What is Multi-Factor Authentication (MFA)?

Multifactor authentication is a security process where you require users to provide at least two or more verification factors to gain access to specific apps, networks, accounts, or services. You ask for multiple forms of evidence across different categories.

Some of them can be time-sensitive and this makes it harder for them to hijack or break in, thus your security is not compromised. 

These categories are:

• Something You Only Know (Knowledge) - PINs, passwords, and answers to security questions.
• Biometrics - These include fingerprint scans, retina scans, and facial recognition.
• Something You Only Have (Possession) - Like temporary passwords/codes/OTPs sent to you via SMS or authenticator apps or access badges.

Why MFA Matters in Modern Cybersecurity?

MFA matters in cyber security because it adds additional layers of verification and protection. It is a great way to prevent unauthorized access and can protect you against various cyber threats like credential stuffing, phishing, and brute-force attacks.

Attack surfaces are expanding as organizations scale up. MFA makes it much harder to exploit these surfaces, even with data volumes growing. With more users and accounts to keep track of, businesses need multiple authentication factors to keep their infrastructures safe.

Here are some of the benefits of Multi-Factor Authentication in cyber security:

• MFA combines passwords, biometrics, possession-based tokens, and creates layered defenses. If one factor is compromised, the others have got your back, which means hackers can't access resources
• MFA reduces the risk of compromised passwords across multiple accounts. It mitigates the risk of stolen passwords by requesting other authentication factors.
• MFA can adapt to different security trends and needs. Organizations can implement their own MFA setups for different infrastructures, risk profiles, user bases, and workflows.
• MFA is compatible with Single Sign-On (SSO) solutions. It is also scalable for changing user businesses and diverse business needs. MFA is great for remote and hybrid work models and can secure authentication for online transactions.

Many industries require MFA as part of their strict regulations. Standards like Payments Services Directive 2 (PSD2), Payment Card Industry Data Security Standard (PCI-DSS), and the Health Insurance Portability and Accountability Act (HIPAA), make MFA a necessary investment  for organizations to avoid costly compliance violations and legal fines.

Other reasons why you business may need MFA and why its adoption matters:

• 87% of the tech industry is already implementing MFA as we speak. MFA usage in mid-sized firms is 34% while smaller businesses are adopting MFA at a slower rate of 27%. 83% of businesses require MFA to verify their users.
• 67% of professionals in the UK are enabling MFA to commit to protecting their personal data.
• 50% of IT users are using one-time passwords for MFA. 1 in 4 companies are turning to MFA after experiencing a cyber data breach.

How MFA Differs from Single-Factor Authentication?

Single-factor authentication relies on just one verification method - typically a password. You enter your username and password, and you're in. MFA changes this by requiring at least two different verification factors before granting access.

Single-factor authentication creates a single point of failure. If someone steals your password, they own your account. MFA creates multiple security checkpoints that hackers must bypass.

Single-factor systems put all their trust in passwords. But passwords have major weaknesses. People reuse them across multiple accounts, choose weak combinations, or fall victim to phishing attacks.

How does multi-factor authentication work when compared to single-factor authentication? MFA addresses vulnerabilities by combining different authentication categories. Even if hackers crack your password, they still need your phone for SMS codes, your fingerprint for biometric scans, or your physical security keys.

MFA might need more time to pass through but it offers peace of mind via multiple layers. Smart MFA authentication solutions these days are overcoming frictional user experiences by adapting to user behaviors and different risk levels.

Types of Multi-Factor Authentication Methods

MFA uses multiple authentication factors or methods that are used for verification processes. They are suitable for varying security requirements and preferences of users and businesses. Below are the most common types of MFA methods out there:

Push-Based Authentication

Push notifications provide real-time authentication requests on your mobile device. When you access the site, a push notification is sent to your registered smart phone. You just click "approve" or "deny" to authorize authentication.

Push-based systems interact through dedicated authentication apps like Microsoft Authenticator, Duo Mobile, or Google Authenticator. The apps open a connection to user accounts and display login requests with contextual information, including the device's geographical position, device type, and time.

Push alerts also provide context on login attempts so you can easily notice strange activities. You immediately know someone is trying to use your account, if an unsolicited push alert pops up.

