Skip to main content
purple hex pattern

How do you know someone is who they say they are? In short, that’s the question authentication sets out to answer.

Here’s the problem: Confirming identity is tougher than ever before. Usernames and passwords don’t suffice, which is why many enterprises turn to multi-factor authentication (MFA).

Not familiar with MFA? Curious how it can protect your business? Read on to learn everything you need to know about MFA and why it’s an essential part of your cybersecurity posture.

What is MFA?

According to the National Institute of Standards and Technology (NIST), MFA is an authentication method that requires more than one distinct “authentication factor” to use a website, application, or system.

An authentication factor is a security credential that verifies a user's identity when they try to access a particular resource. For example, when someone logs into an email account, they typically submit a username and password. These credentials are a form of identification, indicating that the access request comes from a legitimate individual — not an imposter.

MFA aims to make this process more secure by requiring at least one additional factor — hence the name “multi-factor authentication.” Why? Because, when hackers compromise login credentials, they can gain unauthorized access to key resources and sensitive information.

Let’s say cybercriminals crack an account belonging to a privileged user (e.g., someone with permission to access critical IT systems and perform activities that standard users are not permitted to do). They can exfiltrate hoards of confidential data, like Social Security numbers, financial information, and more. A data breach could lead to employee and/or customer identity theft and have significant business impacts, costing $4.45 million on average.

In short, that’s where MFA solutions come into play. With the right system, organizations can protect workforce, consumer, and citizen identities through layers of strong authentication.

What’s the difference between MFA and two-factor authentication (2FA)?

MFA and 2FA are extremely similar concepts, but not strictly the same.

Simply put, 2FA is an authentication method that requires exactly two identifiers — no more, no less. Thus, it’s a subset of MFA, which requires two factors at a minimum.

In theory, MFA is typically more secure than 2FA because it can encompass as many authenticators as you want for any specific use case. Each additional factor makes unauthorized access more difficult, squeezing another layer of protection between hackers and sensitive information.

That said, 2FA isn’t insecure by default. It’s still significantly better than relying on single factor authentication, as traditional password protections are much too vulnerable to modern cyber threats.

MFA examples

How do organizations use MFA solutions? Here are two of the most common use cases:

  1. Remote access for employees: In the United States alone, a third of remote-capable employees are working from home on a regular basis. As hybrid work increases worldwide, companies must give users secure remote access to critical resources. MFA solutions allow them to identify and protect workforce identities while accommodating the convenience of work-from-anywhere.
  2. On-site system access: Likewise, on-premises systems, such as in hospitals, are vital stores of protected information. With the right MFA solution, employees can use proximity badges alongside credentials to access patient databases quickly and securely.

How does MFA work?

The process depends on the exact MFA method in use. However, regardless of specifics, the workflow generally works like this:

  • User login: The user enters their username and password.
  • Authentication request: If the primary login is successful, the system asks for an additional factor.
  • MFA verification: The user provides the second authentication factor, such as a one-time passcode (OTP) generated by an authenticator app.
    • Optional third factor: An MFA solution may invoke more authentication requests if configured to do so.
  • Successful authentication: If all factors are verified, the user gains access to the system.

This process typically takes just moments to complete and has little impact on the user experience. Ultimately, it depends on how many MFA factors you require, which fall into three categories: knowledge, possession, and inherence.

1. Knowledge factor

The knowledge factor refers to something only the user would know, like a password or PIN. MFA systems have added more knowledge factors over time, the most common example being the answer to a secret question (e.g., your mother’s maiden name, high school mascot, etc.).

However, this is the weakest of any MFA factor because it can be easily guessed. For instance, it doesn’t take much effort for hackers to obtain secret question answers from social media profiles, as they often are based on personal information. Likewise, they’re also susceptible to phishing attacks.

2. Possession factor

The possession factor includes something only the user would have. Today, there are several advanced types of possession-based verification, such as:

  • OTP: One-time passcodes delivered via email or SMS.
  • Push notification: Alerts sent to the user’s mobile device requesting confirmation of their access request — the idea being only the owner would have the device. 
  • Hardware token: FIDO2 keys, and other physical devices that users plug into a desktop. They contain encrypted information, which authenticates the user’s identity.
  • Grid card: Paper-based cards printed from PDF files contain a grid of rows and columns consisting of numbers and characters. Users must provide the correct information in the corresponding cells from the unique card they possess.

3. Inherence factor

The inherence factor includes information that is inherent to the specific user. Compared to the other two factors — something you know and something you have — it’s easiest to consider inherence something you are. Thus, it’s also referred to as biometric authentication, leveraging MFA methods like:

  • Fingerprinting
  • Retina scanning
  • Voice recognition
  • Facial recognition

Because biometric authentication is innately difficult to bypass, inherence-based factors are among the most secure options available.

