The Many Factors Of Multi-Factor Authentication


Passwords are often considered the ultimate step in keeping data secure. 

However, passwords are no longer as secure as they once were.

While passwords can stop someone casually trying to access sensitive information, they do little to prevent cyberattacks from experienced hackers.

This is where multifactor authentication comes in. 


What Is Multifactor Authentication?

Now that business data can be accessed anywhere, your business should require your employees to use multifactor authentication (MFA). 

Multi-factor authentication, or MFA, is another layer of security on top of the username & password that helps protect people and devices from succumbing to a cybersecurity breach.

MFA requires more than just a password to ensure the user logging in is the person that’s supposed to be there, especially with the prevalence of social engineering attacks.

Also known as two-factor authentication (2FA), MFA consists of five main parts. 

Any combination of these authentication methods can help keep data safe from cyberattack. 

Let’s take a closer look at the five factors of authentication methods and examples of what they look like.


Factor 1: What You Know

You may know your password.  

While it’s not the most secure factor, it’s the first line of defense. 

However, our passwords are often weak and common among other people, so they’re easy to crack and allow hackers to gain access.

Create a strong password by creating a passphrase from an acronym that is unique to you. 

Passphrases should include capital letters, numbers, and symbols to prevent the average person from getting into sensitive data. 

Knowledge-based information is the crucial first step every business should use to keep their data and their clients’ data safe.


Factor 2: What You Have

You have the security question you selected when creating your account with a particular service. 

Banking sites are a great example of requiring security questions. 

They ask you things like what your mother’s maiden name was or the name of your early childhood pet. 

The question asked shouldn’t be commonly known amongst your colleagues or peers, and should not be easily cross-referenced with other public information, such as street address. 

Other examples of this type of authentication include:

  1. Authentication apps, such as Google Authenticator or Authy
  2. Time-based, one-time passwords (OTP) that show up in text messages or emails and are only valid for minutes at a time
  3. Push notifications from an app. 

One drawback to MFA is the phenomenon known as MFA fatigue.

"Also known as 'push bombing,' writes the CISA (PDF), MFA fatigue "occurs when a cyber threat actor bombards a user with mobile application push notifications until the user either approves the request by accident or out of annoyance with the nonstop notifications."

To combat MFA fatigue, we typically recommend number matching. 

Number matching is the process of the primary platform displaying a number that the user must enter to approve the authentication request. 


Factor 3: Who You Are

You can use your biometrics to aid in the authentication process. 

This means that some part of your physical being is needed for the authentication process—fingerprints or facial identification are two great examples of this for a mobile device. 

While biometric authentication is incredibly safe and makes it hard for someone hard to break into your account, implementing these types of authenticators for some protections may be cost-prohibitive. 


Factor 4: Where You Are

You—and your device—are always somewhere.

Some products and services track the most common login points for information and send a warning if a login attempt is performed from a different place. 

This is most common with tech services such as Google, warning its users when their email has been logged into from a new device. 

This is an excellent service for businesses to use, especially if they give their employees work devices to use and as more companies have implemented a remote workforce. 

If someone has logged into an account from a device that was not logged by the company, it could be an instant giveaway that the login may not be legitimate.


Factor 5: What You Do

This is a lesser-used form of authentication but serves as another secure step. 

When you log in to a product or service, this factor requires you to perform a tactile movement. 

It could also be a series of swipes or taps in a pattern known only to you, similar to the lock screen on some mobile phones. 

The biggest downside with this is that, like with passwords, most users pick repeated patterns that make it easier for hackers to figure out. 

A business looking to use this feature should give their employees specific, randomized motions to make it safer.

Overall, multifactor authentication is required in some industries, while in others, implementation is optional.

As cybersecurity incidents increase each year, MFA is a common recommendation we make regardless of the industry you’re in. 

Enabling MFA is a strong defense against your personal or business information bubbling up in a breach.

Integrity helps organizations in healthcare and financial services stay secure and compliant. Learn more about our range of managed security services!

Plus, how secure is your data? Multifactor authentication is just one of the 20 ways we suggest businesses use to protect sensitive information. Download this free data security checklist today to see how well you're doing!

New Call-to-action

Read On