
Which authentication method is better: 2FA or MFA?

Which authentication method is better for securing enterprise devices and systems: two-factor authentication or multifactor authentication?

What's the difference between two-factor authentication and multifactor authentication? I've seen both terms used, but the specifics are still a bit unclear. What's the better option in terms of securing devices and systems?

Both approaches go beyond a simple username/password check to verify who is logging in, but they differ in how they do it. Two-factor authentication (2FA) uses a single authentication step in which the user presents two credentials from two different factor categories: something the user knows (a password or PIN) plus either something the user has (an organization-issued hardware token, a smart card or a registered phone) or something the user is (a biometric such as a fingerprint, a retinal scan or a voiceprint). A login name on its own is not a factor; it only identifies the account being claimed. For example, when I log onto my workstation it prompts me for my login name and password, then for the number showing on the hardware token I carry on my person. If both match what is stored for my account, I can access my files.

Multifactor authentication (MFA) can include both 2FA and non-2FA credentials, but its distinguishing feature is that it is a multistep authentication process. Using the same example, when I log onto my workstation it prompts me for my login name and password, then for the number showing on my hardware token, and then for a number texted to my mobile phone. If everything entered matches my login data, I can access my files. In practice, rather than combining several true second factors, MFA deployments more often pair a simple username and password with a code texted to a mobile phone, or with some other non-2FA challenge: answers to secret questions, typing in text garbled on an image, picking an image the user selected in an earlier session, or entering additional account information. Note that several of these add steps without adding a factor category: secret questions and account details are just more things the user knows, and a garbled-image test (a CAPTCHA) proves only that a human is present, not which human. A text-message code does count as something the user has, namely the phone, but it is a weaker possession factor than a hardware token, because the message can be intercepted or redirected if an attacker takes over the phone number.

When both are built from something you know plus something you have (or are), MFA and 2FA are on even footing in terms of security; what matters is the factors, not the number of prompts. The difference shows up when MFA stacks challenges within a single category. Answers to secret questions and extra account details are easier for attackers to discover or guess, thanks to social media, data breaches and the trail of information left by connected devices, so a password plus secret questions is little stronger than a password alone, and a true 2FA scheme is considered more secure than that kind of MFA. The bigger practical question when deciding between 2FA and MFA, though, is which is more easily supported by your applications and infrastructure. If the applications you wish to protect support only one or the other, the answer is clear: use the one supported. If they support both, 2FA is the preferred method, since the user performs one authentication event rather than several. If they support neither, it might be necessary to recode the application. Regardless of which method you choose, both will require changes to the registration process, and end users will need to be trained on how to use the new authentication method and how to get help should they run into an issue logging in.
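To make the "number showing on my hard token" concrete, here is an added example (not code from the original column) of the server side of a single-step, two-factor login: a password checked against a stored PBKDF2 hash (something you know) and a time-based one-time password (TOTP, RFC 6238, the HOTP construction of RFC 4226 keyed by time) checked against the secret shared with the token (something you have). The user record, the `make_user` and `verify_login` helpers, the salt handling and the iteration count are constructed for illustration. It also shows two details a real verifier needs that the description above glosses over: a one-step window for clock drift between token and server, and a guard so the same code cannot be replayed within its 30-second step.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
# dynamic truncation to `digits` decimal digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10**digits).zfill(digits)


# RFC 6238 TOTP: HOTP with the counter derived from Unix time / time step.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1, digits: int = 6):
    """Return the time-step counter the code matched, or None if it is invalid.

    `window` is the number of steps of clock drift tolerated in each direction.
    compare_digest keeps the comparison time independent of which digits match.
    """
    for drift in range(-window, window + 1):
        counter = unix_time // step + drift
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), code.encode()):
            return counter
    return None


PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


def make_user(username: str, password: str, token_secret: bytes) -> dict:
    """Constructed user record: salted password hash plus the token's shared secret.

    `token_secret` is the same secret provisioned into the hardware or app token.
    `last_counter` remembers the most recent accepted TOTP step for replay protection.
    """
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"username": username, "salt": salt, "pw_hash": pw_hash,
            "token_secret": token_secret, "last_counter": -1}


def verify_login(user: dict, password: str, code: str, unix_time: int) -> tuple:
    """One authentication event that checks two factors from two categories.

    Returns (True, "ok") or (False, reason). Both factors are always evaluated,
    and a single failure message is returned, so the response does not reveal
    which factor was wrong.
    """
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
    counter = verify_totp(user["token_secret"], code, unix_time)
    if not password_ok or counter is None:
        return False, "invalid credentials"
    if counter <= user["last_counter"]:
        return False, "one-time code already used"
    user["last_counter"] = counter  # a code is accepted at most once per step
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret and a made-up password.
    demo_secret = b"12345678901234567890"
    alice = make_user("alice", "correct horse battery staple", demo_secret)
    now = 59  # seconds since the Unix epoch; step 1 in RFC 6238's test vectors
    print(verify_login(alice, "correct horse battery staple", totp(demo_secret, now), now))
    print(verify_login(alice, "correct horse battery staple", totp(demo_secret, now), now))
```

The replay guard is what makes the possession factor mean "has the token right now" rather than "saw one code once": a code shoulder-surfed or phished a few seconds earlier is rejected once the legitimate login has consumed that step. Widening `window` buys tolerance for drifting token clocks at the cost of a larger set of valid codes per attempt, so it should stay at one or two steps and be paired with rate limiting on failed attempts.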


Next Steps

Check out the best way to secure cloud credentials and this buyer's guide to multifactor authentication products

This was last published in August 2015


Join the conversation

2 comments

The problem with the term "Multi-Factor Authentication" is that it can be and was interpreted as a strong authentication method for compliance adherence. Since MFA was not clearly defined for regulatory compliance, it allowed such methods as secret questions to pass as strong authentication. True two-factor (strong) authentication by definition must use 2 out of 3 factors: what you know, what you have or what you are. Many organizations used the loose interpretation of MFA to deploy multiple challenges in a single factor category - what you know - where username, password and secret questions were deployed as "strong" authentication.
True two-factor authentication should be clearly defined as two of the three factors so that the intent of the regulations for strong authentication is not weakened by the loosely defined term "Multi-Factor Authentication".
Now that FIDO is available, it makes two-factor authentication much less expensive and far more convenient for the users, so there should be no excuses for companies that try to deploy the bare minimum to save money yet leave their most important business assets exposed to weak authentication methods.