What is multifactor authentication and how does it work?

What is multi-factor authentication or MFA? 

When you connect to one of your online accounts (bank, social networks, e-commerce sites, etc.), you go through an authentication system.

In other words, you prove to the service you are trying to access that you are the person you say you are.

Classically, this process is carried out with an identifier and password couple.

However, this authentication process has proven its limits over the past few years with increasingly frequent hacks and password thefts.

Passwords represent a veritable gold mine for hackers who then resell them on the dark web.
One of the last companies to have been the target of these hackers is the American company LastPass.
This American password manager with 33 million users was targeted by a second cyberattack (the second in four months).
The hacker managed to break into the LastPass development environment after hacking into the account of one of the company's IT developers.

In addition, nearly 60% of Internet users use the same password across all the applications they use every day, as shown by a Lab42 study for LastPass, which further facilitates the work of cybercriminals.

It is for this reason that now, a large number of online services have added security parameters during the authentication process: multi-factor authentication.

This ranges from banks (Caisse d’Épargne, BNP Paribas, Crédit du Nord), to social networks (Facebook, Instagram, YouTube), to B2B SaaS software (Salesforce, HubSpot, etc.).    

2FA vs. MFA, what are the differences? 

Multi-factor authentication is becoming more and more democratized, whether through SaaS applications in a professional field (human resources, finance, marketing, etc.) or by using different services on the web (bank, shopping sites, etc.). 

It is no longer sufficient to have a strong password to access certain applications, and many companies are requiring additional verification to ensure the identity of their users.

Multi-factor authentication is one of the main components of identity and access management on the Internet (or IAM, for Identity and Access Management).

Rather than just asking for a username and password, multi-factor authentication adds other additional verification factors.

When there is only one additional factor, then it is called 2FA and not MFA.

2FA is a subcategory of MFA, which, as its name suggests, consists of applying two identity verifications to the user.

How does multi-factor authentication work? 

As mentioned, multi-factor authentication consists of adding two or more factors in order to verify the identity of a person online.

One of the most common factors is OTP (One-Time Password), which is a code comprising between 4 and 8 digits, generally received on a device in your possession (by SMS on your mobile phone, by email, or via a dedicated application like Google Authenticator for example).

With OTPs, a new code is generated each time the user requests authentication from a service provider.

But multi-factor authentication is not limited to sending a code to a mobile phone.

Multi-factor authentication is based on 3 types of information: 

• the things you know: a secret question, a code
• the things you own: a smartphone, a tablet, a badge, a bank card, etc.
• things inherent to you: fingerprints, voice, facial recognition

Thanks to multi-factor authentication, an individual with your username and password will not be able to connect to your account (bank account, betting sites, streaming platforms, etc.).

Indeed, if multi-factor authentication is activated, the user will be prompted to enter a second authentication factor.

If the user does not have the code dynamically generated by this software, he will be stuck on the login screen.

There are many password generation solutions, the best known being Google Authenticator, Microsoft Authenticator, Free OTP, Duo Security, Yubico, Authy…  

Why is MFA important? 

If we go back a few years, multi-factor authentication did not exist, and very often passwords had no restriction in terms of security, and were even stored in the clear in user databases (like Facebook, until 2019).

The problem then is that authentication relies on a single factor. If this single factor is compromised, then a malicious person could access your various online accounts and exploit the data.

As a study by CyberNews points out, there are currently more than 8 billion stolen passwords available for sale on the dark web, which represents a real financial windfall for cybercriminals and a real danger in terms of security and of business for companies.

Multi-factor authentication therefore makes it possible to strengthen the security of access to your various accounts.

This makes life more difficult for cybercriminals, because without access to your second or third authentication factor, it will be impossible for them to access your account.

Since 2019, multi-factor authentication has become an obligation for certain financial institutions such as banks or payment providers in the context of sensitive operations (addition of a beneficiary, change of address, initiation of a bank transfer, etc.). 

An effective, but not infallible solution

Multi-factor authentication has many advantages. 

First, it allows a reduction in fraud and identity theft by phishing attacks because having a password is no longer enough.

Secondly, for companies, it demonstrates a priority given to security and data processing, which helps to gain credibility and seriousness with customers.

By coupling MFA with Single Sign On, you can save your employees from having to create a new password for all the software they use on a daily basis to do their work.

These two authentication technologies combined greatly facilitate the user experience by facilitating the login procedure, which in turn has a very clear impact on employee productivity.

Finally, one of the advantages of the MFA is also to adapt to new ways of working, in particular with the arrival of teleworking following the pandemic.

In this context, it is necessary for employees to be able to securely access the various company resources. SSO and MFA provide this flexibility and security.

However, the use of MFA is not foolproof either, as revealed by the recent phishing attack that affected one of Uber's employees.

Indeed, cybercriminals are more and more gifted, they could for example send you a link to a fictitious website, similar to a website that you use frequently in order to recover your login credentials.

If your multi-factor authentication is based on your phone, there are also limits: losing your phone, running out of battery, etc., no Internet network, etc.

The challenges of MFA authentication

The purpose of multi-factor authentication is to allow users to log in securely, without creating too much friction.

One of the challenges of MFA authentication in the years to come will therefore be to be ever more robust in the face of ever more efficient cybercriminals, all without generating too much complexity for the end user who simply wishes to access his service by line.

To simplify multi-factor authentication, there are 3 distinct approaches:

• Adaptive MFA 

Thanks to adaptive MFA, the triggering of MFA is conditioned by knowledge held by the company: location of the employee, internal rules, device used, etc.

For example, a corporate VPN knows when an employee connects from home because it knows the type of device and the location of the employee, so there will be no MFA in this case.

On the other hand, if the employee connects to the same VPN from a coffee shop, the VPN will not recognize this location and will therefore ask the employee to proceed with the MFA.

To summarize, adaptive MFA is therefore based on knowledge of users and their habits.

• Single Sign On 

This authentication solution allows users to connect to a single system, allowing them to subsequently access a wide range of applications. Single Sign On authentication stores a user's identity in a single system, which then shares that identity with other applications that need that identity.

Since the user has a single set of username and password to access multiple applications, it is much easier to apply a strong password.

If the password is compromised, it is enough to change it in the source system so that it is changed on all the applications.

This mode of authentication is increasingly popular with large companies for security and user experience reasons.

• Push authentication

Push authentication is a mobile authentication technique, where an app's security system automatically issues a one-time passcode to the user's mobile phone.

Once the username and password have been entered, a code is received on the user's mobile, who simply needs to enter it.

For the end user, this technique has the advantage of not needing to remember a code or an answer to a secret question, because the received code is generated on the fly. In addition, thanks to the autofill feature available on a large number of smartphones, the user experience remains very fluid.

Authentication, a security issue, and a business issue

The practice of logging into an application using a username and password has long been the standard practice. 

Nowadays, new authentication solutions offer a higher level of security, while guaranteeing the smoothest possible user experience.

At Cryptr, we offer a large catalog of authentication solutions to allow you to offer the best authentication experience to your users depending on the context:

• passwordless authentication: to connect without having to create a password, thanks to a connection link sent instantly to the mailbox
• single sign on authentication: to connect to SaaS software with your corporate credentials
• multi-factor authentication: to further secure your login / password connections with an overlay of security (OTP via SMS, QR code, etc.)
• directory synchronization: to automatically provision and deprovision users
• traditional login / password connection  

For more information on our different authentication products, do not hesitate to follow us on LinkedIn, Twitter, YouTube and Instagram.