MFA 101

In 2021, over 22 billion records were exposed to publicly disclosed data breaches. Once on the dark web, these records provide fraudsters with the details they need to attempt identity-based attacks on businesses.

Darktrace found that in the U.S. retail sector alone, credential theft, spoofing, and password stuffing attacks accounted for over 170% more of all observed cyber incidents in 2022 compared to 2021. According to Imperva, “Last year, Imperva recorded a staggering 148% increase in Account Takeover attacks, as reported in the 2022 Bad Bot Report.” Security.org found that 60% of account takeover victims used the same password as the compromised account across multiple accounts.

Multi-factor authentication (MFA) is a security approach that can help avoid weak employee and customer authentication that can lead to data breaches. MFA also protects against attacks on customer accounts resulting from exposed records.

Instead of requiring a single factor, such as a password, for authentication, MFA requires two or more factors to verify that the person trying to access sensitive data or an account is truly the employee or customer they claim to be.

What Is Multi-Factor Authentication?

Multi-factor authentication grants users access to online accounts, data, websites, applications, or platforms only after the user presents multiple factors – and after those factors have been authenticated. Users establish the factors they will use for access during the onboarding process after they have gone through the identity verification or proofing that confirms they are who they claim to be.

A common example of multi-factor authentication is when an employee attempts to access their work account using a password; after entering the password, the employee is then asked to confirm (authenticate) their login attempt using an authenticator application on their mobile phone, which they unlock using a fingerprint (biometric factor).

This example increases security by using several different types of factors:

• A password – something the user knows (known as KBA, or knowledge-based authentication).
• A mobile phone – something the user has (known as device- or possession-based authentication).
• A fingerprint – something the user is (known as a biometric factor or physical authentication).

Should I Get MFA?

Passwords are the weakest form of authentication today. They’re easily stolen in data breaches, too often incorporate personal details that fraudsters can easily figure out, reused across multiple accounts, and simple to compromise with automated tools.

The Verizon 2022 Data Breach Investigations Report found that 81% of hacking-related data breaches can be attributed to weak or stolen credentials. According to the NordPass Top 200 Most Common Passwords list, the three most commonly used passwords in 2022 could each be cracked in under one second. Google has found that 66% of Americans use the same password for more than one online account and that only 45% would change their password after an online data breach.

Multi-factor authentication strengthens security by creating layers of defense by adding other factors on top of passwords or bypassing them altogether. If one factor is compromised, the other factors can keep the fraudster from accessing the account or data.

In a September 2, 2021, press briefing, Anne Neuberger, the U.S. Deputy National Security Advisor for Cyber and Emerging Technologies, said, “Last week President Biden hosted key executives from technology companies…And a number of those executives pointed to multi-factor authentication as preventing 80 to 90 percent of cyberattacks.”

MFA Examples

By combining different types of credentials, multi-factor authentication creates a strong defense against fraud and offers a convenient user experience. Commonly used factors include:

Things Users Know

Known as KBA (knowledge-based authentication), this category encompasses passwords and answers to security questions, like “What is your mother’s maiden name?” or “What is the name of the street you lived on growing up?” These factors are based on the idea that the password or answers to security questions are things known only by the genuine user. But passwords are common targets of data breaches, and much personal information is readily available to hackers on the web, making knowledge-based factors the weakest types available.

Things Users Are

This category includes biometric factors like fingerprints, facial scans, voice prints, iris and retina scans, and user behavior, like keystrokes, typing speed, and gait. Because they are physical or behavioral traits intrinsic to the user, biometrics are very difficult to steal or duplicate. As hackers attempt to circumvent biometrics with deepfakes and other increasingly sophisticated presentation attack techniques, liveness detection, and other technologies are becoming more critical to holding the defensive line.

Things Users Have

Device- or possession-based factors include mobile phones, security keys, authenticator applications, Smart Cards, authentication hardware, and software tokens and certificates. The theory behind these types of factors is that the user and the fraudster cannot both possess any given factor. The rise in SIM swapping, a form of fraud where criminals convince phone providers (through social engineering) to move a customer’s number to a new phone that the criminal possesses, is eroding the security of MFA that integrates texts and emails.

Location

This form of device-based authentication uses the GPS features of smartphones to identify a user’s geographic location and to locate the user’s IP address. Users can either be blocked from authenticating based on this information or asked to provide an additional factor if their location seems unusual.

