
Multi-Factor Authentication (MFA) (often called Two-Factor Authentication)

What is Multi-factor Authentication?

Authentication with username and password can be reasonably secure when the password is strong and unique and the service stores it properly. In practice, users choose weak passwords and re-use or share them across services, so credential stuffing and data breaches have exposed millions of user accounts. Requiring an additional, independent authentication factor on top of the password raises what an attacker needs from "knows the password" to "knows the password and controls the second factor", which is why it increases the security of a user account so much.

A common usability choice in multi-factor (two-factor) deployments is to ask for every factor only the first time a user logs in from a given smartphone or computer. That device is then remembered, typically through a long-lived cookie or device token, and later logins ask for a single factor. Keep in mind that the remembered device thereby becomes a factor of its own: whoever copies the device token inherits the exemption, so the token should be bound to the device as far as possible and the exemption should expire. The application provider is free to decide which first and second factor to combine. Implemented this way, multi-factor authentication (often also called two-factor authentication) is easy to adopt and user-friendly while markedly raising the security level.

Since September 14, 2019 the European Union's PSD2 rules on Strong Customer Authentication have required payment service providers to protect most electronic payments with at least two independent authentication factors. More and more online application providers handling sensitive user data have followed suit to protect their customers' data. When will you implement multi-factor authentication?

Combining Factors Increases Security

What are the 4 Different Authentication Factors?


There are many ways to authenticate, and several independent authentication factors can be combined to increase the access security of an application. It is essential to combine at least two different factor categories rather than two instances of the same category: a password plus a security question is still only "something you know", and an attacker who phished one has most likely phished the other.

    Something you are

    The inherence factor is based on a physical (biometric) characteristic of the user. The most common are fingerprint or palm print, handwritten signature, facial or iris recognition and voice recognition; behavioural biometrics such as keystroke dynamics can also be used. Two caveats apply: a biometric is not a secret (fingerprints are left on every surface, faces are public) and it cannot be changed after a compromise. Biometrics are therefore best used locally, to unlock a device or a hardware authenticator, rather than transmitted to the service as the credential itself.

    Something you have

    Another authentication factor is based on possession of something only the user has. This method has been known for centuries in the form of a key and its matching lock. Today smart cards, smartphones and dedicated security tokens have taken over as possession factors in the digital world.

    The most common forms today are TOTP (time-based one-time passwords, mostly generated by authenticator apps; see below), push-based approval services such as Duo, and hardware security keys such as YubiKey sticks, which speak FIDO2/WebAuthn. They are not equally strong: a TOTP code or a push approval can be relayed or talked out of the user by a real-time phishing page, whereas a FIDO2 key signs a challenge that is bound to the website's origin and will not respond on a look-alike domain.


    Something you know

    Knowledge verification is the most common type of authentication. The user must prove knowledge of a secret in order to log in: a password consisting of a secret word, a passphrase or a string of characters, or alternatively a PIN. The secret is meant to be memorized, not written down or communicated to a third party, and the service must store it only as a salted password hash so that a breach of the user database does not reveal it.

    Somewhere the user is

    A fourth factor has recently become popular, especially in large corporations: the user's location. When a user is connected to the corporate network at an office location, the system requires only a password or PIN to log in, the location acting as the second factor; outside the corporate network and office an additional factor is required. Be aware that network location is a weak factor on its own. It is satisfied by anyone who gains a foothold on the internal network or on a VPN-connected machine, so it is better treated as a risk signal that reduces friction than as a substitute for a possession or inherence factor.

    Multi-Factor Authentication using an Authentication App (Authenticator)

    A third-party authenticator app (e.g. the verification-code generator built into Apple's Passwords app and iCloud Keychain, Authy, Google Authenticator, LastPass Authenticator, Microsoft Authenticator) raises the security level of an application by providing a second authentication factor. After installing the app on their device, end-users authenticate with the second factor in a user-friendly way, and they need only one authenticator app, which they can enrol with many different applications. The app shows a short numeric code that changes every 30 seconds. The code is not random: it is computed from a secret shared with the service at enrolment (usually via a QR code) and the current time, following the TOTP (Time-based One-Time Password) standard, RFC 6238, which is why the phone's and the server's clocks must roughly agree. The service should also refuse to accept the same code twice within its validity window.
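    The following is an added example, not code from the original page or from Engity, showing how a service generates and verifies the TOTP codes described here and under "Something you have": HOTP per RFC 4226, the time-step counter per RFC 6238, drift tolerance, replay rejection via the last accepted counter, and the otpauth:// enrolment URI. The secret is the RFC test-vector secret so the expected codes are published; the issuer and account names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"),
# used only because its expected codes are published; a real secret is os.urandom(20).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole `step`-second intervals since the epoch."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Return the counter the code matched, or None.

    Accepts the current step and +/- `window` neighbours to absorb clock drift between
    phone and server, refuses any counter at or below `last_counter` so an intercepted
    code cannot be replayed, and compares in constant time. Persist the returned counter
    as the new `last_counter` for this user."""
    at = int(time.time()) if at is None else at
    counter = at // step
    matched = None
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if hmac.compare_digest(hotp(secret, candidate, digits), code) and candidate > last_counter:
            matched = candidate
    return matched


def provisioning_uri(issuer: str, account: str, secret: bytes, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI encoded in the enrolment QR code; the secret travels base32, unpadded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, at=59, digits=8))          # 94287082 per RFC 6238
    print(verify_totp(RFC_TEST_SECRET, "287082", at=59))    # 1
```

    The window of one step either side means a code is accepted for roughly 90 seconds in total; widen it only if support tickets show real clock drift, because every extra step also gives a phishing relay more time.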

    Enterprise Multi-Factor Authentication (MFA)

    A broad variety of methods exists in the enterprise multi-factor authentication space. Most often physical smart cards or dedicated hardware tokens are deployed, but companies also frequently use their own hardened smartphones combined with biometrics or a dedicated app.

    Multi-Factor Authentication via SMS at Engity

    When logging in with SMS-based multi-factor authentication, the service sends a text message to the user's mobile phone, but only after the first factor (generally the password) was entered correctly. The message contains a one-time code with which the user completes the sign-in. For security reasons the code is valid only for a short period (a few minutes is typical) and only once, and the service should limit the number of guesses so that a six-digit code cannot simply be brute-forced. Even if the user did not start the sign-in themselves, the unexpected SMS warns them that someone else knows their password. SMS is, however, the weakest of the common second factors: codes can be captured through SIM-swap fraud, SS7 interception or malware on the phone, and a real-time phishing page can ask the victim for the code and relay it, which is why NIST SP 800-63B classifies SMS as a restricted authenticator. It still stops an attacker who only has the password, and the message should tell the user never to share the code with anyone.
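    As an added illustration (not Engity's implementation), the server-side logic of such an SMS step: the code is drawn from a CSPRNG rather than derived from a shared secret, stored only as an HMAC, expires, is single-use, and is limited both in guesses and in how often it can be re-sent. The time-to-live, attempt limit and cooldown are assumed policy values; `send_sms` is an injected transport callback.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

CODE_TTL = 5 * 60        # seconds a code stays valid (assumed policy: 5 minutes)
MAX_ATTEMPTS = 5         # wrong guesses before the code is thrown away
RESEND_COOLDOWN = 60     # seconds between two sends to the same user (limits SMS-pumping abuse)


@dataclass
class PendingCode:
    code_mac: bytes      # HMAC of the code, never the code itself
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Server side of the SMS step: codes are random (no shared secret, unlike TOTP),
    stored only as an HMAC so a database leak does not expose live codes, expire,
    are single-use and are limited in guesses. `send_sms(phone, code)` is the transport."""

    def __init__(self, server_key: bytes, send_sms: Callable[[str, str], None]):
        self._key = server_key
        self._send_sms = send_sms
        self._pending = {}     # user_id -> PendingCode
        self._last_sent = {}   # user_id -> timestamp of the last send

    def _mac(self, user_id: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, phone: str, now: Optional[float] = None) -> bool:
        """Called only after the first factor (password) succeeded. Returns False when throttled."""
        now = time.time() if now is None else now
        if now - self._last_sent.get(user_id, float("-inf")) < RESEND_COOLDOWN:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"                # CSPRNG, 6 digits
        self._pending[user_id] = PendingCode(self._mac(user_id, code), now + CODE_TTL)
        self._last_sent[user_id] = now
        self._send_sms(phone, code)
        return True

    def verify(self, user_id: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if now > pending.expires_at:
            del self._pending[user_id]                             # expired
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]                             # brute-force guard
            return False
        if hmac.compare_digest(pending.code_mac, self._mac(user_id, code)):
            del self._pending[user_id]                             # single use
            return True
        return False
```

    In production the pending codes and send timestamps live in a shared store (not a process-local dict) and the code is issued only on a session that has already passed the password check.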

    Multi-Factor Authentication using WebAuthn

    WebAuthn is a web API (application programming interface), standardized by the World Wide Web Consortium (W3C) together with the FIDO Alliance, that is available in all current browsers and on nearly all current devices (smartphones, PCs, Macs). It lets an application provider authenticate end-users with public-key cryptography: at enrolment the user's authenticator creates a key pair and registers the public key with the service; at sign-in the service sends a random challenge and the authenticator signs it. The authenticator can be built into the device (fingerprint sensor, Face ID, Windows Hello) or be a roaming hardware token, so these factors can serve as a second factor alongside a regular password or, with user verification on the authenticator, as a passwordless first factor. The application's web page reaches the authenticator through the browser's navigator.credentials API rather than through a separate app. Because the browser records the page's origin in the signed data and the authenticator only signs for the site that registered the key, WebAuthn credentials cannot be phished by a look-alike domain.
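    The checks the application provider (the relying party) must perform on a sign-in response are where that phishing resistance comes from. The following is an added example, not code from the page or from any WebAuthn library: it validates clientDataJSON (ceremony type, challenge, origin) and authenticatorData (RP ID hash, user-presence and user-verification flags, signature counter) and returns the exact bytes the authenticator signed. The final step, verifying the signature over those bytes with the credential's stored public key, needs a crypto library (e.g. ECDSA P-256 via the `cryptography` package) and is deliberately not part of this block. The RP ID, origin, challenge and authenticator response are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import struct

FLAG_UP = 0x01  # user present: the authenticator saw a touch or tap
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the authenticator


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes big-endian) || extensions."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def check_assertion(client_data_json: bytes, auth_data: bytes, *, expected_challenge: bytes,
                    expected_origin: str, rp_id: str, stored_sign_count: int,
                    require_uv: bool = False) -> dict:
    """Relying-party checks on a navigator.credentials.get() response that need no key material.
    Raises ValueError on any failure. On success returns the bytes the authenticator signed
    (authenticatorData || SHA-256(clientDataJSON)); the caller must still verify the response's
    signature over them with the credential's stored public key."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not an assertion ceremony")
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (replayed or forged response)")
    # The browser, not the page, fills in the origin: a phishing site cannot claim to be ours.
    if client.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {client.get('origin')!r}")
    ad = parse_authenticator_data(auth_data)
    if not hmac.compare_digest(ad["rp_id_hash"], hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash does not match our RP ID")
    if not ad["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not ad["flags"] & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # A counter that fails to increase hints at a cloned authenticator (only if the device keeps one).
    if (ad["sign_count"] or stored_sign_count) and ad["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return {
        "signed_message": auth_data + hashlib.sha256(client_data_json).digest(),
        "new_sign_count": ad["sign_count"],
        "user_verified": bool(ad["flags"] & FLAG_UV),
    }


# Constructed sample response (not captured from a real authenticator).
SAMPLE_RP_ID = "example.com"
SAMPLE_ORIGIN = "https://login.example.com"
SAMPLE_CHALLENGE = bytes(range(32))                 # in production: os.urandom(32) per ceremony
SAMPLE_AUTH_DATA = (hashlib.sha256(SAMPLE_RP_ID.encode()).digest()
                    + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", 42))


def build_client_data(reported_origin: str) -> bytes:
    """What the browser serialises; `reported_origin` is the page the user was actually on."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(SAMPLE_CHALLENGE),
                       "origin": reported_origin, "crossOrigin": False}).encode()


def sample_check(stored_sign_count: int = 41, reported_origin: str = SAMPLE_ORIGIN) -> dict:
    return check_assertion(build_client_data(reported_origin), SAMPLE_AUTH_DATA,
                           expected_challenge=SAMPLE_CHALLENGE, expected_origin=SAMPLE_ORIGIN,
                           rp_id=SAMPLE_RP_ID, stored_sign_count=stored_sign_count, require_uv=True)


if __name__ == "__main__":
    print(sample_check()["new_sign_count"])                  # 42
    try:
        sample_check(reported_origin="https://login.example.com.evil.test")
    except ValueError as err:
        print("rejected:", err)
```

    A code stolen by a phishing page would be accepted by a TOTP or SMS check; here the same phishing page produces a clientDataJSON whose origin is the attacker's domain, so the response is rejected before any signature is even examined.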

    Secure Your Application with Multi-Factor Authentication?

    Do you operate a service or product with sensitive customer data? Do you want to offer your customers a secure yet easy-to-use authentication method? Engity's multi-factor authentication solutions support you in rolling out such a service. Let us know how we can help!