Physical Tokens and Security Devices

Physical security devices are the most secure type of MFA security. Physical security keys like YubiKey or RSA SecurID tokens generate a one-time code or use cryptography-based techniques to prove your identity. The USB keys are also able to provide support for the FIDO2 and WebAuthn standards. They are also supported on large platforms including Google, Microsoft, Facebook, and many others. You just plug it in your PC or touch it on your Android phone's NFC reader.

Hardware tokens are immune to phishing because they check the authenticity of the site first before they respond. Even if you type your password on an imitated site, the security key will not activate, securing your account.

Biometric Verification

Biometric techniques employ distinct physiological attributes to provide verification. Voice pattern verification, examination of fingerprints, facial verification systems, and iris scanning are included under biometric measures.

Modern smartphones also have different biometric options. The addition of iPhones' Touch ID and Face ID, Androids' fingerprint scanners, and facial recognition through Windows Hello illustrate the widespread acceptability of biometric technology.

Biometric validation allows for excellent user experience - no passwords to keep in mind or codes to type. Your face or your fingertip is your secret key. Your biometric data, however, must be properly secured because your fingerprints are irreversible and can't be modified as passwords are.

Passkeys and Passwordless Sign-in

Passkeys are the newest creation of MFA technology. They do away with passwords entirely and rely on securely stored on-device cryptographic key pairs. When you create a passkey, your phone generates two keys: a private key stored on your phone and a public key that sites hold. When you log in, your phone proves it has the private key without actually ever moving it.

Passkeys are also synced across your devices through platform-centric ecosystems like iCloud Keychain, Google Password Manager, or third-party password managers. You authenticate with biometrics or device PINs, and it's both convenient and secure.

Large technology companies are pushing passkey adoption. Apple, Google, and Microsoft are collaborating on passkey standards, and platforms like PayPal, eBay, and GitHub do accept passkeys.

Which MFA Methods Are Secure and Which Are Not?

So, you want to know which MFA methods are secure and which ones are not. Here’s a complete breakdown of all of them below: Let’s start with the strong MFA methods below:

Strong MFA (Phishing-Resistant)

Phishing-resistant MFA techniques do not allow attackers to steal or capture your authentication credentials, even if people are successful with a social engineering attack. These techniques check for the legitimacy of both the service and the user before finalizing the authentication.

Hardware security keys (FIDO2, WebAuthn)

Hardware security keys are currently the most secure type of MFA. Physical devices use public-key cryptography to generate one-time digital codes on each login. The private key is sealed within the hardware and never communicates over networks susceptible to any interception.

The Interoperability standard of FIDO2 and WebAuthn makes your security keys to be platform- and service-agnostic. Major organizations have not encountered any single successful phishing attack on employees using hardware keys. Google implemented security keys for all employees and ended account takeovers within its workforce.

A single hardware key can be used for multiple accounts and services. The keys open connections using USB, NFC, or Bluetooth, so they are also good to use with computers, smartphones, and tablets. The major constraint is dependence on the physical device; the key needs to be there to authenticate.

Passkeys

Passkeys replace passwords entirely and offer the same hardware-level cryptography as hardware keys. They are also synced across a variety of hardware using platform-level systems such as Apple's iCloud Keychain or Google's Password Manager, and they remove the inconvenience issue of physical keys.

Their early deployments by enterprises yielded great results. Sign-in time was cut by 24% and 88% of the users enrolled successfully by Sony. Amazon cites 175 million passkeys generated since it introduced the feature.

Device-bound biometrics

Device-bound biometrics are unique and can’t just be copied or cracked. Your genetic code and fingerprint data is yours alone. Examples of device-bound biometrics include Touch ID, Face ID, and Windows Hello.

You can't forget or lose biometric auth factors, so they're highly user-friendly. But backup procedures are needed for failed sensors. You also need to be wary of temporary alterations of your appearance due to illness or injury, which is why you need your backups on those occasions.

Weak MFA

These are some weak forms of MFA which are vulnerable to attacks:

SMS codes (SIM swap risk)

SMS-based MFA also has its own grave security flaws, brought about primarily through SIM-swap crimes in which criminals steal your telephone number. Criminals trick communications carriers to transfer your number to a SIM card they possess and intercept all your incoming text messages, including security codes.

