What Multi-Factor Authentication (MFA) Is
MFA is a secure way of verifying who the user is before allowing them to access the desired application or perform any other sensitive operation. It is mostly used during the login process. MFA provides increased security and is a core component of a strong identity and access management policy. It helps reduce risk of unauthorized access and ensures that the party initiating the sensitive operation is the right one. This usage of MFA is what is called transactional since it occurs outside the traditional authentication context.
How Multi-Factor Authentication (MFA) Works
MFA is a security mechanism that add an extra layer of protection so that the authentication is performed using at least two factors, for example, the username-password and the verification code. In context of the OAuth 2.0 flow, this security layer is applied when the resource owner is asked for an authorization grant by the client app via the authorization server (see rfc6749 section 1.2 and 1.3).
Try it now
Cloudentity comes with multi-tenant authorization server as a service that is capable of enforcing MFA to protect access to client applications and the resource server access scopes.
As part of this process, the authorization server must authenticate the resource owner and ask for their authorization. MFA can be applied at both of these stages (login and consent).
MFA requires multiple methods of authentication from independent categories of credentials. It combines two or more credentials, each corresponding to a different category (authentication factor). There are three most common authentication factors:
- Knowledge factor: what the user knows (for example, a password or PIN)
- Possession factor: what the user has (for example, a mobile phone, a security token, a mailbox)
- Inherence factor: what the user is (for example, biometric verification or voice recognition).
Authentication Factor Types
There are a number of MFA types:
- Mobile apps: MFA software’s mobile apps
- Software token: Offline tokens that enable users to use MFA mobile apps
- Push notifications: Sent to a user’s mobile device asking them to approve or deny the authentication request
- Hardware token: Pieces of hardware users carry with them to authenticate their identity, for example, USB devices
- One-time passwords (OTP): Authentication codes sent via via SMS, voice, or email
- Risk-based authentication (RBA) software: Intelligent or adaptive MFA uses real-time information about end users to evaluate their risk and prompt them to authenticate when needed.
- Passwordless authentication: Passwordless (invisible) authentication uses RBA factors (for example, location or IP address).
- Biometrics: Biometric authentication factors, for example, facial or fingerprint recognition
- MFA as a service: Using an MFA provider who offers a cloud-based MFA solution as a service
- On-premises MFA: On-premises MFA solutions run locally on your server.
- Offline-available MFA: Authentication using a mobile app with offline access to OTPs or one that uses a hardware-based U2F security key
- Enterprise solutions: Companies that manage MFA at a large scale for a number of users need software offering administrator consoles, endpoint visibility, and single sign-on (SSO)