Nelson Lopes

Why you need to activate Multi-Factor Authentication (MFA) immediately

MFA helps protect your online accounts

Nelson Lopes
Sep 12, 2025

We can think of Multi-Factor Authentication (MFA) as one or more additional steps required when authenticating against a system, after entering the first factor (e.g., after entering the username and password), and before being granted access to the system.

Referring to online accounts, imagine that somehow your credentials were compromised - that is, someone managed to discover them. If you don't have MFA enabled, the attacker will be able to access your account without any difficulty. However, with MFA active, after entering the username-password combination, the attacker will be confronted with a second authentication step using a different factor.

The goal is for only the user, the true account holder, to have access to the additional factor(s) required to access the system in question. This way, in a situation like this, the account will be protected, as it will be much harder for the attacker to bypass these other factors. However, bear in mind that harder does not mean impossible.

Authentication factors

There are three primary authentication factors. They are:

  • Something you know, which can be a password, a passphrase, a PIN, the answer to security questions, etc.

  • Something you have, which refers to physical devices in the user's possession that can help with authentication, such as a mobile phone, a smart card, a hardware token, a memory card, a USB drive, etc.

  • Something you are, which refers to physical characteristics of a person, such as fingerprints, facial features, retina patterns, iris patterns, hand geometry, etc.

In addition to the three primary factors, attributes such as the following can be added:

  • Where you are, based on a device, geographic location, a phone number, etc.

  • Contextual authentication, where, for example, you can set working hours, not allowing access to the account outside of those hours. It can also include location and device type.

  • Something you do, which can refer, for example, to gestures used on mobile devices to unlock them by connecting points (pattern), or image passwords, supported by Windows 10, where the user moves their fingers on the screen over an image.

Something you know

This factor is also known as knowledge-based authentication or type 1 authentication factor.

It means that the user provides something they know to authenticate themselves to a system.

In the case of passwords, they can be simple or complex, where:

  • People often, and wrongly, choose simple passwords, frequently based on personal information, because they are easier to remember. When this happens, the passwords are easily guessed.

  • When using complex passwords, people often end up writing them down somewhere, whether on post-it notes stuck to the monitor, in a notebook, or even in a text file on their computer’s desktop. In these cases, the password becomes visible to others, or even if it is not in plain sight, it can be found relatively easily.

The solution to these problems lies in Password Managers, which organize your credentials, store them securely, and, best of all, you only need to remember one password - the master password, which is used to log in to the Password Manager. This master password should be long (at least 14 characters) and, to make it easier, you can create a passphrase.

In Multi-Factor Authentication, passwords are part of the something you know factor. Credit: Mohamed_hassan via Pixabay

Passphrases are passwords based on phrases, making them easier to remember, and they address the complexity issue, especially when mixed with uppercase and lowercase letters, numbers, and special characters.

Regarding security questions, their security also increases if the user answers with complex strings instead of the true answers. The true answers are often so obvious to anyone who knows the user even slightly (and, with all the information shared on social media these days, finding them can be relatively easy) that they are easy to compromise.

Something you have

This factor is also known as possession-based authentication or type 2 authentication factor.

Perhaps the most common method is One-Time Passwords (OTP), which, as the name suggests, are codes that can only be used once and expire if not used within a certain period of time. They can be generated via:

  • Software (soft tokens), such as the popular Authenticator apps like Google Authenticator, Microsoft Authenticator, Cisco DUO, etc.

  • Hardware (hard tokens), which are dedicated hardware devices, such as the RSA SecurID.

In addition to the type of device where they are generated, OTPs can be:

  • Synchronous OTP, which is the most common and least complex. It can be time-based or counter-based. Time-based OTPs are generated every 30 or 60 seconds, while counter-based OTPs increment a number with each use.

  • Asynchronous OTP, which, although less common and more complex, provides a more robust layer of security.

In Multi-Factor Authentication, security keys belong to the something you have factor. Credit: Cottonbro Studio via Pexels

Smart cards, on the other hand, are so named because they contain an embedded integrated circuit that can perform calculations and generate unique authentication data for each transaction. They can be:

  • Contact Smart Cards, where the chip on the card needs to make contact with the reader to receive power and allow the transaction to be completed.

  • Contactless Smart Cards, where the reader sends signals that are strong enough to power the chips and communicate with them, allowing the card to perform the necessary calculations and respond to the reader.

Memory cards contain a type of memory embedded in a magnetic stripe, usually on the back of the card, from which the same data is read during each transaction.

Something you are

This factor is also known as biometric authentication or type 3 authentication factor.

It is divided into:

  • Physiological characteristics, which can include fingerprints, hand geometry, facial features, eye characteristics (such as iris and retina), etc.

  • Behavioral characteristics, which can include how a person writes, walks, speaks, presses the keys on a keyboard, etc.

In Multi-Factor Authentication, fingerprint readers belong to the something you are factor. Credit: Panumas Nikhomkhai via Pexels

Where you are

Location can be obtained based on the IP address or through geolocation.

This type of system can prevent access by users who are not in the location where they typically connect - where you are not. In fact, a basic rule is that a user should not be able to log in to their account outside of their workplace, or, if they wish to do so, they must request permission. Although this control can be easily bypassed using a VPN, it still serves as a protection that makes sense.

Single-Factor Authentication and Two-Factor Authentication

There is some confusion about what counts as using more than one authentication factor.

For example, if a system uses more than one type of authentication, but all are from the same factor, it is not Multi-Factor Authentication, but rather Single-Factor Authentication. Examples where, despite using different types of authentication, Multi-Factor Authentication does not occur:

  • The use of username/password and the answer to security questions - both mechanisms belong to the something you know factor.

  • The use of a token generated by Google Authenticator and another generated by RSA SecurID - both mechanisms belong to the something you have factor.

  • The use of a fingerprint reader and a retina reader - both mechanisms belong to the something you are factor.

The combination of two factors, such as something you know and something you have, can be called Two-Factor Authentication.

The difference between Two-Factor Authentication and Multi-Factor Authentication is that the former refers to the use of two factors, while the latter refers to the use of two or more factors.

It is important to note that using different types of authentication from the same factor typically does not add security, as the same type of attack can compromise them. In other words, using a password and a PIN does not guarantee that you are more secure than if you only used a password, as the same attacks that can be performed to discover the password can also discover the PIN. In contrast, when using different factors, such as a password and an OTP from a hard token, it would be necessary to both discover the password and physically steal the hard token in order to successfully access the account.

Weak and Strong Multi-Factor Authentication

© 2025 Nelson Lopes