Multi-factor Authentication (commonly referred to as MFA) is becoming increasingly popular across different services. It has existed in some form or another since the 1960s, and more and more online services are adopting it. But what exactly is it?
What exactly is Multi-factor Authentication?
Multi-factor authentication is a mechanism to verify that you have the appropriate access rights to log into your account. It works by asking for two or more pieces of information, each of which can be checked independently. Two-factor authentication (2FA) explicitly requires two authentication factors, which makes it a subset of multi-factor authentication, as are three-factor, four-factor, and so on.
To simplify everything, I will just refer to them all as “multi-factor authentication”. Usually, providers will choose two methods, but it can be more and the same rules tend to apply.
Is there such a thing then as Single-factor Authentication?
Yes, and this is the most common method of user authentication on the web. While multi-factor authentication verifies your access rights using multiple pieces of information, single-factor authentication uses only one. The dominant form of single-factor authentication is still a username and password, but with the increased adoption of multi-factor authentication, as well as the limitations of passwords and password technologies, this is likely to decrease in popularity.
In any authentication request, information is requested from the person trying to gain access to the account. This is sent to the system, which checks and validates it. If everything matches correctly, your request for access is granted. If any one thing doesn’t match, the request fails entirely, and you either have to try again or your account is locked.
The information you would need to give to access your account would typically fall into four broad categories:
Factor 1: “What We Know”
This refers to any authentication detail that you and only you should know or remember. It includes usernames, passwords, PINs, and answers to secret questions. This is probably the most common method of authentication and is often the only one some websites use, the typical example being a username and password combination.
Factor 2: “What We Have”
This refers to any authentication detail that we would have in our possession. It usually depends on a physical object that you and only you should have on your person. These would include mobile phones, ID cards, key fobs, and USB keys. A common example is an app on a phone that generates one-time passwords. Google Authenticator is one example of this.
Factor 3: “What We Are”
This is often referred to as “biometric data” and refers to something that you and only you can provide via your body. It includes fingerprints, voiceprints, retinal scanning, and facial scanning. Face ID and Touch ID are common examples of biometric identification systems.
Factor 4: “Where We Are”
This is an uncommon type of verification. It uses GPS data or IP location data as a method of verifying your identity. You may well find it when accessing some government systems or hospital systems, where the building is surrounded by a geofence. In the wider world, you may just see it as a warning that the system has detected some suspicious activity for you to review rather than an authentication method like the other three.
How does it all work?
The theory is pretty simple. Each of the credentials that are asked for would likely be something that you and only you should be able to provide. The more factors that are requested and correctly provided, the more likely it is that it is actually you that is accessing your account.
The reason we use multiple factors is based on the idea that someone wanting to access your account may know one particular factor, but the odds of knowing or being able to access both are smaller. So you may know my username and password, but do you also have my ID card? Or you may have my phone and account details to call my bank, but good luck replicating my voiceprint for my password.
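The sections above describe checking several independent factors, and mention authenticator apps that generate one-time passwords. The block below is an added example, not code from the original post, showing how a server might combine a “what we know” factor (a salted, slowly hashed password) with a “what we have” factor (a time-based one-time password as generated by apps like Google Authenticator, following RFC 4226/6238). The shared secret, the sample password and the PBKDF2 parameters are assumptions chosen for illustration; the secret happens to be the test key published in those RFCs so the codes can be checked against their tables.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# --- Factor 1: "what we know" -------------------------------------------------
# Passwords are never stored in the clear: keep a random salt and a slow hash.
# The round count is an assumption for this example; tune it for your hardware.
PBKDF2_ROUNDS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

# --- Factor 2: "what we have" -------------------------------------------------
def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. This is what the phone app computes."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)

def match_totp(key: bytes, submitted: str, at: Optional[float] = None,
               step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter that `submitted` matches, or None.
    One step either side is accepted to tolerate phone/server clock skew."""
    submitted = submitted.replace(" ", "")
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return None
    at = time.time() if at is None else at
    current = int(at // step)
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None

# --- Combining the factors ----------------------------------------------------
def enroll(password: str, totp_key: bytes) -> dict:
    """Build the server-side record for a user (constructed sample, not a real DB)."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_key": totp_key,
            "last_counter": -1}   # highest TOTP step already consumed

def authenticate(user: dict, password: str, code: str, at: Optional[float] = None) -> bool:
    """Grant access only if BOTH factors check out. Both are always evaluated,
    and a single generic result is returned, so a failed login does not reveal
    which factor was wrong. A one-time code is consumed on success, so the same
    code cannot be replayed within the acceptance window."""
    password_ok = verify_password(password, user["salt"], user["pw_hash"])
    counter = match_totp(user["totp_key"], code, at=at)
    code_ok = counter is not None and counter > user["last_counter"]
    if password_ok and code_ok:
        user["last_counter"] = counter
        return True
    return False

if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 test secret and an assumed password.
    key = b"12345678901234567890"
    record = enroll("correct horse battery staple", key)
    now = time.time()
    print("code the app would show:", totp(key, at=now))
    print("login:", authenticate(record, "correct horse battery staple", totp(key, at=now), at=now))
    print("replay of same code:", authenticate(record, "correct horse battery staple", totp(key, at=now), at=now))
```

Two design points worth noting: `hmac.compare_digest` is used for both the password hash and the one-time code so that comparison time does not leak how many leading characters matched, and the stored `last_counter` is what stops an attacker who captures a valid code from reusing it during the 30-second window the clock-skew allowance leaves open.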
Why do we need it?
In short, security.
Many security experts argue that, in today’s world of sophisticated information systems, single-factor authentication just isn’t enough to keep your account truly safe. While single-factor authentication is still usable and offers some assurance that it is you accessing the account, multiple factors offer greater security and provide that extra check that it is really you.
It is recommended that you have a different, complex password for each account, but even secure passwords will only go so far. All it takes is one lucky brute-force attack and your account is compromised. Two authentication methods require two separate attacks, some of which are harder to carry out than others. Add to that the fact that the majority of Internet users share passwords across multiple accounts, and suddenly a secondary authentication method becomes increasingly important.
Why doesn’t everyone use it?
Multi-factor authentication is becoming more and more popular, but for it to reach the mainstream, others need to adopt it. And there are barriers to that. The biggest of the barriers is, put simply, us. We just cannot be bothered with all of the messing around and making things more complicated than they need to be.
There’s a reason people use simple passwords, like dates of birth, pet names, names of children, and so on – they’re easy to remember. It’s much easier to remember “manchester” or some variant of it as your password than it is to remember “yEvm*L4&”, even though the latter is shorter. Similarly, remembering just one password is much easier than remembering seven different ones. Sure, password managers can help with that, but that adds an extra layer to inputting passwords that some people see as unnecessary. Not only that, but you would need the password manager on your phone, your computer, your tablet, your work computer, your home desktop, so many different devices.
That’s just making one authentication method more secure. To then add another layer with an authenticator app or a USB key or something else just makes it even more complicated, especially when you consider that you would need to add each individual site or service that you use there, and then re-add them if you change your device. It’s too much work, too much complexity, and not enough reward.
Convincing people to adopt multi-factor authentication requires work, and sometimes it seems like more work than is necessary. It is an important method of account security and one I encourage all of my clients to at least consider. Making it more difficult for you to access your account also makes it much more difficult for an attacker. Not only that, but multi-factor authentication tools are getting a lot simpler to use while still maintaining their security. With biometric input becoming more readily available and more accurate on mobile phones, some authentication apps are taking advantage of that.
Can I add it to my own site?
Yes. If your site uses a content management system like WordPress, you can download a number of plugins that have multi-factor authentication built in. Plugins like Wordfence or Defender from WPMU DEV are excellent security tools, and they both make activating multi-factor authentication easy. You can also require multi-factor authentication for certain roles, so you may want to enforce it for your admins and editors, but not your subscribers and contributors. Other content management systems will have something similar.
How are you finding multi-factor authentication? Do you use it on your sites? Do you think more sites should adopt it, or is it just too much like hard work? Head on down to the comments and let’s discuss.