What Is Multi-Factor Authentication?
What is Authentication?
Access control in cyber security is a 3-step process of identification, authentication and authorization. In this process, after a subject identifies itself with the claim of an identity, it needs to be authenticated, that is, the subject needs to prove who it claims to be. This proof of identity is achieved through providing credentials to the access control mechanism. Passwords, PINs, digitals signatures, biometrics data are some of the credentials that can be used to prove identities in such a system.
Authentication Mechanisms (Factors)

The credentials being used for authentication can be categorized in six different groups, that are also called authentication methods or factors. In short they are:
- Something you know, (also known as Type 1 authentication factor) such as a password, personal identification number (PIN) or passphrase.
- Something you have, (also known as Type 2 authentication factor) such as a smart card, memory card or a token.
- Something you are (biometrics) (also known as Type 3 authentication factor), such as a finger print, palm topology, hand geometry, iris/retina scan or phase recognition.
- Something you do (behavioral biometrics) (also known as Type 3 authentication factor), such as a typing pattern (keystroke dynamics), signature pattern (signature dynamics) or voice pattern.
- Somewhere you are (also known as Type 4 authentication factor), such as a location or IP address with which authentication is conducted.
- Sometime you do (also known as Type 5 authentication factor), such as a time window of opportunity in which authentication is expected to take place.
What Is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is proving who the claimed identity is by using 2 or more authentication factors/methods in an authentication mechanism. In other terms, if an authentication system requires at least two different credentials that are in different authentication categories, this is called multi-factor authentication. For instance, using both a password (something you know) and a finger print (something you are) for authentication is considered as multi-factor authentication.
Another example would be using your debit card for shopping, i.e., you own the card (something you have) and enter a PIN (something you know) to complete a transaction. Note that, using both a password and a PIN is not considered multi-factor authentication (since both passwords and PINs belong to the same authentication category (something you know).

If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different.
Bruce Schneier
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
Difference Between 2FA and MFA
As a subset of MFA, 2 Factor Authentication (2FA) is the application of only 2 factors (rather than 3 or 4) in an authentication mechanism. State it differently, it is a method of confirming a subject’s identity through a combination of only 2 authentication factors, such as something you know and something you have or something you have and something you do.
Difference Between 2SA and MFA
As mentioned briefly above, asking a subject to provide credentials multiple types using only one of the authentication factors is called Multi-Step Authentication (not to be confused with MFA). As a subset of this definition, 2 Step Authentication (2SA) is providing only 2 credentials, both of which are in the same authentication factor category. Using a password with an additional authentication step of a passphrase or PIN is an example of 2 step authentication, since only what you know is employed as an authentication mechanism in this case.
Why Should We Use It?
Depending on only usernames and passwords for authentication is just too risky, since passwords offer weak security though more friendly to use. They could be hacked via password attacks due to bad user practices such as choosing weak passwords, writing down passwords on notes or using the same or similar passwords on multiple accounts. Passwords could also be captured through social engineering or phishing attacks or through malware.
The fundamental rationale for multi-factor authentication is the application of defense in depth principle for authentication. The more are there defense or protection layers, the harder is it for the attackers to break in to systems. Additionally, multi-factor authentication requires these layered defenses differ significantly from each other to make it harder for the attackers to bypass them.
To give an analogy, using one guard after another to control entrance to a building will not prevent an attacker who knows how to trick a guard into allowing him in. Basically the attacker will use the same trick to pass through the second guard.
Similarly, you might be tempted to think that using both a password and a passphrase shall increase your authentication security. However, using the same attack method that could compromise one of these, an attacker could also compromise the other. For instance, if there is a key logger installed in your system, both the password and the passphrase will be stolen by an attacker using the same attack method of key logger installation.
To sum up, multi-factor authentication provides increased security over a single-factor authentication process, such as using static passwords. Additionally, multi-factor authentication can help organizations comply with industry regulations (such as PCI DSS) where increased authentication security is mandated.
Multi-Factor Authentication Technologies
- Hardware Tokens (Something You Have): As being one of the most secure methods, a small hardware device that users carry with them can be used as an additional authentication mechanism. Such devices usually produce one-time passwords (OTP), that should be provided into an authentication mechanism. Another popular use case for hardware tokens is plugging them on to a device on which authentication process is conducted.
- Smart Cards (Something You Have): Similar to hardware tokens, users might be expected to swipe a card before logging into a system.
- Software Tokens (Something You Have): Similar to the hardware tokens, software or application-based tokens could be used to produce OTPs. In practice, software tokens are usually installed on mobile phones. Google Authenticator application could be an example that is used widely.
- SMS Text Message Verification (Something You Have): SMS text messages delivered to users’ mobile phones is one of the most frequently used MFA technology today. However, due to security concerns, SMS text message use for MFA is decreasing significantly.
- Email Verification (Something You Have): This method is identical to SMS verification, but the code is sent via email.
- Push Notification (Something You Have): Similar to the SMS text messages, push notifications deliver the authentication codes or OTPs on devices that users have, such as mobile phones. However, they are regarded as more secure compared to SMS text messages.
- Biometrics (Something You Are): Biometrics uses biologically unique traits of users to authenticate them. To name a few, finger print, palm topology, hand geometry, iris/retina scan or phase recognition are some of the most commonly used examples. Due to being comparatively costly to install, less user friendly and difficult to maintain compared to other technologies, they are generally used in critical infrastructures.
- Behavioral Biometrics (Something You Do): Though the initial technical writings about behavioral biometrics date back to 1975, only recently this technology finds practical usage in information systems, due to the technological developments in this field. Typing patterns (keystroke dynamics), signature patterns (signature dynamics) or voice patterns constitute some practical behavioral biometrics use cases.
- Location Factors (Somewhere You Are): A user’s current location can also be very critical in establishing a secure authentication process. Especially, the ubiquity of mobile phones can be very useful for this purpose. In addition to checking physical location, IP based location controls could also be employed to approve or disapprove an authentication request. For instance, authentication could be restricted only to local IPs or banned to black listed IPs.
- Time Factors (Sometime You Do): Time based authentication control is another technology that is being used, especially to restricts users from singing in to systems outside the office hours.
To learn more about the authentication mechanisms, you could also read our articles What Is Identification, Authentication and Authorization? or What Is Adaptive and Continuous Authentication?