What is multi-factor authentication?

October 7, 2020

Multi-factor authentication has become the most significant front line of defense when it comes to protecting sensitive information. “Today’s identity best practice is to rely on multi-factor authentication falling into 3 main categories: something you have, something you know, and something you are” says Mitek Chief Technology Officer Stephen Ritter discussing digital identity proofing standards widely adopted and used by industry specialists.

Defined, authentication is the first step to providing customer access. Multi-factor authentication (MFA) is simply the process of using two or more factors to authenticate their identity. Although two-factor authentication has become the status quo, most businesses are adjusting their security measures to include three factors of authentication (or more). With hacking continually on the rise, it's more important than ever to implement extra layers of security for business, employees, and customers using two or three of these MFA factors:

  1. Knowledge – something you know
  2. Possession – something you have
  3. Inherence – something you are

We'll explain what each factor is, why it's important, and how it can be implemented to enhance security measures. Read on for more.

Why is multi-factor authentication necessary for my business?  

A password is a good start, but it's not nearly enough to protect stakeholders from scammers. Single passwords can be infiltrated in many ways, from brute force attacks to social engineering and pharming schemes. In fact, an audit of Microsoft's system found over 300 million daily fraudulent sign-in attempts.  

Hackers today desperately want to steal accounts, identities, and money, and have a lot of useful tools to do so like ‘deepfakes’ or ‘synthetic identities'. Multi-factor authentication provides optimal security for both organizations and customers. It can even reduce odds of being compromised up to 99%.

Businesses that use MFA stand apart from the countless others that only offer one layer of security. Although it may seem inconvenient, multi-factor authentication is a high-quality value add. And more often than not consumers don’t mind the extra friction, especially when recent data shows they increasingly want to interact with secure companies.

Important to understand verification vs. authentication in digital onboarding 

Verification - the process to determine whether or not a person is real or fake. For purposes of digital channels, it is the attempt to verify a user’s identity. Today, it is primarily used at the time of onboarding since it is important to prevent fraudsters from getting access to a platform and/or business at the outset. At the beginning of the verification stage, the identity of the individual is unknown and has to answer questions along the lines of “Who are you? Are you real?”

Authentication – though this word has varying definitions based on applications, in both digital onboarding and channels, it starts with the user already having gone through the verification step, they’ve already set up an account, and now they want to access a profile or service. This “request to access” results in the requirement to invoke one or more of the three MFA factors to establish a known identity.

What are the three factors included in multi-factor authentication?

1. Knowledge - something you know  

The first and most common authentication factor is knowledge – something you know. This can be a password, username, or PIN number. Most (if not all) security strategies include this basic factor. Important to note that despite its wide adoption, knowledge-based authentication is the easiest for hackers to figure out, steal, or even buy on the dark web.

Best practice for knowledge multi-factor authentication: use strong passwords and educate customers

A Verizon study found that 81% of hacking-related breaches used either stolen or weak passwords. For this reason, best practice is to encourage strong, unique passwords.  

Inform stakeholders to use a mix of upper case, lower case, numbers, and special characters. Passwords should be 15 characters or more and put into a context that is memorable for the user. Do not use words found in a dictionary, as several attackers use dictionary terms (in multiple languages) when scanning databases.  

Lastly, educate customers on avoiding a password spray attack. Approximately 73% of passwords are duplicates, which makes users vulnerable to being hacked across multiple platforms. Scammers could even breach entire companies by infiltrating a few duplicate passwords. And if customers are apprehensive or unwilling to adhere to security steps, recent data from PYMNTS + Mitek shows that explaining security efforts will make a customer more likely to follow through with the added security friction in onboarding.

A strong, long, and unique password will provide basic security against sensitive information being accessed without user authority. However, no matter how diligent businesses customers are, this first level of authentication can still be easily broken by criminals. This is where multi-factor authentication solutions come into play.  

