what is the most secure mfa method

What Is The Most Secure MFA Method?

Breaches of passwords account for 77% of all cloud account breaches. No matter how much companies stress the need for employees to adopt good password habits, it doesn’t always happen.

The problem is that people have too many passwords to remember, so they have a hard time keeping track of challenging, unique passwords for all their accounts.

This leads to passwords being reused across multiple accounts (personal and work) and weak passwords that are easy to hack.

Credential compromise and the resulting insider attacks have become a significant cybersecurity threat. Insider attacks have risen 47% over the past two years, and many of these are perpetrated by a hacker that has gained system access through legitimate user login.

What’s the best way to secure account passwords and stop unauthorised access? By enabling multi-factor authentication (MFA). MFA can block as many as 100% of fraudulent sign-in attempts, depending upon the method you use.

Hackers are relentlessly trying to crack your systems and steal your data. And the penalties for losing customer data recently rose with the introduction of the general data protection regulation (GDPR). Companies can now be fined enormous sums for not taking adequate care of sensitive data. 

Let’s start with a disclaimer. It’s reported that as many as 85% of Microsoft Office 365 tenants don’t have any MFA enabled – and any MFA is better than none.

If your organisation doesn’t have MFA in place, make plans now to get it helped. Most cloud services providers will offer basic MFA free of charge.

All Datcom customers are already in the top 15% of businesses regarding protection online and have some form of MFA enabled. Any online account that has MFA enabled will mitigate against 99% of charge hacking attempts.

For those businesses in the 15% bracket, the vast majority will have SMS MFA enabled.

When you attempt to log on to an online-based service with your username and password, you will receive a time-limited, one-time password used to verify that you are indeed the authorised user for that account.

The 15% are already security-aware, whether they are kept informed by their IT service provider or have reacted to a previous security breach.

SMS MFA is an excellent first step, but it’s not the end game for account and data protection and is not infallible (no security solution is.)

What Is Multifactor Authentication?

Multi-Factor Authentication (MFA) is a security technology that requires multiple authentication methods from independent categories of credentials to verify a user's identity for a login or other transaction.

Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.

The goal of MFA is to create a layered defence that makes it more difficult for an unauthorised person to access a target, such as a physical location, computing device, network or database.

If one factor is compromised or broken, the attacker still has at least one or more barriers to breach before successfully breaking into the target.

In the past, MFA systems typically relied on two-factor authentication (2FA). Increasingly, vendors are using the label multifactor to describe any authentication scheme that requires two or more identity credentials to decrease the possibility of a cyber-attack. Multifactor authentication is a core component of an identity and access management framework.

How Does Multi-factor Authentication Work?

why do we need access control systems

Multi-factor authentication (MFA) uses multiple technologies to authenticate a user's identity. In contrast, single-factor authentication (or simply “authentication”) uses a single technology to prove the user’s authenticity. With MFA, users must combine verification technologies from at least two different groups or authentication factors. 

These factors fall into three categories: something you know, something you have, and something you are. This is why using a PIN with a password (both from the “something you know” category) would not be considered multi-factor authentication, while using a PIN with facial recognition (from the “something you are” category) would be.

Note that a password is not required to qualify for MFA. An MFA solution can be entirely passwordless.

It is also acceptable to use more than two authentication methods. However, most users want frictionless authentication (the ability to be verified without performing verification).

What Authentication Factors are Used in MFA?

Following are the three main categories:

  • Something you know (knowledge factor)

This is typically a password, PIN, or passphrase, or a set of security questions and their corresponding answers known only to the individual. To use a knowledge factor for MFA, the end-user must correctly enter information matching details previously stored in the online application.

  • Something you have (possession factor)

Before smartphones, users carried tokens or smartcards that generated a one-time password or passcode (OTP) that could be entered into the online application. Today, most users install an authenticator app on their smartphones to generate OTP security keys.

  • Something you are (inherence factor)

Biometric data about an individual range from fingerprints, retina scans, facial recognition, and voice recognition to behaviours (such as how hard or fast the person types or swipes on a screen).

To achieve multi-factor authentication, at least two different technologies from two other technology groups must be used for the authentication process.

As a result, using a PIN coupled with a password would not be considered multi-factor authentication, while using a PIN with facial recognition as a second factor would be. It is also acceptable to use more than two forms of authentication.

However, most users increasingly want frictionless authentication (the ability to be verified without the need to perform verification)

MFA Authentication Methods

An authentication factor is a category of credentials used for identity verification. For MFA, each additional element is intended to assure that an entity involved in some communication or requesting access to a system is who -- or what -- it says it is. The use of multiple forms of authentication can help make a hacker's job more difficult.

