Multi-factor authentication (MFA) ensures that digital users are who they say they are by requiring them to provide at least two pieces of evidence to prove their identity. Each piece of evidence must come from a different category: something they know, something they have or something they are. If one of the factors has been compromised by a hacker or unauthorized user, the chances of another factor also being compromised are low, so requiring multiple authentication factors provides a higher level of assurance about the user’s identity.
There are two types of multi-factor authentication:
- Device MFA: An authentication process that implements MFA directly at the point of login to a system.
- Application MFA: An authentication process that implements MFA upon attempting to gain access to one or more applications.
Multi-factor authentication works in roughly the same manner for both types. As the user attempts to gain access to a particular resource, they are challenged to input multiple authentication factors rather than just one. The user’s credentials are then verified by a core identity provider (IdP) or directory services platform. Once authenticated, the user gains access to the requested resource.
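The verification step described above, sketched as an added example that is not part of the original page: access is granted only when factors from two different categories verify, so a correct password submitted alone (or twice) is rejected. The account layout, function names, salt and the choice of a PBKDF2 password hash and an RFC 6238 TOTP code as the two factors are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SALT = b"constructed-salt"  # constructed sample values, not from the page
ACCOUNT = {  # hypothetical record an IdP might hold for one user
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
}

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", max(int(at), 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_knowledge(account, password):
    """Something the user knows: compare a salted, stretched password hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, account["pw_hash"])

def check_possession(account, code, now, window=1, step=30):
    """Something the user has: a code from the enrolled authenticator.
    Adjacent time steps are accepted to tolerate clock drift."""
    for i in range(-window, window + 1):
        expected = totp(account["totp_secret"], now + i * step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False

def authenticate(account, evidence, now):
    """Grant access only when factors from two different categories verify.
    `evidence` is a list of (category, value) pairs submitted by the user."""
    verified = set()
    for category, value in evidence:
        if category == "knowledge" and check_knowledge(account, value):
            verified.add(category)
        elif category == "possession" and check_possession(account, value, now):
            verified.add(category)
    return len(verified) >= 2

if __name__ == "__main__":
    code = totp(ACCOUNT["totp_secret"], 59)
    print(authenticate(ACCOUNT, [("knowledge", "correct horse"), ("possession", code)], 59))
    print(authenticate(ACCOUNT, [("knowledge", "correct horse")], 59))
```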
Now more than ever, major data breaches are occurring at an alarming rate, affecting millions of people. The compromised information includes usernames and passwords that could allow cybercriminals access to users’ confidential accounts. In addition, passwords alone can frequently be easily guessed or compromised through phishing or hacking. As more personal information finds its way to online applications, privacy and the threat of identity theft are increasingly a concern. Multi-factor authentication should be used whenever possible because it immediately neutralizes the risks associated with compromised passwords by adding a layer of security to protect highly sensitive personal information. If a password is hacked, guessed, or phished, a hacker would still need the required second factor on the account, making the stolen password alone useless.