Multi-factor Authentication (MFA)
What Is MFA and Why Is It Important?
Multi-factor authentication (MFA) is a security measure that protects individuals and organizations by requiring users to provide two or more authentication factors to access an application, account, or virtual private network (VPN). This adds extra layers of security to combat more sophisticated cyberattacks, since credentials can be stolen, exposed, or sold by third parties.
Much like an organization might employ various layers of physical security, such as a fence with a gate, a guard station, an ID scanner, and locks on the doors, an organization can also use MFA to provide multiple layers of virtual security to make sure anyone accessing the system, whether onsite or remotely, is both authorized and authenticated.
How Does MFA Work?
A user is first prompted for their username and password, the standard credentials used to log in, and is then required to verify their identity by some other means. The most common is to enter a code delivered by email, Short Message Service (SMS), a mobile authentication app, or a secondary device; other forms include hardware that scans biometrics and prearranged security questions.
This second or even third factor in the authentication process serves to verify the user request is genuine and has not been compromised.
Examples of Authentication Factors
MFA uses three common authentication methods to verify a user’s identity.
- Knowledge: This is the factor users are most familiar with. The user is prompted to supply information they know, such as a password, personal identification number (PIN), security key, or the answer to a security question.
- Possession: This factor verifies the user’s identity using something they possess. For example, by sending a code to a mobile phone.
- Inherence: This factor verifies the person by some unique personal attribute, such as biometric authentication or voice recognition.
In addition to the foregoing, a location factor and/or a time factor can provide further layers of protection in specific environments.
MFA and Two-factor Authentication (2FA)
Two-factor authentication (2FA) is a subset of MFA; both are increasingly employed to raise security beyond the level passwords alone provide. 2FA, as its name implies, requires users to authenticate their identity using two steps that together validate their access. Most often, 2FA uses the “possession” factor as the second level of security.
After a user enters their credentials, which the system recognizes as valid for network access or for logging in to an application, the server then requests an additional credential, such as a temporary code or password sent to a mobile device. Since a cyber criminal would most likely not have the user’s mobile device in their possession, this makes it difficult for them to take over a user’s identity or account.
Additionally, 2FA protects the organization, even in situations where a user’s primary credentials have been stolen, since the second layer is still inaccessible to the thief. Each additional security layer added beyond 2FA protects the user and the organization even further, demonstrating the value of MFA.
MFA and Single Sign-on (SSO)
SSO, also called a unified login, is a method of identification allowing users to sign in to multiple websites and applications with a single set of unique credentials. While MFA may be included in the first login experience, SSO then authorizes the user to access all sites and applications to which they have been granted permission.
This provides a better user experience since the user would not have to submit to the MFA process each time they need to access something within the system. The fact that MFA provides layered security at the outset, authenticating the original login, helps to protect the organization from having the SSO exploited by malicious third parties.
Benefits of Multi-factor Authentication
MFA provides protection for both the organization and individual users. For the organization, security benefits may be:
- Increased protection: Security breaches result in loss of resources, especially data, time, and money. MFA helps to protect these valuable assets.
- Safe remote work environment: Employees with fluid access to all the systems and data they need for the job are more productive. Companies employing MFA help keep the remote work environment flexible and agile.
- Defense in depth: Multiple layers of security are employed so that if one layer of defense is intentionally or accidentally compromised, secondary and tertiary layers (and so on) provide a backup, making sure that an organization is protected to the degree possible.
For users, the security benefits may include:
- Identity protection: Even if some user data is compromised, either accidentally or intentionally, the overall identity of the user is still protected from access.
- Remote work environment safety: The flexibility of access and agility of processes increase productivity and provide a user-friendly environment.
- Data protection: Users who access an organization for work or business are assured any of their personal data stored or processed is secure from cyber threats.
There are multiple security risks if MFA is not implemented. The cyber threats from malicious third parties are continuously evolving to become more complex and destructive, so organizations must provide extra layers of security to protect themselves and others.
Challenges of Multi-factor Authentication
In spite of the overwhelming benefits of MFA, there are challenges to implementing it and mitigating threats when a layer is compromised.
- Implementation costs: Costs include purchasing and replacing tokens, purchasing and renewing software, etc.
- Options when a token/smartphone is lost: The loss of a “hardware” layer of MFA means an alternate option needs to be in place. In 2FA, there often is no backup other than replacing the hardware.
- Usability issues: When different types of MFA are used across different systems, there may be a loss of agility for end-users. Loss of productivity is a consequence unless SSO solutions complement the implementation of MFA.
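One common alternate option for the lost-token case above is a set of single-use recovery codes issued at enrollment. The following is an added example, not Fortinet's code or part of the original article: it generates high-entropy codes from an alphabet without look-alike characters, stores only their hashes server-side, and invalidates each code the first time it is redeemed. Code length, count and format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# No 0/O, 1/I/L: codes are read from paper and typed back by hand.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Return `count` random codes formatted as XXXXX-XXXXX for the user to print."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def normalize(code: str) -> str:
    """Tolerate the formatting the user typed: case, spaces and dashes."""
    return code.strip().upper().replace("-", "").replace(" ", "")


def hash_code(code: str) -> str:
    # The codes carry ~49 bits of entropy, so a plain hash (no slow KDF) is
    # sufficient; the point of hashing is that a database leak does not
    # hand out usable bypass codes.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side state: hashes of the codes that have not yet been redeemed."""

    def __init__(self, codes: list[str]):
        self.unused = [hash_code(c) for c in codes]

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, candidate: str) -> bool:
        """Accept a code exactly once; a second use of the same code fails."""
        target = hash_code(candidate)
        for index, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, target):
                del self.unused[index]  # single use
                return True
        return False


if __name__ == "__main__":
    issued = generate_recovery_codes()
    store = RecoveryCodeStore(issued)
    print("issued:", issued)
    print("first use :", store.redeem(issued[0]))   # True
    print("second use:", store.redeem(issued[0]))   # False
    print("left      :", store.remaining())          # 7
```

Redeeming a recovery code is itself a strong signal: a practical deployment alerts the user, prompts re-enrollment of a new second factor, and regenerates the whole code set once the supply runs low, since each remaining code is a standing bypass of the possession factor.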
However, even acknowledging such challenges, if organizations want to protect their network, users, and employees, the benefits of implementing an MFA solution as part of an access management strategy clearly outweigh the challenges.
- MFA strengthens security, providing layers of protection against cyber threats and peace of mind regarding data protection.
- Marrying MFA and SSO solutions simplifies the login process, increasing both security and productivity.
- MFA helps organizations meet compliance standards, assuring the right environment for users and adequate protection of personal data.
Technology Needed To Support MFA
Certain technologies must be adopted and implemented to support MFA, including:
- Biometrics: Fingerprint readers, retinal scanners, facial recognition software, etc.
- Security tokens: Hardware distributed to users, including portable Universal Serial Bus (USB) authenticators, keychain tokens, and embedded ID cards.
- Soft tokens: Examples are software tokens, push tokens, and QR tokens.
- SMS tokens: Temporary codes sent by SMS to a mobile device.
How Fortinet Can Help
Malware, ransomware, and phishing attacks are increasingly used by hackers to compromise user credentials and gain access to organizations’ networks. Enhancing network security with MFA solutions helps increase data-center security, boost cloud security for a safer remote working environment, and minimize cybersecurity threats.
Fortinet identity and access management (IAM) solutions—including FortiAuthenticator, FortiToken, and FortiToken Cloud—provide the solution organizations and their users need. Fortinet IAM provides authentication policies, technologies, and processes designed to confirm the identity and access privileges of individual users. This is done by assigning specific roles to users and then ensuring their credentials qualify them for certain sections of the network. MFA is built into FortiToken Cloud, strengthening cloud security by necessitating an extra layer of verification and authorization.