Additional MFA factors

Aside from the three primary identifiers, cutting-edge solutions may use three emerging MFA factors:

  • Time: This evaluates the access attempt against expected usage times. If a request happens during off-hours, the solution may require an additional factor. 
  • Location: MFA solutions may validate requests based on geographic location or IP address, ensuring they originate from an authorized position.
  • Behavior: This factor analyzes user patterns, like keystroke dynamics, to confirm identity based on historical or habitual actions.

Together, these factors strengthen classic MFA with more sophisticated security mechanisms. Critically, they also enable adaptive MFA — but more on that later.

Want to learn more? Download our latest eBook and discover the power of Entrust Identity.

Why is MFA important?

Hackers are targeting identities at an unrelenting pace. In 2023, over 8.2 billion records were stolen in credential-based attacks, including 3.4 billion in a single data breach. Of course, the impacts can be devastating: fraud, identity theft, compliance violations, monetary losses, reputational damage — the list goes on.

Unfortunately, many businesses are underprepared for identity-based threats. According to a 2023 study, 61% of organizations said securing digital identity is a top three priority. Yet, only 49% of them had a full MFA implementation. Had they an effective MFA solution, they’d have reduced their likelihood of hacking by 99%.

MFA and Zero Trust

Indeed, MFA is an adequate answer to cyber threats past and present — but critically, it’s also vital to the cyber-resilient future. In other words, it’s a must-have component of Zero Trust security.

Zero Trust is a modern security framework that emphasizes strong authentication, not just once, but continuously throughout a session. With a robust MFA system, as part of an identity and access management (IAM) platform, enterprises can implement one of the framework’s three pillars in one fell swoop. The result? Far less exposure to unauthorized access and identity-based attacks.

MFA benefits and challenges

Why bother with MFA? For starters, it brings numerous advantages to the table: 

  • Enhanced data security: MFA protects against password fatigue, phishing attacks, and other credential-based threats, reducing the risk of account takeovers.
  • Improved compliance: It also helps organizations meet various regulatory requirements and industry standards. By using MFA, organizations can demonstrate their commitment to safeguarding data.
  • Stronger trust: When customers know that an organization is using robust security measures like MFA, their confidence in the safety of their personal and financial data increases.
  • Reduced costs: MFA helps organizations avoid the substantial expenses associated with incident response, legal fees, regulatory fines, and reputational damage. Additionally, MFA can decrease the need for password resets and other support-related costs, as users are less likely to experience account compromises.

However, it’s worth noting MFA does have its challenges. These include: 

  • Inconvenience: Additional factors can lead to a poor user experience, which frustrates employees and customers.
  • Potential vulnerabilities: MFA is a great security mechanism, but it isn’t impervious to attack. Certain threat vectors, like prompt bombing or SIM swapping, are making it clearer that organizations need the support of a fully featured IAM platform in addition to MFA.

What is adaptive authentication?

Adaptive authentication, also known as adaptive MFA or risk-based authentication, is a type of step-up verification. It analyzes contextual information to determine the risk level of whichever user profile is requesting access to a resource, increasing or decreasing security requirements accordingly.

More simply, adaptive MFA requires additional factors when there’s a greater chance the request is illegitimate. The greater the risk, the stronger its challenges will be.

For example, adaptive authentication evaluates the following:

  • Number of failed login attempts
  • Source IP address or geographic location
  • Device reputation
  • Day and time of attempt
  • Operating system
  • User role

If the access request is suspicious, it may prompt users to confirm their identity using an OTP or push notification. Likewise, if everything is normal, it may not issue any challenges whatsoever, thus offering a seamless user experience.

MFA implementation best practices

Worried about implementing your MFA solution? Look for a robust IAM system that not only includes adaptive authentication, but also ways to augment its capabilities. Here are some additional security measures to keep in mind:

  1. Single sign-on (SSO) enables users to access multiple applications with just one set of login credentials. As part of an IAM portfolio, SSO mitigates the risk of poor user experience while still leveraging the security of adaptive MFA. 
  2. Passwordless authentication reduces the risk of weak password hygiene. Instead of passwords, it uses biometric authentication and credential-based methods like digital certificates to validate identities.
  3. Mobile push authentication is a type of passwordless authentication method that sends a push notification to the user’s mobile device. This allows them to swipe or touch a button to approve transactions, access apps, or log in to enterprise applications.

Gain high-assurance MFA with Entrust Identity

Entrust Identity is our portfolio of identity and access management capabilities. With one IAM platform, you can leverage an entire suite of MFA tools and authenticators to protect your workforce, consumers, or citizens from today’s evolving threat landscape.

From adaptive MFA to passwordless authentication and more, we have all the security measures you need to succeed.

Entrust Authentication Suite infographic

Want to learn more? Download our latest eBook and discover the power of Entrust Identity.