Multi Factor Authentication
There are three categories of factors used for User Authentication.
- Knowledge: something only the user knows
- Ownership: something only the user has
- Inherence: something only the user is
Multi-Factor Authentication (MFA) uses factors from more than one category for authentication. It does not mean using multiple factors from the same category—the categories must be different. It is also often referred to as Two-Factor Authentication (2FA) since typically only two out of the three categories are used.
A bank ATM is a classic example of MFA.
- Something only the user has = ATM card
- Something only the user knows = PIN
Online Multi-Factor Authentication
Online MFA pairs a password (knowledge) with one of several “something the user has” factors. Common second factors today include:
- Authenticator app (TOTP) — a time-based one-time password generated by an app such as Google Authenticator, Microsoft Authenticator, Authy, or 1Password. TOTP is defined by RFC 6238 and is widely supported.
- Security key (FIDO2 / WebAuthn) and passkeys — a hardware token (YubiKey, Titan, etc.) or a platform authenticator that answers a public-key challenge through the Web Authentication API. OWASP describes passkeys as “a very secure form of MFA” that is “resistant to phishing attacks while also being frictionless,” because the private key never leaves the authenticator and the credential is scoped to the relying party's domain: the browser will only use it on a matching origin, writes that origin into the signed client data, and the server rejects any assertion whose origin or RP ID hash is not its own.
- Push notification — an approval prompt sent to a trusted mobile app. A plain approve/deny prompt is exposed to push fatigue (an attacker who already has the password sends prompts until the user taps Approve); number matching or showing the sign-in location and application in the prompt mitigates this.
- SMS or voice call — a one-time code delivered over the phone network. NIST SP 800-63B classifies PSTN-based out-of-band authenticators as restricted because of SIM-swap, SS7 interception, and number-porting risks; it is still better than no second factor, but a stronger option should be offered when possible.
- Email — a code or magic link sent to a verified address. Considered weak when the email account itself is only protected by a password.
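The TOTP factor above (RFC 6238, built on RFC 4226 HOTP) is small enough to implement and check end to end. The following is an added example, not code from the original page or from any authenticator app: it generates codes, builds the otpauth:// enrolment URI an app would scan, and shows the server-side verification a practitioner cares about (constant-time compare, a one-step clock-skew window, and rejection of a code whose time step was already used, so a code captured by a phishing proxy cannot be replayed). The class name TotpVerifier and the skew parameter are this example's own; the test vectors are the SHA-1 ones from RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (what the enrolment QR code encodes). Secret is base32 without padding."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side check for one enrolled secret (example class, not from any library).

    Accepts the current step and `skew` steps either side to absorb clock drift,
    compares in constant time, and never accepts a step at or before the last
    accepted one, so a code that was already used (or sniffed and relayed) fails.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1  # in a real deployment this is persisted per user

    def verify(self, code: str, unix_time: int) -> bool:
        # Reject malformed input before comparing (compare_digest needs ASCII).
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already consumed: blocks replay of an earlier code
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Fresh enrolment: 160-bit secret as RFC 4226 recommends, URI for the app, current code.
    secret = secrets.token_bytes(20)
    print(provisioning_uri(secret, "alice@example.com", "Example"))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", TotpVerifier(secret).verify(code, now))
```

The skew window is a deliberate trade: each extra step the server accepts is another code an attacker may relay, so one step either side is the usual ceiling, and the `last_counter` check is what keeps a window from turning into a replay opportunity.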
Multi-Factor Authentication is more secure than traditional password authentication. An attacker must have more than a stolen or cracked password to gain access or make important changes. Phishing-resistant factors (security keys and passkeys) defend against credential phishing and adversary-in-the-middle proxies in a way that one-time-code factors cannot: a TOTP or SMS code typed into a phishing page can be relayed to the real site within its validity window, whereas a WebAuthn assertion is bound to the origin the browser was actually talking to and is useless anywhere else.
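Why the WebAuthn assertion resists an adversary-in-the-middle proxy comes down to a few relying-party checks, shown here as an added example that is not code from the original page or from any WebAuthn library. It performs the context checks a server runs on an authentication assertion before verifying the signature (ceremony type, challenge, origin, RP ID hash, user-presence flag) and builds the message the authenticator actually signed, which is why a proxy cannot simply rewrite the origin field. Signature verification over that message is left to a real library. The clientDataJSON and authenticatorData here are constructed stand-ins for what a browser and authenticator would produce; the hostnames bank.example and bank-example.com and the function names are this example's own.

```python
import base64
import hashlib
import json
import secrets
from typing import Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, expected_origin: str,
                            rp_id: str) -> Tuple[bool, str]:
    """Relying-party checks on an authentication assertion that precede signature verification.

    Returns (ok, reason). Every field checked here is covered by the authenticator's
    signature, so an attacker cannot fix up a failing field without breaking the signature.
    """
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    try:
        challenge = b64url_decode(str(client_data.get("challenge", "")))
    except ValueError:
        return False, "challenge is not base64url"
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    # The browser, not the page, fills in origin: a phishing site gets its own origin here.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # First 32 bytes are SHA-256 of the RP ID the credential is scoped to.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode("ascii")).digest():
        return False, "rpIdHash does not match our RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence (UP) flag not set"
    return True, "ok"


def signed_message(client_data_json: bytes, authenticator_data: bytes) -> bytes:
    """What the authenticator signs: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed stand-in for the browser-generated clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode("utf-8")


def make_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Constructed stand-in for authenticatorData: rpIdHash || flags || signCount."""
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    auth = make_auth_data("bank.example")
    legit = make_client_data(challenge, "https://bank.example")
    # A proxy relaying the real site's challenge still yields client data with its own origin.
    phished = make_client_data(challenge, "https://bank-example.com")
    for name, cd in (("legitimate", legit), ("proxied", phished)):
        ok, reason = check_assertion_context(cd, auth, challenge, "https://bank.example", "bank.example")
        print(f"{name}: {ok} ({reason}); signed bytes = {len(signed_message(cd, auth))}")
```

In practice the proxied case usually fails one step earlier: the browser only offers a credential whose RP ID is a registrable suffix of the current origin, so the authenticator is never invoked on bank-example.com. The server-side origin check is the second line of defence, and it is what makes a relayed assertion worthless even if the first line were bypassed.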
Because it increases security, Multi-Factor Authentication is becoming very common. Major websites like Facebook, Twitter, Google, LinkedIn, Amazon, eBay, GitHub, and Dropbox all either offer MFA as a user option or require its use. A list of the many companies which offer MFA is available at 2fa.directory.