The Different Types of Multi-Factor Authentication
September 28th, 2021

There is no doubt that online users are the weakest link in IT security due to easily compromised credentials and human imperfection.

Credential data, such as passwords, are involved in 61% of all security breaches and are responsible for  increasing the cost of security breaches by over 23%. 

Multi-factor authentication (MFA) is an IT team’s first defense against data breaches, and it’s the best option for companies with minimal security frameworks in place. By implementing MFA, IT administrators can effectively eliminate these risks and keep data safe.

MFA prevents data breaches by asking online users for further proof of identity. Even if a malicious party or hacker gets their hands on a password, they can’t access an online account because it’s protected by an additional layer of security. To learn more about the difference between single sign-on and multi-factor authentication, follow the link. 

There are three primary methods of authentication used in MFA after a user has successfully entered their username and password. 

Something the User Knows

Knowledge-based authentication (KBA) involves something online users already know, such as passwords, a personal identification number, or an answer to a security question. 

Security Question Authentication

Typically, security questions and their fixed answers are set-up when a user creates an  online account. They’re also regularly used in account recovery to verify a user’s identity if they can’t remember their password. 

It is important to note that dynamic KBA is more secure than static KBA. When using a dynamic approach, security questions are set in realtime and based on data records that are frequently updated, such as credit transactions. This makes it difficult for cyber attackers to find the answer to the security question because they would have to access the system where the security question is generated. With static KBA, the cyber attacker only needs to find out your friend’s or your pet’s name.

Something the Online User Has

The second type of MFA deploys authentication using something that the online user has. This includes objects, such as a smart card or a key, that let the account user into a physical location. 

Digital accounts involve tokens that are generated as one-time passwords (OTPs). There are three types of token authentication that are widely used, and each has its own advantages and disadvantages:

SMS Token Authentication

SMS authentication occurs when a company sends a personal identity number (PIN) to an account user through a text message. The account user then enters the PIN as a OTP to access their account. This is useful for companies whose employees access their accounts through a mobile phone because they work remotely or travel as part of their role. 

Account users can also receive SMS tokens through their laptop or their desktop. This authentication method is easy to implement, but the user must have their phone to verify their identity. Cyber attackers use powerful mobile phone tracking software to tap into phones, track mobile phone activity, and even divert text messages to themselves—without you ever knowing. 

Email Authentication

Email token authentication works similarly to SMS authentication except that the personal identification number is sent to an email address instead of only to a mobile device. This authentication approach offers better protection than SMS authentication because the user has to log into their email account to view the one-time password. It might take a user longer to access their online account, but account users can also access their one-time passcode using any mobile device that can receive emails.

Software Authentication

Software authentication requires the online user to verify their identity through an application on a tablet or smartphone. When prompted to enter a one-time passcode, the user needs to open an authenticator app, which gives them a time-restricted PIN to verify their identity. Most authenticator applications generate a new OTP every minute, so it's far more difficult for a malicious actor or hacker to retrieve this information. 

The only disadvantage of this MFA method is that it relies heavily on online users having smart devices to install authenticator apps. But personal devices usually have little to no security measures in place, presenting risks to businesses should the mobile device be lost, hacked, or stolen. It is possible to get around this obstacle by making sure employees access their accounts only through company-issued mobile devices, but this could be an expensive solution, especially for small businesses.

Something the User Is

This last type of MFA deploys biometrics, such as facial recognition, fingerprints, retina scans, and voice recognition. It is the most secure authentication approach because biometrics are the most difficult type of data to hack.

Biometric Token Authentication

To use biometric token authentication, the user must own a smartphone or computer that allows biometric scanning such as facial or voice recognition or fingerprint scanning. Most people with modern smartphones are familiar with this technology and use built-in features to scan their fingerprint to unlock their mobile phone. Even those not familiar with this technology probably use their biometrics to sign in without realizing it.

Biometric token authentication is faster than having to wait for a system-generated OTP to be sent via SMS or email, and users don’t need to remember any pesky passwords. However, just like software authentication, a user must have up-to-date smart devices with this technology built-in or download a biometric authenticator application. 

Final Thoughts

Each type of MFA has its own advantages, and some are more ideal for certain industries than others. For instance, SMS authentication works perfectly with every type of user and is easy to roll out, but it isn’t as secure as biometric token authentication. Biometric token authentication is the most secure type of MFA, but it requires companies to have strict security measures in place to protect their employees’ vulnerable information. 

It is important to consider the data risks facing your business and use this information in a decision about the type of MFA that best protects your systems. 

For more information, check out this article about Best Practices for MFA Implementation.