password, a code sent via SMS must also be entered.

Methods for implementing MFA

  1. SMS or email-based one-time codes:
    • A code is sent to the user's phone number or email address, which they must enter when logging in.
    • Advantages: Widely used and easy to implement.
    • Disadvantages: SMS can be intercepted or redirected (e.g. through SIM swapping), and a code typed into a phishing page can be relayed to the real service before it expires.
  2. Authenticator apps (TOTP):
    • Apps like Google Authenticator or Microsoft Authenticator generate time-based one-time passwords (TOTP) on the user's device from a shared secret and the current time, so no code has to be transmitted to the user.
    • Advantages: More secure than SMS because the secret never leaves the device and there is no dependency on the cellular network or the phone number.
    • Disadvantages: If the device is lost, the user may no longer have access to the app unless backup codes or a second enrolled device exist; like SMS codes, TOTP codes can be phished and relayed in real time.
  3. Hardware security keys (e.g. YubiKey):
    • Physical devices that act as security keys and are connected to the computer or smartphone via USB, NFC or Bluetooth.
    • Advantages: Very secure because physical possession is required; with FIDO2/WebAuthn the key signs a challenge bound to the website's origin, so a phishing site cannot obtain a usable response.
    • Disadvantages: Costly and inconvenient if the key is lost, so a backup key should be enrolled as well.
  4. Biometric verification:
    • Fingerprints, facial recognition or other biometric data are used as a second authentication method.
    • Advantages: Convenient and difficult to forge.
    • Disadvantages: Biometric data can be copied or forged in some scenarios, and unlike a password it cannot be changed once compromised.
  5. Push notifications:
    • The user receives a push notification on their smartphone to confirm or reject a login.
    • Advantages: User-friendly and more secure than SMS.
    • Disadvantages: Requires a smartphone with the corresponding app; an attacker who already has the password can send repeated prompts until the user approves one by mistake, so the app should show the login's origin and require the user to enter a number displayed on the login screen.

Conclusion

Multi-factor authentication (MFA) provides additional protection against most credential-based attacks on user accounts. It significantly improves security by not relying on passwords alone but adding a second or even third authentication factor; methods bound to the genuine site, such as hardware security keys, give the strongest protection. Companies and end users should use MFA, especially for critical accounts or sensitive data.
