
What is Multifactor Authentication?

Published on May 26, 2025

Quick Answer: Multi-factor authentication is a digital security mechanism that proves your identity through several methods at once. Generally, multifactor authentication includes a password in addition to a token (such as a text or email code) or biometrics. 

From Keepass to Windows Authenticator, “MFA,” or Multi-Factor Authentication, is increasingly intruding on our daily lives. What is this, and, more importantly, how does it work? 

To understand why MFA is such a big buzzword, you have to understand the development of security a bit more deeply. Authentication is, generally, the act of proving that you are supposed to have access to a place or thing or, more strictly, that you are who you say you are.

Multifactor authentication is a digital evolution of authentication. 

What is MFA and How Does It Work? 

Multi-factor authentication uses at least two different methods to verify, or authenticate, someone's identity. For example, if you log into your banking account using Face ID, the bank knows you have your phone (a physical item) and verifies your identity with biometrics (your face).

Using two forms of authentication increases security—and reduces the chances that someone might get into your bank account without your knowledge. 

Most of the time, these factors are proved at the same time, or you simply don't see the authorization portion of the equation. (802.1X networks, for example, do it transparently to the user; it's all on the back end.) Security and authentication generally come in a few typical flavors:

  • Something you have (token)
  • Something you know (password)
  • Something you are (biometrics)
  • Less often, somewhere you are (temporal or location)

So Why Use Multifactor Authentication?

The simple answer is “math.” Passwords are easy to steal—people leave them on sticky notes, under keyboards, or on their desks. A huge issue is also complexity versus usability. Almost everyone will reuse the same password or versions of it across platforms, which obviously undermines their security. 

After twenty or thirty years of trying to encourage people to use unique passwords and failing to change human behavior, people started to look for other options. (The CBT Nuggets CompTIA Security+ course goes into the history and application a bit more.)

If you can't make someone use the ideal password but still want to make it harder to impersonate them, you obviously need something beyond "something you know" to pair with it. The odds of someone stealing your token and knowing your password are much lower. The odds of an attacker doing both and also faking your biometrics are so low that it's statistically improbable unless you're in the most desirable and sensitive environments.

Examples of Multi-Factor Authentication

Interestingly, some of the first uses of this were actually in the gaming space. Famously, the World of Warcraft and Blizzard games used a temporal key generator token that was synced up with a database to prevent people from stealing accounts just based on usernames and passwords. 

The best example of MFA goes back to the humble key. It's something you have: possessing it shows, more or less, that you are the designated user of that lock, whether on a house or a car. This is always something physical. In the governmental space or offices, these are often keycards, which are also keyed to a specific identity.

Other common examples in the workplace include phone-based tokens like Duo or Microsoft Authenticator that provide you with a unique code, often from your cell phone. 

Knowledge-Based Factors

The standard password or those irritating “What’s your favorite X” questions are examples of the 'what you know' portion of MFA. This should ideally be something that only you know—the fun thing is that this is sometimes implicit in security as well. 

Think about knowing the correct cloud portal URL for an application, or the door of a speakeasy during American Prohibition: if you knew how to get in, you also knew where it was. (Fingerprinting is the threat actor's version of this; for more on threats and threat surface, check out CBT Nuggets White Hat Hacking.)


Biometric Factors

This MFA factor is something physical about you, such as your face or your fingerprint. It is much harder to fake than the other two. Movies made this popular with iris scans and cool-looking lasers. These days, “biometrics” is the proper word, and it’s used incredibly often; think about using your face or fingerprint to open your phone.

Location-based Factors

The last portion, some type of geofencing, is used somewhat implicitly. It can be as simple as allowing only specific computers (like the one in your office building) to access an application or as complex as disallowing IP ranges registered to a country or using a GPS fix to allow or deny the first step of a process.

Disadvantages of MFA

MFA is an excellent security tool, but it should be noted that not everything requires the same level of security. There’s always a tradeoff between usability and security. The more secure something is, the harder it is to use. 

MFA should typically be used only as a gate, with a set term during which you do not need to re-authorize. If your security is too burdensome, users will attempt to disable or circumvent it, which can lead to larger security holes.

Accessing every file, for example, should not bring up a new prompt; only initial access and periodic re-checks should. If more individualized permissions are required, consider using passwords for specific files or using RBAC (role-based access control) instead.

How is MFA Managed?

Typically, MFA is more imperceptible to the user than we think. As mentioned previously, it can even be implicit in some cases. A common way to do this is to gate some things locally before accessing the next challenge. 

A good example here is how companies and the government do it: You have to insert your card into some manner of reader before you do anything. In this case, you’re submitting your token (something you have) before the local device allows you to carry on to the actual thing you’re entering your password to. This may or may not pass on more complex data from said token along with your password. 

These systems are simple because they treat the credential check as a gate: the computer or entry device determines whether the credential is valid without reaching out to anything else or allowing any access whatsoever. This keeps the reader distinct from the rest of the systems and reduces the attack surface for a malicious actor.

Another option is validating them at the same time; 802.1X often does this. Your device itself will somewhat autonomously submit the credentials for who it is while you submit your password or token, etc. This can be a MAC address, a stored certificate, etc. 

It is all behind the scenes and not modifiable by you; the computer itself is acting as a token. (For more about 802.1X, consider the CBT Nuggets Wireless Security course.) 802.1X passes this on to an authenticator system that compares both (or all) of these credentials against a data store, and if they do not all match both the "correct" values and the correct identity for those values, it returns a failure.
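As an added example (not from the original post), the binding point above in Python: a constructed identity store where each user is tied to one device credential and one password hash. The naive verifier accepts any enrolled device alongside a valid password; the correct one requires both factors to belong to the same identity, which is what "the correct identity for these values" means in practice. The users, passwords and certificate fingerprints are all made up for the example.

```python
import hashlib
import hmac
import os


# Constructed identity store (no real users, passwords or certificates).
# In an 802.1X deployment the device credential would be the machine's
# certificate or MAC address and the store would be the RADIUS/directory backend.
def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _record(password: str, device_fp: str) -> dict:
    salt = os.urandom(16)                         # per-user salt
    return {"salt": salt, "pw": _pw_hash(password, salt), "device_fp": device_fp}


USERS = {
    "alice": _record("correct horse", "cert:a1b2c3d4"),   # constructed values
    "bob":   _record("battery staple", "cert:e5f6a7b8"),
}
KNOWN_DEVICES = {rec["device_fp"] for rec in USERS.values()}


def naive_authenticate(user: str, password: str, device_fp: str) -> bool:
    """WRONG: checks each factor independently. Any enrolled device passes,
    so one stolen password plus any company laptop is enough to get in."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"]))
    return pw_ok and device_fp in KNOWN_DEVICES


def authenticate(user: str, password: str, device_fp: str) -> bool:
    """Both factors must be correct AND bound to the same identity. Both are
    evaluated before deciding, and the caller gets a single yes/no, so the
    response does not say which factor was wrong."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"]))
    device_ok = hmac.compare_digest(rec["device_fp"], device_fp)
    return pw_ok and device_ok


if __name__ == "__main__":
    # Alice's password presented from Bob's (enrolled) machine:
    print("naive:", naive_authenticate("alice", "correct horse", "cert:e5f6a7b8"))
    print("bound:", authenticate("alice", "correct horse", "cert:e5f6a7b8"))
```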

Conclusion

MFA is increasingly part of public life, whether at a bank, at work or while playing video games. It behooves us to learn to work with and not against it, and for IT and networking folks, how to support it. Knowing how it’s structured and how to support MFA is becoming less of an option and more of a responsibility. 

Keep in mind that there is always a trade-off. The more secure your system is, the harder it is to use. Too burdensome, and you won’t see adoption; too easy, and your threat surface is much too large. Use it wisely!

Want to learn more about online security? Check out CBT Nuggets cybersecurity training courses.