What is multi-factor authentication (MFA) - and why is it so important?
by Tina Siering
Why a simple password is no longer sufficient
The number of cyber attacks has increased significantly in recent years. In particular, attackers go after access credentials through phishing or social engineering with above-average frequency. It is not only weak passwords that end up in the hands of cybercriminals. Rather, any password on any page on the web, in your email program, or even in the supposedly secure environment of your banking app can fall into the wrong hands. According to the latest Data Breach Investigations Report, stolen credentials are used in more than 60 percent of all security incidents. Stolen credentials are sold at high margins in relevant forums - so grabbing passwords is doubly profitable for hackers.
What is multi-factor authentication?
Multi-factor authentication (MFA) requires two or more credentials to gain access to a system as a user or to verify a transaction. The factors used can be based on either a physical entity (such as cell phones or smart cards), biometric characteristics, or even "secret" knowledge. The characteristic feature of the factors is that they always function independently of each other. The following combinations, among others, are currently common and are requested as part of MFA:
- Password + passcode, sent to the smartphone
- PIN + proof of identity, for example via a chip card
- Password + security question
- Identity card + iris scan
The most popular type of MFA: two-factor authentication
The combination of two credentials in two-factor authentication is probably the best-known form of authentication, especially in the private sector. 2FA, as the procedure is abbreviated, is used for online banking, logging on to Web services, accessing networks, and also for access authorization in sensitive areas. With 2FA, authentication is performed using a combination of password and push TAN, PIN and identification card, or password and security question. The widespread use of 2FA is due to its good usability, which secures logging into protected areas without requiring too much additional effort.
Why does multi-factor authentication work so reliably?
Passwords can be intercepted or stolen quite easily. The situation is different with credentials that are either physically in the user's possession, that only the user knows, or that are even part of the user's biometrics. Multi-factor authentication adds factors to the login process that can be described as follows:
Secret factors
The simplest protection in the area of MFA is "secret knowledge", which is supposed to be known only to the user. Personal questions (e.g., "What is your mother's maiden name?") are used to ensure that the person requesting access to a protected area is actually authorized to do so. The "secret factors" are considered the least secure factors, as they can be guessed or compromised by attackers.
Physical factors
These factors are comparatively difficult to compromise because they consist of items that only the user has in their possession. Physical factors can be, for example, smartcards, smartphones or key fobs with a chip.
Biometric factors
The most secure factor category is physical identifiers that can be assigned to exactly one person. Well-known examples are the fingerprint scan and the iris scan. Voice or facial recognition is also used.
The more options that are combined, the more secure the logon procedure.
MFA without agents or proxies: Unified Identity Protection makes it possible.
For reliable protection across all resources, in both multi-cloud and on-premises environments, a novel approach is used that fundamentally changes the traditional multi-factor authentication architecture. Whereas with conventional MFA, the agent for verification resides directly on devices, the Unified Identity Protection solution uses direct communication - known as identity and access management. As soon as a user requests access to a resource, he or she is verified in a real-time quick check. After successful authentication, the user's access request is forwarded to the Unified Protection platform. Here, an AI-based risk engine analyzes the context of the access request and automatically sorts it into a predefined access policy. If the risk is suspected to be high, the AI increases the authentication requirements - and prompts the user for MFA, for example. If the user completes the MFA challenge correctly, access to the resource is allowed by Unified Identity Protection. If, on the other hand, the MFA challenge is not completed, access for the corresponding user can be completely blocked immediately. The advantage of the new procedure is that MFA can be easily extended to all resources that are linked to identity and access management.
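The decision flow described above, sketched as an added example (not code from the vendor or the product): a simple rule-based score stands in for the AI-based risk engine, and the signal names, weights and threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed signals and weights; the page does not say what the real engine evaluates.
WEIGHTS = {"new_device": 40, "unusual_location": 30,
           "off_hours": 10, "sensitive_resource": 30}
STEP_UP_AT = 50  # assumed threshold: at or above this score, MFA is required


@dataclass
class AccessRequest:
    user: str
    resource: str
    primary_auth_ok: bool            # result of the initial real-time check
    signals: frozenset = frozenset()  # context observed for this request


class StepUpPolicy:
    def __init__(self):
        self.blocked = set()  # users blocked after a failed MFA challenge

    def score(self, req):
        # Signals without an assumed weight contribute nothing to the score.
        return sum(WEIGHTS.get(s, 0) for s in req.signals)

    def decide(self, req, mfa_passed=None):
        """Return 'deny', 'block', 'allow' or 'mfa_required'.
        mfa_passed stays None until the user has answered a challenge."""
        if not req.primary_auth_ok:
            return "deny"            # never reaches the risk engine
        if req.user in self.blocked:
            return "block"           # a block also covers later low-risk requests
        if self.score(req) < STEP_UP_AT:
            return "allow"
        if mfa_passed is None:
            return "mfa_required"    # high risk: raise the authentication requirement
        if mfa_passed:
            return "allow"
        self.blocked.add(req.user)   # failed challenge: block the user
        return "block"


def demo():
    # Constructed sample requests for one user.
    policy = StepUpPolicy()
    routine = AccessRequest("alice", "wiki", True, frozenset({"off_hours"}))
    risky = AccessRequest("alice", "payroll-db", True,
                          frozenset({"new_device", "sensitive_resource"}))
    return [policy.decide(routine), policy.decide(risky),
            policy.decide(risky, mfa_passed=False), policy.decide(routine)]


if __name__ == "__main__":
    print(demo())
```

The last call in `demo()` shows the point that is easy to miss: once a challenge has failed, a routine low-risk request from the same user is blocked too, so releasing the block has to be a separate, deliberate step.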
The advantages and disadvantages of multi-factor authentication
MFA reliably stops one of the biggest cyber threat scenarios - the theft of passwords and thus identities. Even if cyber criminals get hold of a password (and this is easier today than ever before), that password is useless without additional authentication. With MFA, it is comparatively easy to protect even those applications that are regularly used by people who are not very tech-savvy - think of online banking, e-mails or logging into personal areas of online stores. MFA also increases security in the corporate environment. If sensitive areas within a company are protected by multiple factors, unauthorized access is made even more difficult.
As helpful as multi-factor authentication is, it does not come without its drawbacks. This is because the added security represents a noticeable restriction in usability. Particularly when multiple factors have to be used to gain access to a protected area, the login process becomes more time-consuming for the user. In addition, if even one of the factors is lost (for example, if a smartphone is misplaced or the identity card is defective), access is no longer possible.
Conclusion on the subject of multi-factor authentication
The days when a simple password was enough for reliable protection on the Net are definitely over. Hackers worldwide are targeting identity theft, and the trade in stolen passwords is flourishing in relevant forums. Multi-factor authentication puts a reliable stop to password theft. The combination of two or more individual factors for an access authorization may seem impractical, but it significantly increases cybersecurity and the protection of personal data. Whether it's security questions, biometric features or physical factors like a smartphone, there are a few ways to increase security. MFA is complemented by the novel Unified Identity Protection - a security solution that is extremely scalable and also suitable for multi-cloud areas.