The three most common categories, or authentication factors, are often described as something you know, or the knowledge factor; something you have, the possession factor; and something you are, or the inherence factor. MFA works by combining two or more factors from these categories.

Knowledge Factor.

Knowledge-based authentication typically requires the user to answer a personal security question. Knowledge factor technologies generally include passwords, four-digit unique identification numbers (PINs) and one-time passwords (OTPs). Typical user scenarios include the following:

  • swiping a debit card and entering a PIN at the grocery checkout;
  • downloading a virtual private network client with a valid digital certificate and logging in to the VPN before gaining access to a network; and
  • We provide information, such as the mother's maiden name or previous address, to gain system access.

Possession Factor. 

Users must have something specific in their possession to log in, such as a badge, token, key fob or phone subscriber identity module (SIM) card. For mobile authentication, a smartphone often provides the possession factor in conjunction with an OTP app.

Possession factor technologies include the following:

  • Security tokens are small hardware devices that store a user's personal information and authenticate that person's identity electronically. The device may be a smart card, an embedded chip in an object, such as a Universal Serial Bus (USB) drive, or a wireless tag.
  • A software-based security token application generates a single-use login PIN. Soft tokens are often used for mobile multi-factor authentication, in which the device itself -- such as a smartphone -- provides possession factor authentication.

Typical possession factor user scenarios include the following:

  • mobile authentication, where users receive a code via their smartphone to gain or grant access -- variations include text messages and phone calls sent to a user as an out-of-band method, smartphone OTP apps, SIM cards and smart cards with stored authentication data; and
  • It is attaching a USB hardware token to a desktop that generates an OTP and using it to log in to a VPN client.

Inherence Factor. 

Any biological traits the user has that are confirmed for login. Inherence factor technologies include the following Biometric verification methods:

  • retina or iris scan
  • fingerprint scan
  • Voice authentication
  • hand geometry
  • digital signature scanners
  • facial recognition
  • earlobe geometry

Biometric device components include a reader, a database and software to convert the scanned biometric data into a standardised digital format and to compare match points of the observed data with stored data.

Typical inherence factor scenarios include the following:

  • using a fingerprint or facial recognition to access a smartphone;
  • providing a digital signature at a retail checkout; and
  • identifying a criminal using earlobe geometry.

User location is often suggested as the fourth factor for authentication. Again, the ubiquity of smartphones can help ease the authentication burden: Users typically carry their phones, and all essential smartphones have Global Positioning System tracking, providing credible confirmation of the login location.

Time-based authentication is also used to prove a person's identity by detecting presence at a specific time of day and granting access to a particular system or location.

For example, bank customers cannot physically use their ATM card 15 minutes later. These types of logical locks can be used to help prevent many cases of online bank fraud.

What Are The Different Types Of MFA?

what is the most secure mfa method (2)

Multi-factor authentication is the process of requiring a second authentication method in addition to a username and password entry. This puts up a barrier for hackers because even if they have the password, they can’t gain account access.

When MFA is enabled, the user takes an extra step after their password is accepted. They must retrieve a code that is sent to a physical device. This code is then entered into the web form to complete the login and gain access.

This system is mainly effective at blocking fraudulent sign-in attempts because, in most cases, a hacker won’t physically possess the device used to receive the MFA code.

They also don’t have enough time to hack that code because codes are unique for each login and only active for approximately 5-10 minutes.

There are three ways that you can receive the code:

  • Via SMS to a mobile number
  • Via on-device prompt through an authentication app
  • Via a security key that is plugged into a device

Does it matter which method you use?

While all provide significant protection against account takeovers, there are some security differences between them. We’ll go through those next.

What Are The Different Types Of Multi-factor Authentication Technologies?

Following are standard MFA technologies:

Biometric Authentication

Biometric technologies are a form of authentication that accurately and securely authenticate users through their mobile devices. The most common biometric modalities are fingerprint scans and face recognition.

Biometric authentication also includes behavioural biometrics, which provides an invisible layer of security by continuously authenticating an individual based on the unique ways they interact with their computer or mobile device: keystrokes, swipe pattern, mouse movements, and more.

Hardware Tokens

Hardware authenticators are small, easy-to-use devices that an owner carries to authorise access to a network service. By supporting strong authentication with one-time passcodes (OTPs), the physical tokens provide a possession factor for multi-factor authentication while enabling enhanced security for banks and application providers that need to secure multiple applications with a single device.

