Multi-Factor Authentication (MFA)

What is Multi-Factor Authentication?

Multi-factor authentication means, as the name suggests, authentication based on several factors. But what does authentication really mean, what factors can be used and combined, and why is it needed in the first place?

Authentication

Checking and confirming a user's identity when logging in to a computer system is called authentication. The user must prove that they are entitled to access a system or user account. By far the most common way to do this is to enter a username and password. The combination of username and password counts as a single authentication factor.

Heightening security through adding factors

Requiring only a username and password when logging in can be insecure, especially if the same username and password are used for authentication on several different platforms. This makes it comparatively easy for unauthorized people to obtain the login credentials and get into the system. With more authentication factors, it becomes more difficult for attackers to get into a system.

Authentication factors are usually divided into three different types:

Something you have: Bank card, mobile app, security token (bank box).

Something you know: Passwords.

Something you are: Personal (usually physical) traits, such as fingerprints or an iris pattern.

Note that if the login requires two factors from the same one of the above groups, this cannot be fully considered two separate factors. Requiring the user to have two things or know two things is not as secure as requiring them to have one thing and know one thing.

Two-Factor Authentication (2FA)

If two of the above authentication factors are required to log in to a system, it is called two-factor authentication. Security is significantly increased when an additional authentication factor is added to the login procedure in this way. Examples are the combination of bank card and PIN code at an ATM, or password plus fingerprint to gain access to a system. Using only usernames and passwords in a login process is the lowest level of security a system can have. For increased security in organizations, two-factor authentication is becoming an increasingly common security standard.

Practical use-case

  1. The user is required to provide an authentication factor to log in to a website or computer system.

  2. The user enters their username and password and thus gives the first authentication factor.

  3. Once the system has recognized the user, the user is prompted to take the second authentication step in the login process as an additional security measure. In this step, the user may be required to provide a one-time password obtained from a security token or a text message. The extra authentication factor can also be, for example, scanning a QR code in a mobile app.

  4. Once the user has presented all the requested authentication factors, the user is allowed access to the system.
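The four steps above, as an added worked example that is not part of the original article: a server-side login check where the first factor is a username and password (stored as a salted PBKDF2 hash, an assumption of this example) and the second factor is a time-based one-time password (TOTP, RFC 6238) of the kind a mobile app or security token generates. The user record, the user name "alice" and the function names are constructed for illustration; the TOTP secret is the well-known RFC 4226 test-vector key, not a real credential. The second-factor check tolerates one time step of clock drift and refuses to accept a code at or below the last accepted time step, so a captured one-time password cannot be replayed within its validity window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30  # seconds per time step (RFC 6238 default)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store for the example. The salt is fixed here so the test
# is deterministic; a real system draws a random salt per user.
DEMO_SALT = b"constructed-demo-salt"
# RFC 4226 test-vector key ("12345678901234567890"), base32 encoded.
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": _pbkdf2("correct horse battery staple", DEMO_SALT),
        "totp_secret": DEMO_TOTP_SECRET,
        "last_counter": -1,  # highest time step at which a code was accepted
    }
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret_b32, now // step)


def check_password(user: str, password: str) -> bool:
    """First factor: something you know."""
    rec = USERS.get(user)
    if rec is None:
        _pbkdf2(password, DEMO_SALT)  # same cost for unknown users (no user enumeration by timing)
        return False
    return hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["pw_hash"])


def check_totp(user: str, code: str, now: int, step: int = TOTP_STEP, skew: int = 1) -> bool:
    """Second factor: something you have (the device holding the TOTP secret).

    Accepts the code for the current time step or +/- `skew` steps to allow
    for clock drift, but never for a step at or below the last accepted one,
    so a one-time password really is one-time."""
    rec = USERS[user]
    counter = now // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if candidate <= rec["last_counter"]:
            continue  # already used (or older than a used code): replay
        if hmac.compare_digest(hotp(rec["totp_secret"], candidate), code):
            rec["last_counter"] = candidate
            return True
    return False


def login(user: str, password: str, code: str, now: Optional[int] = None) -> str:
    """Runs both factors in order; returns 'granted', 'denied:password' or 'denied:otp'."""
    now = int(time.time()) if now is None else now
    if not check_password(user, password):
        return "denied:password"
    if not check_totp(user, code, now):
        return "denied:otp"
    return "granted"


if __name__ == "__main__":
    t = int(time.time())
    code = totp(DEMO_TOTP_SECRET, t)  # what the user's app would display right now
    print(login("alice", "correct horse battery staple", code, t))  # granted
    print(login("alice", "correct horse battery staple", code, t))  # denied:otp (replay)
```

The order of the checks matters: the one-time password is only evaluated after the password has been verified, so a failed second factor tells the caller nothing about the first, and the reply string is the same for a wrong, expired and replayed code.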

Multi-Factor Authentication (MFA)

In environments with high security requirements, more than two authentication factors may be required. A system with two factors (2FA) can already be said to have MFA, so the two terms are often used synonymously, but MFA can refer to systems with any number of factors. For example, if the login requires three different authentication factors, this can be called three-factor authentication (3FA), and so on.

Such security requirements may apply, for example, at top-secret defense facilities, where extreme security checks may require a combination of passcard, password, QR code, fingerprint, and voice recognition.

Access Control Systems

In order to achieve satisfactory information security in an organization, basic security measures are needed for managing the permissions of different users in the different systems. You must make sure that only authorized users have access to the necessary information and are allowed to perform approved activities with it. Some things to keep in mind in this context are, for example:

  • Users' identities must be identified and authenticated.

  • Access rights must be regulated.

  • What information should be available to everyone and what should the user be allowed to do with the information?

  • Routines must be created for authorization management and assignment or removal of authorization.

  • Users' activities may sometimes need to be logged, i.e. registered and saved so that digital activities can be tracked afterwards for control. Logging presupposes that users are informed that their activities are being logged.