Network reliability brings on extra challenges. Outages of your service, delayed messages, or problems with international roaming can keep you from getting your security codes when you most need them.

Email OTPs

Email one-time passwords pose security hazards because email accounts become the single points of failure. When attackers breach your email using password reuses, data leaks, or phishing, they also obtain a way to access all services authenticated using your email.

Email does not ensure real-time delivery confirmation.

Spam filters, server problems, or network failures might delay or deny verification messages. People typically access email on various hardware and software platforms, expanding the attack surface for potential compromises.

Push notifications (MFA fatigue)

Push notification MFA seemed convenient initially, but attackers exploit human psychology through MFA fatigue attacks. They overwhelm users with repeated authentication requests until victims approve them to stop the notifications.

The Lapsus$ collective infiltrated Okta by relentlessly overwhelming an employee with incessant push notifications until access was granted. Similar assaults affected Cisco and Uber, where perpetrators merged social engineering techniques with a deluge of push notification spam.

Microsoft research discovered 1% of users simply accept the first MFA push they are asked for. Push also doesn't provide any context - you can't readily check if requests originate from good login attempts or phishing efforts.

How to Enable MFA for Your Organization?

There are various ways you can turn on multi-factor authentication for your organization. But mostly it will depend on your identity provider like Okta or if you are using Microsoft Entra ID. For businesses that use Microsoft 365, they can enable MFA by trying their security defaults.

They can also look at their conditional access policies which will let them add MFA for more granular control based on different conditions like locations, devices, and user roles.

You can enable MFA for individual users by using the per-user MFA legacy feature. There are other general steps you can take to enable MFA in your organization. The first is following a structured plan such as phased rollouts and deployments.

You can configure your MFA policies and also decide to exclude emergency access accounts. Many identity protection tools like SentinelOne can also help you enforce MFA automatically throughout your organization.

Common Challenges & How to Overcome Them

MFA is not perfect and it does come with its various challenges. Some of your employees may find them to be inconvenient or too time-consuming because you add extra steps to your verification workflow. When it comes to social engineering attacks, users might get spammed with repeated authentication requests which can lead to MFA fatigue.

Many users also don't know how to set up and use MFA which means they lack training. You will have to offer them multiple training sessions and sit down live with them. Some MFA methods can be a bit inaccessible for people with disabilities and those who are not very tech savvy. The solution to this is you can accommodate different MFA methods like push notifications, security keys, and biometrics instead of being fixed to one method.

Depending on what MFA app or tool you use, it can be a bit clunky or hard to use. Sometimes you may find that enforcing MFA can lower your team's productivity.

There are also other challenges such as with legacy system integrations, using weak authentication techniques like SMS-based codes, and dealing with users who have lost or damaged their MFA devices which means they get locked out of their accounts.

You will need to focus on your backup and recovery processes to deal with this and also provide users with backup access codes. Incomplete MFA coverage is another issue many organizations face.

Best Practices for MFA Implementation

Here are some the leading Multi-Factor Authentication best practices to implement for organizations:

• Enable MFA/2FA for all users in your organization. You can use MFA apps and encourage your employees to use them. The apps can be installed on their devices and work offline, too.
• You should use contextual and adaptive MFA controls to decide on the level of authentication needed. When done right, MFA can provide users with seamless user experiences.
• Passwordless authentication solutions are gaining traction in the MFA world. These solutions use biometrics and hardware tokens, eliminating the risks of phishing and credentials stuffing.

Monitoring & Measuring MFA Success

Here are some key metrics and KPIs you want to track to measure MFA success in your organization:

• MFA adoption: MFA adoption rates will tell you if your MFA rollout plan is on track or if you have any gaps in your coverage.
• MFA enrollment: You want to take a look at your MFA enrollment rate and measure the number of users who are currently enrolled in your plan. Your goal should be to go for 100% MFA adoption, especially for high-risk and high-privilege accounts. You want 100% MFA coverage for all admin accounts as well.
• MFA bypass: You want to look for signs of bypass techniques and note the number of MFA bypass attempts. This will help you aptly detect and respond to various MFA threats and anomalies.
• MFA recovery time: When it comes to your MFA recovery time, this is about how long a user takes to regain access to their account once a device is lost or becomes inaccessible. Keep this metric low to prevent productivity losses. Your IAM solution and help desk can also help you log the time from when a user reports losing their device versus until they have access again.

