
Buyer's Handbook:

Multifactor authentication methods, use cases and products


Exploring multifactor authentication benefits and technology

Take a look at multifactor authentication benefits and methods, as well as how the technologies have evolved from key fobs to smartphones, mobile devices and the cloud.

Multifactor authentication, or MFA, is an IT security method that requires an individual to present two or more authentication factors to confirm their identity for online transactions or to gain access to corporate applications, networks and servers. Multifactor authentication benefits include tighter security and protection of user identities against phishing scams.

The goal of multifactor authentication methods is to increase the difficulty for an adversary to exploit the login process and roam freely around personal or corporate networks and compromise computers to steal confidential information -- or worse.

The three most commonly used authentication factors are:

  • the knowledge factor: Something only the user knows -- such as a username and password, a PIN or answers to security questions;
  • the possession factor: Something the user has -- such as a smartphone, one-time passcode or smart card; and
  • the inherence or biometric factor: Something unique to the user -- biometrics, such as a fingerprint, iris scan or voice recognition -- that proves the user's identity.

Multifactor authentication combines two or all of these factors.

MFA tokens: From key fobs to mobile apps

Hardware tokens, one of the oldest multifactor authentication methods, are still in use today. A hardware token often comes in the shape of a key fob that displays a randomly generated, one-time password.

When a user presses the button on the key fob, the screen displays a sequence of numbers, typically for 30 to 60 seconds. Users must then accurately type this transient passcode sequence into the application or resource they are attempting to access before it expires.

The passcode generated by the key fob is checked against a server located on the enterprise network to ensure that the two values match. This server runs the identity management processes, enforces the various security policies and ties the tokens to the user directory stores, such as Active Directory, or to an authentication service such as RADIUS.

If the number sequence matches the generated passcode, the user is granted access. If not, he or she must start over by once again pressing the button on the key fob to generate a new passcode.

This technology has significant downsides, which is why traditional key fobs have fallen out of favor. Keeping track of hardware tokens is cumbersome, and a user may not have the required token on hand when out of the office. Companies also face the added burden of having to deactivate key fobs for ex-employees or for users who lost their key fobs.

What is the answer to these problems? Mobile tokens and biometric authentication.

Various mobile apps function like hardware tokens and generate one-time passwords, helping to alleviate the above issues.

Additional second factors enabled by smartphones and other mobile devices include using SMS texts, emails and cameras to scan QR codes that display on webpages when users are trying to sign into applications or perform transactions.

Now that many device makers have added fingerprint sensors and cameras sensitive enough to scan irises to their devices, organizations can choose biometrics as one of the factors for multifactor authentication. Biometric authentication relies on a user's unique biological characteristics, such as a fingerprint or iris scan, to grant access to an application or other resource. The biggest benefit of biometric authentication is that users don't have to spend time entering long passcodes or PINs.

However, a biometric cannot be changed the way a PIN or passcode can. If a biometric is compromised, there is no way to replace it, leaving the company and the user vulnerable.

The growing appeal of multifactor authentication

As passwords have become less secure, the use of multifactor tools has spread from IT staff to just about everyone in the enterprise, especially those who have access to personal information.

In addition, with the proliferation of SaaS-based web services and the number of reused passwords, multifactor authentication methods have become more important, and they now appeal to small and midsize businesses, as well. Another of the multifactor authentication benefits is that the likes of Facebook, LinkedIn, Twitter, Google, Apple and numerous other vendors have adopted these tools to secure their own applications.

If enterprises haven't started using and supporting multifactor tools yet, they'll find it takes some effort to configure and deploy. The tools have many moving parts, and enterprises will need specialists from different parts of their IT organizations to coordinate and configure their infrastructures and get protected logins working properly.

The most important of these multifactor authentication benefits is that the tools have become somewhat easier to manage, although they still require some integration effort. To that point, some of these products include software agents that can protect virtual private networks, SharePoint servers, the Outlook Web App and database servers, for example.

Finally, many providers have moved their traditional hardware-based, on-site multifactor servers into the cloud. Most multifactor authentication vendors offer both options, and many of their customers are choosing off-site deployments thanks to the flexibility the cloud offers in terms of support and management.

The cost of multifactor authentication

The typical cost to deploy a multifactor authentication platform is a few dollars per month, per token. However, this can add up to tens of thousands of dollars per year for companies that have a lot of users and tokens.

Complicating the picture is that each vendor calculates the bottom-line price differently. Pricing options might include quantity discounts, multiyear price breaks and 24/7 support fees. Some vendors charge on a per-token basis -- with differing rates for hard or soft tokens -- while others charge on a per-user or per-server basis. Other vendors offer added components or integration layers for an additional price.

Overall, multifactor authentication tools are worth the hassle, especially as the number of password exploits continues to rise. Businesses need better ways to protect user login information beyond the simple username and password combination.

The combination of a robust multifactor authentication product landscape and user awareness of the importance of strong authentication means the time is right for enterprises to consider multifactor authentication and its benefits.

Linda Rosencrance contributed to this report.

This was last published in January 2019


What multifactor authentication method does your company utilize, and why?
It is time to make a step forward and leverage a device identity model. The user's collection of devices can provide the redundancy and security that is necessary. In addition, most modern devices have hardware token capability built in with a TPM or TEE.
Two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password. Using a strong password does help a lot even against the attack of cracking stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses. At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.