Multifactor authentication (MFA) is a log-in process that incorporates several steps for identity verification. Traditionally, a password is the primary form of authentication with additional MFA methods for an additional layer of security.
But you shouldn’t just incorporate the first MFA solution you find and cross your fingers that it works. Before implementing multiple forms of authentication, weigh which MFA method is best for your business. We’ll break down common types of MFA — and their pros and cons — to help you refine your user authentication process.
Knowledge
Knowledge factor MFA asks the user for something they know. Passwords fall into this category, but they’re not the only options.
Pattern-based authentication
Pattern-based authentication (PBA) involves drawing a personal identification pattern (PIP) on a grid. Each block of the grid contains random characters. Selecting the predetermined PIP effectively produces a time-based one-time password (TOTP).
Users may love PBA because it’s easy to remember a PIP. That said, to be secure, the pattern must be difficult to guess — no tic-tac-toe-style nonsense.
Security question
With this authentication factor, users preselect one or more questions and input their answers. After entering their login credentials, users are then prompted to answer at least one of these questions correctly.
While security questions are usually easy for users, they’re also quite easy for hackers. Threat actors can often guess answers or just find them on those handy getting-to-know-you surveys all over social media. So if you’re looking to only slightly inconvenience cybercriminals, this is the MFA method for you.
Possession
A possession factor relies on something the user has physical access to in order to confirm their identity.
SMS
SMS-based MFA sends a text with a time-based one-time password to the user’s phone. By entering the TOTP, the user is essentially confirming that they are in possession of the phone associated with the account, thereby verifying their identity.
Most of us are always within arm’s length of our phones, so SMS authentication is incredibly convenient for users. However, SIM swapping, SIM hacking, and lost or stolen devices pose significant cybersecurity risks. In addition, social engineering attempts may convince users to just hand over their TOTP codes. And if any of your users pay per incoming SMS (apparently that’s still a thing), they might get pretty annoyed with the constant charges.
Phone call or email
Just as you can receive TOTPs via SMS, you can also get them the old-fashioned way: by phone call or email. While these options are generally considered more secure than SMS, they still have their drawbacks. Phone-based TOTPs for MFA can fall victim to SIM swapping (and incur call charges for your users), while email account compromise could also allow cybercriminals to intercept TOTPs.
And, as always, social engineering poses a threat, especially to your most gullible users.
Authentication app
Once an authentication app is installed on the user’s mobile device and linked to an account, the user receives a push notification or a time-based one-time password when they attempt to log in.
Common authentication apps include the following:
Google Authenticator
Microsoft Authenticator
Duo Security
While authenticator apps are generally considered more secure than most other TOTP options, such as SMS, phone calls, or emails, they still have their drawbacks. For instance, you should remind users to save their recovery codes during setup to prevent headaches if they ever lose app access.
Hardware token
Hardware tokens are devices used specifically for authentication. These security tokens are often popular in the most high-security settings, such as financial institutions and government agencies.
Smart card
A smart card is a physical token in the form of a card with an embedded chip that stores cryptographic keys. The company issues a smart card linked to the user’s identity, which they then scan via a card reader to access a workstation.
While this MFA method is generally considered highly secure, it’s usually reserved for organizations needing next-level security. The cost of issuing and maintaining smart cards, smart card readers, and the associated software is usually too steep for most businesses.
Key fob
Key fobs are small devices that fit on a keychain. They have a small screen that generates a time-based one-time password when you press a button. While convenient and portable, they serve the single purpose of generating TOTPs. No multitasking here. Plus, some key fobs rely on replaceable batteries, so you may have to perform ongoing maintenance.
USB token
USB tokens store private keys and digital certificates. A user typically connects a USB token to a computer’s USB port and enters a PIN to authenticate.
The main drawback is that not all devices have a USB port. That means that users who rely on USB tokens for authentication may be out of luck if a device lacks a port. The risk of loss or theft is also higher than some MFA types. Plus, the associated costs can add up.
Inherence
Inherence-based MFA relies on the user’s personal traits to confirm their identity.
Biometric authentication
Biometric authentication relies on the user’s unique biological traits. This type of authentication can take several forms:
Fingerprint scan
Facial recognition
Voice recognition
Iris scan
Retina scan
Palm or finger vein pattern recognition
Some users embrace biometric authentication for one simple reason: It’s easy. But others may push back at the thought of their company tracking their biometric data, which can come across as an invasion of privacy teetering on Orwellian. Additionally, biometrics are historically biased toward white males, since this is the demographic the systems were traditionally built and trained on. Other demographics may experience reduced identification accuracy for voice and facial recognition.
And while biometrics are challenging to replicate or steal, they’re not impossible to compromise. That said, biometrics are often considered more secure than passwords, so they may be worthwhile for MFA if you have the budget and user buy-in.
Behavioral analysis
Behavioral analysis uses machine learning to create user profiles based on established patterns, such as keystrokes, mouse movements, typing speed, and swiping habits. Basically, it’s a form of adaptive authentication (more on that fun term later). Once the system knows the user’s behavior, it can continuously monitor behavior against the established profile and grant access as long as it keeps verifying the user’s identity.
Because users don’t have to keep authenticating, they save time. At the same time, behavioral analysis is also quite secure since the authentication is continuous and a user’s behavior is hard to replicate. That said, users may lose access to resources if their patterns change (e.g., they sustain a life-threatening paper cut). Additionally, some folks are pretty creeped out by their employer documenting their behaviors in excruciating detail.
MFA FAQs
What is MFA?
MFA is an authentication method that prompts users to input at least one extra form of authentication in addition to their password. The idea is that passwords are frequently compromised. Additional authentication methods are much harder for cybercriminals to hack, keeping your sensitive information that much more secure and making MFA one of the standard security best practices.
What’s the difference between MFA vs. 2FA?
While MFA incorporates two or more authentication factors, two-factor authentication (2FA) includes one additional factor beyond login credentials, for a total of exactly two. However, both MFA and 2FA use multiple factors and add an extra layer of protection over single-factor authentication.
How do I choose the best type of MFA?
Choose the MFA method based on your business needs. For each platform for which you use MFA, consider the following:
Security risks
Convenience
Compliance
Cost
Scalability
Reliability
Your technical capabilities
What is adaptive authentication?
Adaptive authentication dynamically adjusts requirements based on context. For instance, if a user’s typing speed increases significantly overnight, adaptive authentication may require more forms of MFA authentication than usual to verify that it’s really them and not a nimble-fingered imposter.
The following MFA factors may influence authentication methods for adaptive MFA:
User location
IP address
Device trustworthiness
Day of the week
Time of day
User behavior
Anomaly detection
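To make the list above concrete, here is an added example (not from this article or any vendor’s product) of a small adaptive authentication policy: each context signal adds to a risk score, and the score decides whether the password alone is enough, whether a stronger second factor is required, or whether the attempt is refused outright. The weights, thresholds, and the user profile are constructed assumptions chosen for illustration; a real deployment would tune them against its own login history.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    """Signals observed for one login attempt (constructed fields, not a product schema)."""
    user: str
    ip: str
    country: str
    device_trusted: bool   # managed / previously registered device
    hour: int              # local hour, 0-23
    weekday: int           # 0 = Monday ... 6 = Sunday
    typing_cpm: float      # characters per minute measured during password entry


@dataclass
class UserProfile:
    """What the system has learned about the user so far (constructed baseline)."""
    known_countries: frozenset
    known_ips: frozenset
    work_hours: range = range(7, 20)
    baseline_cpm: float = 200.0


def risk_score(ctx: LoginContext, profile: UserProfile) -> tuple[int, list[str]]:
    """Additive scoring; weights are assumptions, not a standard."""
    score, reasons = 0, []
    if not ctx.device_trusted:
        score += 30
        reasons.append("unmanaged or unknown device")
    if ctx.country not in profile.known_countries:
        score += 40
        reasons.append(f"new country {ctx.country}")
    if ctx.ip not in profile.known_ips:
        score += 10
        reasons.append(f"new IP {ctx.ip}")
    if ctx.hour not in profile.work_hours:
        score += 10
        reasons.append(f"outside usual hours ({ctx.hour:02d}:00)")
    if ctx.weekday >= 5:
        score += 5
        reasons.append("weekend")
    deviation = abs(ctx.typing_cpm - profile.baseline_cpm) / profile.baseline_cpm
    if deviation > 0.5:
        score += 25
        reasons.append(f"typing speed deviates {deviation:.0%} from baseline")
    return score, reasons


def decide(score: int) -> tuple[str, list[str]]:
    """Map a score to an action and the factors the user must present."""
    if score < 20:
        return "allow", ["password"]
    if score < 60:
        return "step_up", ["password", "totp"]
    if score < 90:
        return "step_up", ["password", "hardware_token"]
    return "deny", []


def evaluate(ctx: LoginContext, profile: UserProfile) -> dict:
    score, reasons = risk_score(ctx, profile)
    action, factors = decide(score)
    return {"score": score, "action": action, "factors": factors, "reasons": reasons}


if __name__ == "__main__":
    # Constructed profile and attempts for demonstration.
    alice = UserProfile(known_countries=frozenset({"US"}), known_ips=frozenset({"198.51.100.7"}))
    routine = LoginContext("alice", "198.51.100.7", "US", True, 10, 1, 205.0)
    suspicious = LoginContext("alice", "203.0.113.5", "XX", False, 3, 2, 420.0)
    for attempt in (routine, suspicious):
        print(attempt.ip, evaluate(attempt, alice))
```

The typing-speed check is the article’s “nimble-fingered imposter” case: on its own it only bumps the login to a stronger second factor, which is the point of adaptive MFA, since a single odd signal should add friction rather than lock the user out.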
What is an MFA fatigue attack?
An MFA fatigue attack — sometimes referred to as MFA bombing, MFA spamming, or an MFA abuse attack — is a type of social engineering in which the threat actor attempts to log in with stolen credentials, then inundates the target with MFA push notifications until they confirm the authentication attempt. The idea is that the target will become desensitized and just authenticate to get the notifications to go away, giving cybercriminals access to sensitive data.
MFA and patch management may not seem like closely related topics. And that’s because they aren’t. But they are distant cousins twice removed that both enhance your security posture. So while implementing MFA is critical to protecting your environment, don’t overlook its better-looking cousin, patch management. Effective patch management keeps machines up to date and less susceptible to the latest vulnerabilities.
And with PDQ, patch management can be one of the easiest parts of your job. (Not counting those rare moments alone in the breakroom with only your thoughts and a fridge full of coworkers’ lunches.) Sign up for a free trial and savor the taste of success.