Last updated on March 27, 2024
Multi-Factor Authentication (MFA) is a concept that revolutionized authentication security. Nowadays, it is hard to think about account safety without MFA. Unfortunately, MFA is still not as ubiquitous as it should be. This article describes the most important aspects of Multi-Factor Authentication, from its meaning through examples of MFA in practice to MFA benefits.
What is Multi-Factor Authentication: MFA Meaning & Definition
Multi-Factor Authentication (MFA) is a type of authentication that uses at least two distinct authentication factors to decide if a person is who they say they are.

The strength of MFA lies in the fact that it requires at least two distinct factors to confirm the user’s identity. Even if a malicious actor compromises one authentication factor, they still need to compromise all other authentication factors to gain access. The more authentication factors, the more security. If you use the same factor twice, then it is two-step authentication but not two-factor authentication.
Why Are a Username and Password Not Enough?
During Single-Factor Authentication, a user has to provide only one proof of their identity. While Single-Factor Authentication may involve any of the three authentication factors, most single-factor systems assert the user’s identity by asking for a password. Passwords are an example of the Knowledge Factor, which is the least secure of all authentication factors.
Passwords are easy to use. After the user enters the correct password, they gain access to the service. Unfortunately, a username and password are not a secure authentication method. Passwords can be stolen, cracked, or guessed. For this reason, Single-Factor Authentication based on passwords comes with a huge security risk.

Many password-based types of attacks exist: from brute-force, dictionary, and rainbow table attacks, through keystroke logging, to social engineering attacks such as phishing. A malicious actor who steals a user’s credentials also steals that user’s identity. In such a scenario, the malicious actor logs in to any service and acts as if they were the user. Then, the malicious actor conducts a series of fraudulent activities, like infecting important company files with ransomware or stealing confidential data.
Sometimes the malicious actor does not even have to conduct an attack. Data leaks are quite common. All the malicious actor has to do is find somebody’s password inside huge files with leaked passwords.
How Does MFA Work?
Single-factor security systems are not secure enough on their own. MFA brings an extra layer of security to the table by requiring the user to present at least two distinct authentication factors.
To gain access, a user has to provide two independent proofs of their identity. The first factor may still be a password (but does not have to be). If the password provided by the user is correct, then the MFA system asks for at least one other proof based on possession or inherence.
The second factor may be either:
- something you have (a mobile device, a smartphone, a FIDO2 security token, or a hardware OTP)
- something you are (a fingerprint or facial recognition)
MFA With Two Factors: Two-Factor Authentication (2FA)
Let’s first look at MFA based on something you know and something you have. In the following example, Bob attempts to log in to an application they need for work. The application is protected with Two-Factor Authentication (2FA). As a result, Bob will have to present two factors to prove their identity.

- Bob wants to sign in to an application protected with MFA.
- Bob provides their username and password (Knowledge Factor).
- The security system checks Bob’s password and asserts that the password is correct (Knowledge Factor checked).
- The security system challenges Bob to choose one of the available second-factor authentication methods.
- Bob chooses the Push Notification authentication method. To use this method, you need to install an authenticator app on your mobile device. Let’s assume Bob did that beforehand.
- The security system sends a push notification to Bob’s smartphone. This smartphone is Bob’s personal physical device.
- Bob receives a push notification on their physical device (Possession Factor).
- Bob taps accept on the push notification and therefore shows possession of this device (Possession Factor checked).
- The security system logs Bob into their application.
In this example, Bob’s personal phone was used as the Possession Factor. The security system challenged Bob to prove that Bob has the device the system previously knew as Bob’s. After the system asserted Bob indeed has access to this device, Bob was given access to their account. If a malicious actor only had Bob’s password, they would not be able to accept the Push Notification that came to Bob’s phone. For that, the malicious actor would also have to steal Bob’s phone.
MFA With Three Factors: Three-Factor Authentication (3FA)
Another popular type of MFA is the combination of something you know and something you are. In this example, Alice logs in to a file storage cloud app. This application is protected with MFA and will require Alice to present more than one factor. Alice chooses to be authenticated using a biometric token like YubiKey Bio. Note how, in this case, Alice demonstrates three (and not just two) factors.

- Alice wants to sign in to an application protected with MFA.
- Alice provides their username and password (Knowledge Factor).
- The security system checks Alice’s password and asserts that the password is correct (Knowledge Factor checked).
- The security system challenges Alice to choose one of the available second-factor authentication methods.
- Alice chooses WebAuthn/U2F Security Key authentication. To use such a security key, Alice needs to enroll this biometric-based security key first. Let’s assume they have already done that before.
- The security system asks Alice to plug in the security key (Possession Factor).
- Alice plugs in the security key to the USB port of their computer (Possession Factor checked).
- The security system asks Alice to scan their fingerprint by using the fingerprint scanner on the security key (Inherence Factor).
- Alice touches the fingerprint scanner and the system asserts the fingerprint matches the fingerprint known to the system (Inherence Factor checked).
- Alice gets access to their application.
Examples of MFA in Practice
MFA is not just a theoretical concept. MFA is a real-life solution used to protect millions of accounts all around the world. Even if the idea of MFA systems is new to you, you have most likely already used MFA in a real-life situation, possibly to authenticate to multiple accounts.

MFA is often used by banks. The combination of your ATM card and your PIN is also an example of Multi-Factor Authentication (MFA). Moreover, when a user wants to log in to their bank account, they have to provide their password. Then, the bank often sends the user an SMS message with a short passcode (or one-time password). The user has to enter this code into the bank’s log-in form to access their account.
Google Authenticator is a popular mobile app that generates codes that users can use for Two-Factor Authentication (2FA). You might have heard about this app before.
Rublon also offers a mobile app. A user who installed Rublon Authenticator on their mobile phone can use the TOTP code for verification (Mobile Passcode) as well as several other authentication methods, including Mobile Push. Facial recognition and fingerprinting are two built-in biometric features that make Multi-Factor Authentication even more powerful.
No matter how you log in to your account, MFA verification always involves more steps than just providing your username and password. This is what Multi-Factor Authentication is all about.
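The two-step check described above (password first, then a TOTP passcode of the kind Google Authenticator or Rublon Mobile Passcode generates) as an added example; this is illustrative code written for this article, not Rublon's or any authenticator's implementation. The password hash, salt and TOTP seed are constructed demo values (the seed is the RFC 6238 test-vector seed), and the server-side state is kept in module variables for simplicity.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials for one user; a real system stores a per-user
# password hash and the TOTP seed enrolled from the authenticator app.
PASSWORD_SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
TOTP_SECRET = b"12345678901234567890"  # seed from the RFC 6238 test vectors
STEP = 30  # seconds per TOTP time step
used_steps = set()  # time steps whose code was already accepted (replay guard)


def check_password(candidate: str) -> bool:
    """Knowledge factor: PBKDF2 hash compared in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Possession factor: accept the current step or +/- `window` steps of clock
    drift, and never accept a step whose code was already used."""
    for delta in range(-window, window + 1):
        step = timestamp // STEP + delta
        if step not in used_steps and hmac.compare_digest(totp(secret, step * STEP), code):
            used_steps.add(step)
            return True
    return False


def login(password: str, code: str, timestamp: int) -> str:
    """Two-factor login: the second factor is only checked after the first passes.
    The returned stage is for the server's own log; the message shown to the
    user should not reveal which factor failed."""
    if not check_password(password):
        return "denied: knowledge factor"
    if not check_totp(TOTP_SECRET, code, timestamp):
        return "denied: possession factor"
    return "granted"
```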
What Are The Benefits of MFA?
Multi-Factor Authentication comes with a wide variety of benefits. After a company deploys Multi-Factor Authentication in their workforce, MFA helps them to:
1. Reduce security risks
Using more factors significantly mitigates security risks. Multi-Factor Authentication expands identity verification beyond username and password. Many attack methods leading to unauthorized access are based on stealing user credentials. MFA makes such attacks less likely to succeed by requiring the user to use more secure credentials based on hardware (security tokens, a phone, an OTP code). Microsoft says that MFA can prevent up to 99.9% of account compromise attacks.
2. Increase authentication security
A username and password are an insufficient means of authentication. Multi-Factor Authentication increases the security of authentication by adding methods based on stronger factors, such as solutions based on hardware tokens and personal phones.
3. Increase user trust
Users’ trust is very important. A company that uses Multi-Factor Authentication shows its users that it cares about their security. In the modern world, MFA is so ubiquitous that a company that does not use MFA for each login puts itself at risk; not only the risk stemming from likely attacks but also the risk of losing trust and respect in the industry.
4. Strengthen user identity
Multiple types of attacks involve stolen identities. Every user in a company has their own unique identity that needs protection. MFA helps protect user identities by making identity theft harder. Thanks to Multi-Factor Authentication, passwords are no longer the only line of defense against unauthorized access. It is much harder to gain access to an account if two independent factors are used to protect it. If MFA requires the user to present a mobile device, that is, a physical item separate from the computer they log in from, then even if the attacker gains access to the user’s computer remotely, they will not be able to access the user’s account.
5. Meet regulatory compliance requirements
While in the past, most industry regulations only suggested the use of MFA, nowadays, MFA is downright required. For example, most cyber insurance companies are now requiring MFA. A company that does not use MFA will most likely not get cyber insurance.
Furthermore, each company in a given industry must comply with a set of this industry’s regulations, such as PCI DSS, ISO/IEC 27001, NYDFS, or NAIC. For example, healthcare must conform to the Health Insurance Portability and Accountability Act (HIPAA). MFA helps companies conform to these requirements by offering a selection of authentication methods, delivering more than one distinct factor, and supporting out-of-band authentication (OOBA).
It is up to each MFA provider to ensure their product conforms to the norms of each industry, e.g., Rublon delivers an MFA solution that empowers each industry. As a result, companies must no longer worry whether their security policy conforms to all these requirements, as MFA providers do that for their customers by offering industry-compliant MFA products.
6. Provide flexibility
All modern MFA solutions should be flexible enough to easily integrate with Single Sign-On (SSO) and Adaptive Authentication (Risk-Based Authentication). The best MFA providers offer all of these solutions in one pack. For example, Rublon comes with SSO and Access Policies (the latter being our solution to the challenge of Adaptive Authentication).
What Types of Attacks Does MFA Prevent?
MFA prevents some of the most popular and severe types of attacks.
1. Phishing
Phishing involves a malicious actor sending a fraudulent message to users and trying to trick them into revealing sensitive information such as their passwords or other data. Hackers use many ways of phishing. One example is sending fraudulent links through popular services, email messages, or SMS messages. Such links often redirect users to a copy of a popular website, such as a bank login page. Users may think they are accessing a legitimate website and try to enter their credentials to log in. In reality, they provide their password to the fake site. A malicious script on that site sends the credentials to hackers, who then access the user’s data on the legitimate website. Examples of preventing and mitigating phishing include user training, spreading awareness, and deploying MFA. MFA ensures that even if a hacker succeeds in obtaining a user’s password, the second step of authentication will thwart them.
2. Keystroke Logging
Keystroke logging malware is a kind of malicious software that reads a user’s keystrokes and then sends this data to a hacker. Users who have their computers infected with keylogging malware are at risk of losing or exposing their data. Usually, users get their computers infected with malware by clicking a phishing link. MFA solutions protect against keystroke logging in two ways. Firstly, MFA reduces the risk of infecting your computer with keylogging malware. Secondly, if you have, e.g., a security token, then even if your computer is already infected and your password gets stolen, hackers cannot get in without having your physical token (or your personal smartphone).
3. Password Attacks
While some malicious actors just use stolen or guessed credentials, other hackers try to break passwords. If you have deployed one of the many available MFA solutions, then a broken password will not compromise your account.
4. Man-in-the-Middle (MITM) Attacks
MFA systems that support Out-of-Band Authentication (OOBA) are examples of highly effective shields against MITM. A MITM attack involves a malicious party inserting itself in the middle of a communication between two other unsuspecting parties and then impersonating one of the sides. One of the legitimate participants sends data to the other side, but the data ends up in the hands of a malicious actor. MFA strengthened with OOBA requires credentials supplied from two distinct channels. Even if the malicious party successfully intercepts one set of credentials (login and password), they cannot intercept other credentials that travel through another channel and arrive at another device. Rublon’s Mobile Push is a good example of MFA with OOBA that prevents MITM.
5. Ransomware Attacks
While MFA cannot save your data if your network or computer is already infected with ransomware, MFA safeguards your network, services, and systems to prevent such incidents from ever happening.
Get Rublon MFA Today
Multi-Factor Authentication (MFA) is a vitally important part of any company’s workforce security. Authentication is something you do every day. And there is no doubt that you will never stop authenticating. Meanwhile, the bad guys will never stop trying to get access to your systems and services. That is why making sure your users’ authentication is as safe as possible should be the number one goal in your company.
It is never too late before it is too late. Do not hesitate. Get Rublon MFA today to always be one step ahead of the bad guys. With Rublon, you get both peace of mind and a cutting-edge Multi-Factor Authentication solution for just $2 per user per month.
To get on the MFA train, start a 30-day Free Trial of Rublon.