MFA - Multi Factor Authentication
What is it?
MFA, or Multi-Factor Authentication, is a security process that requires users to provide two or more verification factors to gain access to a system, application, or account. It adds an extra layer of protection beyond just a username and password, making it significantly harder for unauthorised users to gain access – even if they have stolen login credentials.
Here's how it works:
MFA is based on the idea of combining different types of authentication factors. These typically fall into three categories:
Something you know
- A password, PIN, or answer to a security question.
Something you have
- A smartphone, security token, smart card, or hardware key (like a YubiKey).
Something you are
- Biometrics such as fingerprints, facial recognition, or voice patterns.
To authenticate, a user must present at least two of these factors, drawn from different categories. For example, a user logs in with a password (something you know) and then enters a code sent to their phone (something you have).
Benefits of MFA:
- Stronger security: Even if a password is compromised, the attacker still needs the second factor.
- Reduces identity theft: Makes it harder for cybercriminals to impersonate users.
- Protects sensitive data: Especially important for financial, healthcare, and enterprise systems.
- Compliance: Helps organisations meet regulatory requirements like GDPR, HIPAA, and PCI-DSS.
Common MFA methods:
- SMS or email codes: A one-time code sent to your phone or email.
- Authenticator apps: Apps like Google Authenticator or Microsoft Authenticator generate time-based codes.
- Push notifications: A prompt sent to your mobile device asking you to approve or deny a login attempt.
- Biometric verification: Fingerprint or facial recognition used on smartphones or secure systems.
- Hardware tokens: Physical devices that generate or store authentication codes.
Challenges and considerations:
- User convenience: MFA can add friction to the login process, which may frustrate users if not implemented smoothly.
- Device dependency: Losing access to your phone or token can lock you out of your account.
- Phishing risks: Sophisticated phishing attacks can still trick users into revealing MFA codes.
- Cost and complexity: Implementing MFA across an organisation may require investment in tools and training.