multifactor authentication (MFA)

Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. Multifactor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification).

The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. In the past, MFA systems typically relied upon two-factor authentication. Increasingly, vendors are using the label "multifactor" to describe any authentication scheme that requires more than one identity credential. Strictly, though, the credentials must come from different categories: a password plus a security question is two knowledge factors, not two-factor authentication, because a phished or leaked answer falls to the same attack as the password.


One of the biggest problems with a traditional user ID and password login is the need to maintain a password database. Whether the passwords are stored in plaintext, encrypted or hashed, a copy of that database lets an attacker verify guesses offline, at speeds limited only by the attacker's hardware rather than by any lockout or rate limit the login form enforces. Given enough time, the weak passwords in a captured database will fall; the storage scheme only decides how many guesses per second the attacker gets.

As CPU processing speeds have increased, brute force attacks have become a real threat. Further developments like GPGPU password cracking and rainbow tables have provided similar advantages for attackers. GPGPU cracking, for example, can produce more than 500,000,000 passwords per second, even on lower-end gaming hardware. Depending on the particular software, rainbow tables can be used to crack 14-character alphanumeric passwords in about 160 seconds; note that rainbow tables only apply to unsalted hashes, since a per-user salt defeats the precomputation. Purpose-built FPGA cards, like those used by security agencies, now offer ten times that performance at a minuscule fraction of GPU power draw. A password database alone doesn't stand a chance against such methods when it is a real target of interest.
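To make the offline-attack point concrete, here is an added example (not code from the original page). It constructs a small credential table of the kind an attacker might exfiltrate, stores each password both as unsalted MD5 and as salted PBKDF2-HMAC-SHA256, and runs the same dictionary attack against both. The user names, passwords, wordlist and iteration count are all constructed for the demo.

```python
import hashlib
import os

# Added example (not code from the original page). It builds a constructed credential
# table the way an attacker might capture it, then runs the same offline dictionary
# attack against two storage schemes: unsalted MD5 and salted PBKDF2-HMAC-SHA256.

PBKDF2_ITERS = 20_000  # deliberately low so the demo finishes quickly; real deployments use far more

# Constructed wordlist; a real attacker's would hold billions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2015", "hunter2", "welcome1"]


def md5_unsalted(password: str) -> str:
    """The weak setting: same password, same hash, for every user and every site."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERS) -> str:
    """The stronger setting: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_captured_db() -> dict:
    """Constructed 'captured' table: two weak passwords, one strong one.
    Each user gets a fresh random salt, as they must."""
    creds = {"alice": "Summer2015", "bob": "letmein", "carol": "T7#qL!vZ9p@wR2"}
    db = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        db[user] = {"md5": md5_unsalted(pw), "salt": salt, "pbkdf2": pbkdf2(pw, salt)}
    return db


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Without salts one hash per guess serves every user: hash the wordlist once into a
    lookup table (rainbow tables push this precomputation much further) and match all
    stored hashes against it. Returns (recovered passwords, hash computations spent)."""
    table = {md5_unsalted(guess): guess for guess in wordlist}
    found = {user: table[rec["md5"]] for user, rec in db.items() if rec["md5"] in table}
    return found, len(wordlist)


def crack_salted(db: dict, wordlist: list) -> tuple:
    """With per-user salts every guess must be recomputed for every user, and each
    computation costs PBKDF2_ITERS iterations instead of one MD5 block."""
    found, work = {}, 0
    for user, rec in db.items():
        for guess in wordlist:
            work += 1
            if pbkdf2(guess, rec["salt"]) == rec["pbkdf2"]:
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    db = build_captured_db()
    weak_found, weak_work = crack_unsalted(db, WORDLIST)
    strong_found, strong_work = crack_salted(db, WORDLIST)
    print("unsalted MD5 :", weak_found, "after", weak_work, "MD5 computations")
    print("salted PBKDF2:", strong_found, "after", strong_work,
          "PBKDF2 computations of", PBKDF2_ITERS, "iterations each")
    # The same weak passwords fall either way; what changes is the attacker's cost per
    # guess per user. MFA exists because some passwords will fall regardless.
```

The two weak passwords are recovered under both schemes; the difference is that the unsalted table is broken with a single pass over the wordlist that serves every user, while the salted, iterated scheme forces a full pass per user at thousands of hash iterations per guess. Neither protects a user who chose "letmein", which is the gap a second factor closes.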

Authentication factors

An authentication factor is a category of credential used for identity verification. For MFA, each additional factor is intended to increase the assurance that an entity involved in some kind of communication or requesting access to some system is who, or what, they are declared to be. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor) and something you are (the inherence factor).


Knowledge factors – something only the user should know. The most common form is a password or PIN; knowledge-based authentication (KBA) instead asks for the answer to a secret question, which is weaker because the answers are often guessable or discoverable from public records and social media.

Possession factors - a user must have something specific in their possession in order to log in, such as a security token, a key fob, or a phone’s SIM card. For mobile authentication, a smartphone often provides the possession factor, in conjunction with an OTP app.

Inherence factors – biological traits of the user that are confirmed at login. This category covers the range of biometric authentication methods.

Location factors – the user’s current location is often suggested as a fourth factor for authentication. Again, the ubiquity of smartphones can help ease the authentication burden here: users typically carry their phones and most smartphones have a GPS receiver, which gives reasonable confidence about where the login is coming from. Because a device can misreport its own position and IP geolocation is coarse, location is usually consumed as a risk signal that triggers a step-up challenge rather than as a factor that can satisfy a login on its own.

Time factors – the current time is also sometimes considered a fourth factor for authentication, or a fifth when location is counted. Verifying employee IDs against work schedules could prevent some kinds of user account hijacking. Combined with location, time gives the "impossible travel" check: a bank customer can't physically use their ATM card in America and then in Russia 15 minutes later. These kinds of logical locks could prevent many cases of online bank fraud.
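The location and time checks above are usually implemented together as a detection rule rather than as a login factor. The following is an added example (not code from the original page) that runs an impossible-travel check and a work-schedule check over a handful of constructed login events. The speed threshold, the minimum distance used to ignore geolocation jitter, the user names and the work-hours table are all assumptions chosen for the demo; the city coordinates are real.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Added example, not code from the original page. It implements the "America, then
# Russia 15 minutes later" check from the text as an impossible-travel detector over
# constructed login events, plus the work-schedule check the text mentions.

# Constructed sample events (user, UTC timestamp, latitude, longitude, label).
# Coordinates are real city centres; the logins themselves are invented.
EVENTS = [
    ("dave", "2015-03-01T09:00:00Z", 40.7128, -74.0060, "New York"),
    ("dave", "2015-03-01T09:15:00Z", 55.7558, 37.6173, "Moscow"),
    ("erin", "2015-03-01T08:00:00Z", 51.5074, -0.1278, "London"),
    ("erin", "2015-03-01T10:30:00Z", 48.8566, 2.3522, "Paris"),
    ("frank", "2015-03-01T03:00:00Z", 37.7749, -122.4194, "San Francisco"),
]

MAX_KMH = 1000.0   # assumption: nothing a person rides is much faster than an airliner
MIN_KM = 50.0      # assumption: ignore jitter inside one metro area (GPS / IP geolocation noise)
WORK_HOURS_UTC = {"frank": (13, 22)}   # assumption: frank works 13:00-22:00 UTC; others unrestricted
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return alerts for consecutive logins by the same user that would require
    travelling faster than max_kmh. Events may arrive out of order, so they are sorted.
    A zero time delta over a real distance is reported as infinite speed, not a crash."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, label in events:
        by_user[user].append((parse_ts(ts), lat, lon, label))
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for (t1, la1, lo1, l1), (t2, la2, lo2, l2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            kmh = math.inf if hours == 0 else km / hours
            if kmh > max_kmh:
                alerts.append({"user": user, "from": l1, "to": l2, "km": round(km),
                               "minutes": round(hours * 60),
                               "kmh": kmh if math.isinf(kmh) else round(kmh)})
    return alerts


def outside_schedule(events, schedule=WORK_HOURS_UTC):
    """Flag logins that fall outside a user's configured working hours (UTC)."""
    out = []
    for user, ts, _lat, _lon, label in events:
        if user in schedule:
            start, end = schedule[user]
            hour = parse_ts(ts).hour
            if not (start <= hour < end):
                out.append({"user": user, "time": ts, "where": label})
    return out


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print("impossible travel:", a)
    for o in outside_schedule(EVENTS):
        print("outside schedule:", o)
```

Only dave's New York to Moscow pair trips the travel rule (roughly 7,500 km in 15 minutes); erin's London to Paris logins two and a half hours apart are well within airline speed. In production the alert would feed a step-up prompt or a session revocation, and the thresholds would be tuned against the organisation's own travel patterns.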

Multifactor authentication technologies

Typical MFA scenarios include:

  • Swiping a card and entering a PIN.
  • Logging into a website and being requested to enter an additional one-time password (OTP) that the website's authentication server sends to the requester's phone or email address.
  • Downloading a VPN client with a valid digital certificate and logging into the VPN before being granted access to a network.
  • Swiping a card, scanning a fingerprint and answering a security question.
  • Attaching a USB hardware token to a desktop that generates a one-time passcode and using the one-time passcode to log into a VPN client.

The technologies required to support these scenarios include the following:

Security tokens: Small hardware devices that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in an easily-carried object such as a key fob or USB drive. Hardware tokens provide the possession factor for multifactor authentication. Software-based tokens are becoming more common than hardware devices.

Soft tokens: Software-based security token applications that generate a one-time passcode, usually time-based (TOTP, RFC 6238) or counter-based (HOTP, RFC 4226) from a secret seed shared at enrollment. Soft tokens are often used for multifactor mobile authentication, in which the device itself – such as a smartphone – provides the possession factor.

Mobile authentication: Variations include SMS messages and phone calls sent to a user as an out-of-band method, smartphone OTP apps, and SIM cards and smartcards with stored authentication data. SMS and voice are the weakest of these: the code travels over the carrier network and can be intercepted or redirected by a SIM swap, so they are best treated as a fallback rather than as the primary second factor.

Biometrics: Components of biometric devices include a reader, a database and software to convert the scanned biometric data into a standardized digital format and to compare match points of the observed data with stored data.

GPS: Smartphone apps with GPS can provide location as an authentication factor.
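The soft tokens and OTP key fobs above almost all run the same two algorithms, so here is an added example (not code from the original page or from any vendor's app) implementing HOTP (RFC 4226) and TOTP (RFC 6238) in a few lines, together with the server-side verification step that the client-side generator usually hides: a small drift window, a constant-time compare, and rejection of any counter at or below the last one accepted, so a code sniffed from an SMS or a shoulder-surfed display cannot be replayed. The seed used in the usage block is the RFC 6238 test seed; the window size and step are the RFC defaults.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not code from the original page or any vendor's app. It implements
# HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms behind most soft tokens and
# OTP key fobs, plus a server-side verify with a drift window and replay protection.


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits, algo)


def secret_from_base32(shared: str) -> bytes:
    """Authenticator apps exchange the seed as base32 (as in otpauth:// URIs)."""
    cleaned = shared.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, at: float = None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = None):
    """Server-side check. Accepts the code for the current step or up to `window` steps
    either side (clock drift), compares in constant time, and refuses any counter at or
    below the last accepted one so a captured code cannot be replayed within the window.
    Returns (accepted, counter_used); the caller must persist counter_used per user."""
    if at is None:
        at = time.time()
    now = int(at // step)
    for delta in range(-window, window + 1):
        counter = now + delta
        if last_counter is not None and counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, str(code)):
            return True, counter
    return False, None


if __name__ == "__main__":
    # RFC 6238 test seed (ASCII "12345678901234567890"), shown as an app would enroll it.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(seed)
    print("current code:", code)
    ok, used = verify_totp(seed, code)
    print("accepted:", ok, "counter:", used)
    # A second submission of the same code is a replay and must fail.
    print("replay accepted:", verify_totp(seed, code, last_counter=used)[0])
```

The drift window is the trade-off to watch: every extra step either side widens the set of codes an attacker can guess or replay, so one step of tolerance plus a persisted last-used counter is the usual setting, with a separate rate limit on failed attempts.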

The past, present and future of multifactor authentication

In the United States, interest in multifactor authentication has been driven by regulations such as the Federal Financial Institutions Examination Council (FFIEC) directive calling for multifactor authentication for Internet banking transactions.

This was last updated in March 2015


Join the conversation



It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”. Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with biometrics operated without passwords altogether. Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y); that is, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.
Very interesting response. From what I gather, your example of the iPhone is suggesting how you have access to both a biometric and a knowledge factor. In this case the probability of being hacked has increased since the two are working in parallel instead of in series.
What are some of the drawbacks of multifactor authentication?
Implementing such a system is quite expensive and I guess not many institutions are ready to undertake such change. Today, most banking customers access their banks using mobile phones which makes it even more difficult for banks. For instance, if I needed to access my bank account, I would be required to submit some kind of security token. There is also a risk of vulnerability from unwanted programs that could actually pose more security issues.
The biggest issue to me is having to deal with the fact that I may not have my phone with me at all times. Dealing with multi-factor authentication at that point can become tedious. It's interesting to see biometric devices becoming prevalent finally (I worked on a touch sensor for identification purposes twelve years ago, and they have come a long way since then).
Business need
Identifying the proper business instance and need for MFA. Not all authentication instances would need MFA.
Identifying the appropriate factor (tokens, cards, biometrics); one size does not fit all.
Is the additional cost incurred adding value to the business? An important question to answer while planning for MFA.
I recently ran into a situation where my phone was damaged and would not turn on. The warranty service required that I create an account, which made use of multifactor authentication by sending a text message containing a verification code to my phone. We can all see where this is going…
MFA authentication can be achieved using an Office 365-compatible hardware token such as the SafeID token, which ensures a low-cost physical device is present with the user when they go through their authentication process. A hardware token such as this can be attached to a keyring, and being low power consumption, the batteries will last for years.

You could also consider using a biometric authentication solution to enhance security (although these tend to work out more expensive).

Thanks for sharing your insights Margaret, I will add on. The easiest way to implement 2FA is to use SMS, in which you receive a text with an access code every time you try to sign in to a secure account. While certainly better than nothing, getting your 2FA from text messages has many potential drawbacks.

Sometimes it also becomes difficult to use a cell phone while you are travelling somewhere, or even more difficult when you don't have any access to your cellphone.

It is a method of authentication through which access to the computer system is granted after the successful verification of two or more factors/steps. Generally, the multifactor authentication mechanism consists of two- or three-factor authentication.