2. Possession - something you have  

Possession is the second type of authentication. This factor includes anything that is generated by a business and provided to the user for security reasons. There are a few common types of possession authentication:

Identity document – most online users today have a government issued identity-document. In fact, this is one of the most secure MFA factors given the tools and expertise required to make a fraudulent document that passes both eye and artificial intelligence examinations. 

“Government issued identity documents are the gold-standard in physical identity verification and strong authentication,” says Mitek’s Ritter. “When you transition this trusted 'something you have' method into a digital channel and combine it with a strong 'something you are' method using facial biometrics, companies can onboard more good customers with higher assurance.”

Smart cards - Smart cards or ID cards are embedded with a certificate to identify the user. Most smart cards have the same shape and texture as credit cards, so they are easy to store and carry around. Users can simply scan the card through a reader to authenticate their identity. Smart cards are often paired with PIN numbers, which layers in the first factor of authentication. 

One-time password tokens - Tokens are devices that display a number that is then synchronized with a server. The number on the token changes frequently and the server is always aware of the current number. If the correct number is input, the server will grant access to the user.  

One-time passwords can also be provided through smartphone apps. A code is sent to the user's device and can only be used once to authenticate their identity. Most one-time password methods are typically paired with another factor, such as a password or username.  

Authentication codes - Similar to one-time passwords, authentication (or verification codes) are sent through SMS or email to provide multiple layers of security. Tools like Google Authenticator are commonly used for two-factor authentication, pairing a knowledge factor with an instant code.  

Best practice for possession multi-factor authentication: use near field communication technology

Near-field communication (NFC) is a short-range wireless connectivity technology that lets NFC-enabled devices communicate and share encrypted data with each other, securely.

Similar to smart-cards, NFC technology is becoming widely adopted in areas like retail point of sales systems and mobile payments, where users can transfer information between devices quickly and easily with a single touch of a mobile device. 

In more secure applications, governments have begun to issue identity-documents embedded with chips that can be used with NFC technology in order to thwart fakes and fraudulent IDs. How it works: the ID chip contains all of the data from an ID document like address, identity characteristics, and the identity photo. When scanned with an NFC-enabled device, technology pairings like artificial intelligence and computer vision can be used for comparative purposes - AI cross-references the data on the chip data, and flags any inconsistencies or issues between the data and what's on the physical document.

The benefits? In a mobile and contactless world, companies adding NFC technology can lower costs for onboarding and reverification, in turn creating scalability needed for large scale adoption by users that want, think and act “mobile first.” By adding a possession-based authentication factor to security standards like NFC, companies build an extra wall between stakeholders and fraudsters in digital and physical worlds. 

3. Inherence - something you are  

Inherence is the third and most up-and-coming authentication factor. This method uses biometrics to identify users. Common uses include fingerprints, hand geometry, retinal or iris scans, palm vein scans, handwriting, and voice analysis.

Fingerprints have become the most popular inherence method because they are unique to each individual. From smartphones to laptops and even USB drives, fingerprints provide an easy and convenient way for users to access their information.  

Best practice for inherence multi-factor authentication: always pair with other factors  

Some experts have pointed out the possible downfalls of biometrics. Fingerprints can easily be lifted from random objects and since all forms of biometrics are difficult (or impossible) to change, they are vulnerable once breached

For this reason, inherence should be paired with at least two other authentication factors. Once the biometric data is received by the server, it will attempt to match it with the stored data from another factor, like a password or smart card scan. 

Mitek has written about the advantages and disadvantages of biometrics – read this blog to learn more!

Make multi-factor authentication the standard  

Many professionals believe that three-factor authentication should be the standard for businesses that hold large amounts of sensitive information. It's even likely that up to four or five factors could become the norm as hackers develop their skills.  

The current best practice is to ensure security protocols include all three levels of multi-factor authentication: Something users know (like a password or PIN); something users have (like a hand-held token or card); and something users are identified by based on their biological makeup.  

With an increasing number of authentication factors in the market, it's easier for businesses to create a seamless user experience that quickly verifies and authenticates users while fighting fraud. And the final best practice? Creating an environment of trust and loyalty for all parties involved is always good for business.