Regulatory & Compliance Requirements for MFA

MFA is needed by several industries and if you don't stay in the loop you can be at risk of huge penalties and fines. Some MFA compliance standards you want to be aware of are:

• Digital Operational Resilience Act (DORA): This enforces strict MFA for financial institutions in Europe.
• Network and Information Security Directive 2 (NIS2): The Network and Information Security Directive 2 requires critical sectors in the EU to enable MFA
• Payment Card Industry Data Security Standard (PCI-DSS): This mandates MFA for remote access to cardholder data. It is required for those that deal with non-console administrative accesses. 

There are also other standards like the Cybersecurity Maturity Model Certification (CMMC 2.0) for federal contractors, General Data Protection Regulation (GDPR) for protecting personal data, and Microsoft's MFA requirement for cloud apps like Azure Active Directory.

MFA Examples & Case Studies

Yubikey is a well-known hardware token used in the real-world to make highly secure MFA solutions. It generates one-time passwords and secure authentication data when physical devices connect to mobile devices via USB or near-field communication (NFC). It's highly resistant to MFA-based phishing attacks and malware.

Location-based authentication is another MFA method used by many businesses. It's great for protecting against unauthorized access attempts.

Time-based One-Time Passwords (TOTP) generated via the Google Authenticator app and Authy is another real-world example of MFA. These sync with services you try to access and offer a secret key via a QR code. You can generate a new code every 30 seconds and without these codes, you can't complete the login process.

SuperTokens is an open-source developer-friendly authentication platform that can simplify MFA setup and scalability. It uses plug-and-play authentication flows and can be customized to suit advanced use cases. You can add MFA to your CLI and offer your users a smooth integration experience.

How SentinelOne Helps with MFA

Singularity™ Identity can protect your organization against identity-based attacks. You can use it to close the inherent gaps in Active Directory and Entra ID that attackers exploit most.

With Identity Threat Detection and Response, you can detect in-progress identity attacks targeting domain controllers and endpoints from any managed or unmanaged device running any OS and obstruct the adversary’s progress before they gain elevated privileges.

Singularity Network Discovery uses built-in agent technology to actively and passively map networks. It can deliver information about your asset inventories and any rogue devices. Users can investigate how managed and unmanaged devices interact with critical assets and use device controls from a unified interface to control IoT and suspicious or unmanaged devices.

Singularity Cloud Security is SentinelOne’s integrated, agentless CNAPP that delivers holistic, resilient cloud security to enterprises. It includes the #1 ranked Cloud Workload Protection Platform, which secures containers, Kubernetes, virtual machines, physical servers, and serverless environments.

SentinelOne’s AI Security Posture Management can help you discover AI pipelines and models and fix anomalies. It can configure checks on your AI services. Verified Exploit Paths with SentinelOne’s Offensive Security can predict attacks before they happen. It’s a great way to fight against zero-days, malware, ransomware, phishing, advanced persistent threats (APTs), and known and unknown threats.

There are also features included with CNAPP that make it suitable for enforcing multi-factor authentication in your organization and establishing a zero-trust security architecture.  Some of them are secrets detection (can detect 750+ types), Github/GitLab code repos scanning, IaC scanning, shift-left security features, External Attack and Surface Management (EASM), full-forensic telemetry, graph-based asset inventory management, and Kubernetes and container security posture management. SentinelOne also ensures that your enterprises don’t fall out of compliance and helps you adhere to the strictest and latest regulatory standards like HIPAA, CIS Benchmark, NIST, ISO 27001, SOC 2, and other frameworks.

Conclusion

So now you know how multi-factor authentication works. You have an understanding of different multi-factor authentication methods and standards. You should also be aware about the benefits of multi-factor authentication and how you can enable multi-factor authentication in general.

If you need advice on what types of multi-factor authentication to enable in your organization, or which ones to choose to match your business needs with, then you can reach out to the SentinelOne team. We have different products and workflows that can help you ensure a smooth and seamless MFA transition and implementation.