Mobile Authentication

Mobile authentication is the process of verifying a user via their Android or iOS device or verifying the device itself. This technology allows users to log in to secure locations and access resources from anywhere with enhanced security.

Out-of-band Authentication

This authentication type requires a secondary verification method through a separate communication channel, typically the person’s Internet connection and the wireless network their mobile phone operates. These are examples of out-of-band technologies:

Creator Code

This colour QR-like code can authenticate or authorise a financial transaction. The individual sees this colour QR-like code displayed through their web browser. Only the person’s registered device can read and decrypt the code. It contains transaction details that the user can verify before completing the transaction, which is very secure.

Push Notification

Push notifications deliver an authentication code or one-time passcode on the user’s mobile device. Unlike an SMS message, the information appears on the lock screen of the device.

Sms Text Message Or Voice Message

One-time passcodes are delivered to the user’s mobile device through an SMS text message or a voice message.

Soft Token

Software authenticators or “app-based tokens” generate a one-time login PIN. Often these software tokens are used for MFA use cases where the user’s device – a smartphone – provides the possession factor.

The Five Most Common Multi-factor Authentication (Mfa) Methods

Multi-factor authentication (MFA) became a mainstay of the mobile device industry over the past decade. If you’ve ever had to enter an authentication code, receive an SMS, or scan some hardware, you’ve interacted with an MFA-enabled system. 

While MFA is ubiquitous, it’s far from perfect – whether you’re the business or the end-user. Here are the five most common MFA methods and where each of them falls short. 

Hardware Otp (One-time Password) Tokens 

Hardware-based devices generate one-time codes based on a cryptographic key stored inside the machine. The same cryptographic key is also held by a server -- which can cause the same OTP to verify that the value provided by the user is correct.

User interfaces (UIs) can vary: common types include a physical token that presents a one-time password on a built-in screen or a device with a keypad that requires a user to enter a PIN code before a one-time password is displayed.

Common issues: 

  • Poor user experience (UX) – users restricted in executing operations/verifying identity on the go, which is incompatible with today’s always-on lifestyle 
  • High maintenance and operating costs – businesses require a large staff to handle support questions and an increased budget for the deployment, maintenance and upgrade costs for tokens.
  • Tokens are vulnerable to theft or social engineering attacks (e.g. impersonation).

Standalone Otp Mobile Applications 

In a word: authenticator apps.

Common issues: 

  • Poor user experience (UX) – users must constantly switch between apps to authenticate identity/transaction; user loses access with every change/loss/upgrade of their smartphone; no secure backup options 
  • Lack of support for businesses relying on third-party apps
  • Potential for maliciously-built apps to produce and then steal OTPs and impersonate their users.

 Soft Token Software Development Kits (Sdks)

This software can be embedded into mobile apps and utilises cryptographic operations to authenticate the user and device. These solutions usually provide a smoother UX; there’s no need to switch between apps or rely on a hardware device. From a security perspective, there are significant advantages, as soft-token SDKs support advanced cryptography, e.g. digital signatures. 

Common issues: 

  • Poor user experience (UX) – users must constantly switch between apps to authenticate identity/transaction; user loses access with every change/loss/upgrade of their smartphone; no secure backup options 
  • Lack of support for businesses relying on third-party apps.

Sms-based Otps

This is a user-friendly method that does not require users to install any app. Instead, to authenticate, a one-time password is sent by SMS to the user’s registered phone, which is used to establish them.

Common issues:

  • UX issues – OTPs often have a time limit, and limited mobile carrier reception can cause users in remote areas. 
  • Vulnerable to malware, SS7, and SIM-swapping attacks.

Smartcards And Cryptographic Hardware Tokens

Physical devices can perform cryptographic operations like decryption and signing while providing solid physical protection of the keys inside a fully isolated, secure enclave. They can be used for logon to PCs (e.g. via Windows Smart Card Logon) and digitally sign transactions to verify that the authentic user indeed authorised this specific transaction. 

Smartcards require a dedicated reader or maybe contactless; cryptographic hardware tokens are typically connected via USB.

Common issues: 

  • Operational headaches for businesses – the high cost of deployment, maintenance, upgrade, and replacement
  • Similar UX issues as OTP hardware tokens.

While each MFA method has its flaws, what you can see above is one single trend: a trade-off between security and usability. 

There is hope, however – with cutting-edge cryptographic key storage and management methods built for enterprises.


Scroll to Top