What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is an authentication method in which a user is required to present two or more pieces of evidence (also known as factors) to authenticate. Factors fall into three categories:
- Knowledge: Something the user and only the user knows (ex: credentials like password and PIN)
- Possession: Something the user and only the user has (ex: mobile device, token, credit card CVV)
- Inherence: Something the user and only the user is (ex: fingerprint, face, and voice recognition)
What does MFA do?
The goal of MFA is to strengthen authentication mechanisms by adding another layer of security. MFA does not solely rely on credentials to identify someone (as these credentials could be compromised), but also asks for complementary information that only the user can provide at a given time.
There are different variants and subsets of MFA available, depending on the number and type of factors required (2FA for Two-Factor Authentication, Two-Step Verification, Two-Step Authentication, etc.), but they are all based on the same basic concepts.
Why do you need MFA?
Applied to mobility, Multi-Factor Authentication verifies that whoever is trying to access a corporate resource, on-premises or cloud-based, is in fact who they claim to be: after a preliminary successful authentication, access is validated with a second (and possibly a third) requirement.
There are dozens of examples of Multi-Factor Authentication in our daily life, for example when withdrawing money at an ATM. First, the user needs to own the credit card physically (or virtually, if using mobile device/watch) at that precise moment. Then, the user needs to know the PIN to unlock it and allow the transaction.
In the past, you might have used a token required to establish a secure VPN connection back to your company or customer network. If so, then you have already used MFA!
Of course, things have evolved since then. With mobility at the center of everything today, there are other options available to guarantee the highest level of security without having to carry an easy-to-lose piece of plastic everywhere, one that always seems to be left at home when you need it most.
But what is the one thing you would never leave at home? Correct, your mobile phone and wearable devices. MFA providers know this, so they have built several options for users to make authentication as easy and smooth as possible. These include:
- Receive a token via a phone call or SMS on a trusted, previously registered device
- Generate a One-Time Password (OTP) from an app on a trusted mobile device
- Validate access from an app on a trusted mobile device
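To show what the second option looks like under the hood, here is an added example (not code from the original article or from any MFA vendor) implementing the two standards that authenticator apps use: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238). The shared secret `b"12345678901234567890"` is the test key from those RFCs; the issuer and account names in the provisioning URI are constructed placeholders. The verification function accepts a small clock-drift window, compares codes in constant time, and refuses to accept a counter that has already been used, which is how a server prevents a captured code from being replayed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros, e.g. "007081"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter=None):
    """Server-side check. Returns the matching counter, or None if the code is rejected.

    - window: how many steps of clock drift either side of 'now' are tolerated.
    - last_used_counter: the most recent counter accepted for this user; any counter
      at or below it is refused so the same code cannot be replayed within the window.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = now // step
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return counter
    return None


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (the de facto key-URI format encoded in enrollment QR codes).
    The secret is base32-encoded without padding, as authenticator apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Constructed demo values: RFC test secret and placeholder issuer/account.
    secret = b"12345678901234567890"
    print("enrollment URI:", provisioning_uri(secret, "ExampleCorp", "alice@example.com"))
    now = int(time.time())
    code = totp(secret, now)
    print("code now:", code, "-> accepted counter:", verify_totp(secret, code, now))
    print("same code again:", verify_totp(secret, code, now, last_used_counter=now // 30))
```

The server stores the shared secret (ideally encrypted at rest) and the last accepted counter per user; a stolen code is worthless once that counter is recorded, and the drift window keeps a phone whose clock is a few seconds off from being locked out.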
You might have experienced these examples already when setting up a new ID with service providers like Microsoft, Google, or Apple, but these methods are also available for your company to implement and benefit from.
Which MFA to choose?
The good news is that you might not even have to choose, as MFA is already provided by most Identity Providers (IdPs) like Microsoft, Google, or Apple. If not, there are vendor-agnostic solutions available for you to integrate with your environment.
What you will definitely need to think about before deploying MFA is your own use case:
- What resources are end-users accessing the most?
- Where are they located (on-premises, cloud, or both)?
- What mobile devices are end-users using the most?
  - Operating System (iOS, Android, etc.)?
  - Type (smartphone, tablet, desktop, etc.)?
  - Personal-owned or corporate-owned?
  - For corporate-owned, are they managed?
- Which factors do you want to use for user authentication?
  - One-Time Password (OTP) generated from an authenticator
  - Token received via phone call or SMS
  - One-click user validation on another device
- If using an authenticator, what type?
  - Desktop/mobile app
  - Physical dongle
Confirm with your Identity Providers which Multi-Factor Authentication options or variants they can provide and see what matches your expectations and needs.
(C) Rémi Frédéric Keusseyan, Mobility Expert/Master Trainer