Different Types of MFA [What you need to know]

Thu 23 Dec 2021

In my previous entries we covered the importance of MFA against hacking, building a strong foundation for zero trust architecture, and the enduring strength of OTP. Now let's take a step back and look across the various types of multi-factor authentication (MFA).

Quick Recap on MFA

Authentication typically works with a few factors:
  • Something you know: passwords, security questions, PINs
  • Something you have: things in the user's possession, e.g., smartphones, hardware tokens
  • Something you are: usually biometric factors (fingerprint, iris, Face ID, etc.)

Multi-factor authentication means that whatever application or service you’re logging in to is double-checking that the request is really coming from you and not a hacker, by confirming the login with you through a separate venue, or factor.

MFA is essential to digital security because it immediately neutralizes the risks associated with compromised passwords. More than two-thirds of people continue to use the same passwords across multiple accounts. If a password is hacked, guessed, or even phished, that is no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.

Different Types of MFA


Phone callbacks

Phone callbacks are one of the less popular versions of 2FA, but they’re an effective – if time-consuming – way to implement a second factor. In a phone callback setup, once a user logs in, they receive an automated phone call that prompts them to approve or deny the access request.

SMS based OTP

SMS passcodes usually consist of a short string of digits sent to a smartphone. Passcodes definitely count as 2FA. Since they rely on phone lines, however – which can be compromised – they represent the least secure method. Passcodes aren't a real hit with users, either: each code must be manually entered, which can be a nuisance.

One Time Passcode (OTP) Tokens

Many web security teams opt to arm their users with tokens. These are typically small keychain fobs that generate codes for users to enter as their second factor. Tokens are more secure than cellular-delivered passcodes, as they don't rely on phone lines, but they don't address the annoyance of entering codes. Tokens are attractive because they are affordable and don't require system administrators to collect phone numbers – but they're battery-operated, and batteries die. Using tokens will mean dealing with the headache of timing replacements to avoid users losing access to crucial systems.
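As an added illustration (not code from the original post or from FEITIAN), here is the RFC 6238 time-based one-time password algorithm that OATH keychain fobs of the kind described above generate, together with the server-side check that accepts one step either side of the current time so a token whose clock has drifted slightly still works. The 20-byte seed and the expected codes are the RFC 6238 reference test vectors; the 30-second step and 8-digit codes are assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes the RFC 4226 HMAC-SHA1 one-time password for a counter value.
func hotp(secret []byte, counter uint64, digits int) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// totp is RFC 6238: the counter is the number of step-second intervals since the Unix epoch.
func totp(secret []byte, unixTime, step int64, digits int) int {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP accepts the code for the current step and for skew steps on either
// side; skew=1 tolerates modest token clock drift without widening the window much.
func verifyTOTP(secret []byte, code int, unixTime, step int64, digits, skew int) bool {
	counter := unixTime / step
	for d := -int64(skew); d <= int64(skew); d++ {
		if hotp(secret, uint64(counter+d), digits) == code {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 reference seed, not a real key
	fmt.Println(totp(secret, 59, 30, 8))     // 94287082 (RFC 6238 test vector)
	fmt.Println(verifyTOTP(secret, 94287082, 89, 30, 8, 1))         // true: one step old, inside skew
	fmt.Println(verifyTOTP(secret, 94287082, 1111111109, 30, 8, 1)) // false: long expired
}
```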

Authenticator Apps

Authenticator apps are exactly what they sound like: smartphone apps that handle the second-factor approval process as standard notifications. Authenticator apps require internet connectivity to deliver login approval requests, which is more secure than using phone lines.

Universal Second-Factor (U2F) devices

U2F devices are small physical devices used exclusively to verify logins. Most commonly this covers FIDO security keys and smart card (CAC/PIV) technologies built on Public Key Infrastructure (PKI). They typically need to be connected via USB, NFC, Bluetooth, or a dedicated reader device. When a user enters their password on a computer with a U2F device plugged in, they're prompted to tap the physical U2F device to gain access. U2F devices are popular because they're so easy to use – a simple tap and you're done. Recently, as FIDO technology matures, more and more providers implement a seamless passwordless experience by combining FIDO2 with biometrics, using something like FEITIAN's Biopass series.

It is worth noting that U2F technologies such as security keys are proven to be the best-in-class MFA method when it comes to combating account takeover incidents, according to this research by Google.

[Figure: account takeover prevention rates, by challenge type. Source: Google security blog, 2019]
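To show why security keys come out ahead in the Google figures above, here is an added example (not code from the post or from FEITIAN) of the origin binding that makes FIDO/WebAuthn assertions phishing-resistant: the browser, not the user, writes the origin it is actually talking to into the signed client data, so an assertion produced while the user is on a lookalike domain fails the relying party's check even though the signature itself is valid. The clientData struct is a simplified stand-in for WebAuthn clientDataJSON, Ed25519 stands in for the key's own signature algorithm, and the origins and challenge are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is a simplified model of WebAuthn clientDataJSON (assumption for this demo).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back from the browser.
type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// authenticatorSign models the security key: it signs the hash of the client data,
// which carries the origin the browser observed, so the key never sees a "wrong" site.
func authenticatorSign(priv ed25519.PrivateKey, cd clientData) assertion {
	raw, _ := json.Marshal(cd)
	h := sha256.Sum256(raw)
	return assertion{ClientDataJSON: raw, Signature: ed25519.Sign(priv, h[:])}
}

// verifyAssertion is the relying-party check: valid signature AND the signed client
// data must name the RP's own origin and the exact challenge the RP issued.
func verifyAssertion(pub ed25519.PublicKey, a assertion, expectedOrigin, expectedChallenge string) bool {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return false
	}
	h := sha256.Sum256(a.ClientDataJSON)
	return cd.Type == "webauthn.get" && cd.Origin == expectedOrigin &&
		cd.Challenge == expectedChallenge && ed25519.Verify(pub, h[:], a.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo credential
	genuine := authenticatorSign(priv, clientData{"webauthn.get", "challenge-1", "https://login.example.com"})
	fmt.Println(verifyAssertion(pub, genuine, "https://login.example.com", "challenge-1")) // true
	// Same key, same challenge, but the browser was on a lookalike origin: rejected by the RP.
	lookalike := authenticatorSign(priv, clientData{"webauthn.get", "challenge-1", "https://login-example.com"})
	fmt.Println(verifyAssertion(pub, lookalike, "https://login.example.com", "challenge-1")) // false
}
```

An OTP code carries no notion of which site it was typed into, which is exactly the gap this origin check closes.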

Keep in mind that in most cases, system administrators opt for a variety of approaches and typically give users a few options to best fit the given need. So, for example, if your work laptop has a U2F device attached, you could use that as your second factor throughout the day. Logging in to an application off-hours from your smartphone, however, might require that you use an authenticator app. While this kind of flexibility may not seem like a big deal, your users will definitely appreciate it, making them stronger allies of your security efforts.

Conclusion

In the post-password world, strong cyber security relies on a dynamic approach built from a variety of tools and policies. It’s important to never rely on any single method for comprehensive protection. That means MFA is an essential security tool, but it becomes even more effective when it’s used as part of a coordinated strategy of security applications and policies.