Risk Assessment

Also called adaptive authentication, this factor calculates the risk associated with the attempted access using known customer/employee behavior, context, and the customer/employee risk profile. If the customer/employee is trying to gain access at an unusual time, from an unusual location, or using an unknown device or network, the authentication adapts to the situation. It can ask for additional factors during authentication attempts it deems high-risk while allowing access more easily for attempts it identifies as “normal.”

When layered together, factors that may not provide strong enough security on their own become part of an innovative protection system that better defends against fraud. When biometrics are leveraged as part of MFA authentication methods, customers and employees can experience the most secure form of authentication available for a modern digital identity management strategy.

Multi-Factor Authentication (MFA) vs. Two-Factor Authentication (2FA)

As terms, multi-factor authentication and two-factor authentication are often used interchangeably. Simply put, 2FA is a subset of MFA, and while both offer more security than single-factor authentication, there are differences between the two.

Factors Used

Two-factor authentication relies on only two types of authentication factors. Today, 2FA typically consists of a user entering a password and then being asked to enter a one-time password (OTP) – usually a four to eight-digit number – that has been sent via text or email to a user’s mobile phone. This does offer more security than a password alone, but as discussed above, fraudsters are finding ways to compromise emails and texts sent to mobile phones.

MFA uses more factors (at least two, but possibly more, depending on an organization’s strategy), and those factors are usually stronger than those used in 2FA. MFA factors include physical biometrics, behavioral biometrics, KBA, and location or device-based factors. It also allows the authentication system to adapt to the situation, prompting the user to present additional factors for riskier login attempts or the opposite in situations that are deemed “safe” by the system.

Security Level

For both 2FA and MFA, the security level depends in part on the factors used. So, a 2FA approach that requires a password and a biometric could, in theory, be more secure than an MFA approach that relies on passwords and OTPs. But as they are used today, MFA typically uses stronger factors and, by using more of them, makes it harder for fraudsters to steal credentials, pose as employees or customers, and take over accounts.

User Friction

Most people working, shopping, and accessing accounts online are familiar with the two steps of entering a password and then checking their phone for an OTP. Many are also familiar with unlocking their phone using a fingerprint or facial recognition and confirming their login with an authentication app. So, while it seems like adding factors would increase user friction, using factors that people are already using and are comfortable with allows increased security without significant friction.

Also, some MFA factors, such as behavioral biometrics, can run in the background. This enables a security layer to be added without any increase in friction in a way that is invisible to customers. Implementing such robust security measures as MFA or 2FA can provide your users with an extra layer of protection, ensuring their data and transactions remain secure.

Benefits of MFA

Multi-factor authentication can secure businesses, their employees, and their customers against the exponential growth of cybercriminal attacks. It can offer protection without frustrating users, ensure regulatory compliance, and improve customer relationships and business reputation.

Increased Security

According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), “Users who enable MFA are significantly less likely to get hacked.” If hackers get around one factor, the additional factors reduce the likelihood of their ultimate success.

Regulatory Compliance

An increasing number of jurisdictions have regulated the protection of customer data, from the EU-wide GDPR to individual U.S. states, like California’s CCPA – and even cities. Industries, such as financial services and healthcare, also have rules around data protection. KYC/eKYC and AML regulations are a constant stipulation in the former industry, while FHIR protocols are a concern of the latter. Implementing MFA enables businesses to ensure compliance with these rules and regulations and avoid hefty fines for non-compliance as well as potential damage to reputation and erosion of customer trust.

Single Sign-On Compatibility

Integrating MFA into single sign-on (SSO) solutions simplifies the addition of security into the login process, particularly for employees. There’s no need to remember multiple, complex passwords, and it reduces the calls or emails to the IT department for help.

Customer trust

Customers want their data protected, but they also want easy access to their accounts. From the moment a customer onboards, using MFA allows a business to show them that the company takes data protection seriously. Yet, because it can use factors that already seem easy for the customer or that run in the background, it can build customer trust without creating a frustrating experience.

Improve Security with MFA

In 2021, $11.4 billion was lost in the U.S. through account takeovers. IBM reported that the average cost of a data breach in 2022 was $9.44 million in the U.S. and $4.35 million globally. Authentication is clearly a point of focus for criminals trying to gain access to data and accounts. Multi-factor authentication gives businesses more power to stop fraudsters and to avoid becoming a statistic.

See how Daon can help you protect your business, employees, and customers with MFA.