From the Inventor of Multifactor Authentication, Jack Bicer

Multifactor Authentication
2FA, 3FA, MFA Login
What are they? How do they differ? Which is more secure?

If you are confused by 2FA/3FA/MFA (2-Factor, 3-Factor and Multi-Factor Authentication) for logins, you are not alone.

What is a factor? The traditional definition of a factor is:
1. Something you know (a password or PIN; a username identifies the account but is not secret)
2. Something you have (a smartphone, a hardware token, or a device that generates a one-time password (OTP))
3. Something you are (your fingerprint, face scan, or another biometric identifier)

So, if you use two of these factors, you have 2FA. If you use all 3, then you have 3FA. Fairly straightforward. 

An example of 2FA is your login credentials (username/password) plus a one-time password (OTP) sent to your phone as a text message that you have to type into your browser. Your username and password are something you know, and the OTP is something you have. Strictly speaking, an SMS OTP proves control of the phone number rather than of the phone itself, which is why SIM-swap attacks target it.

An example of 3FA is your login credentials, followed by a push login notification on your phone that you approve using your fingerprint or Face ID on the phone. Your username and password are something you know, your phone is something you have, and your Face ID or fingerprint is something you are. You are using all three factors. Note that the biometric is checked by the phone itself; the website never receives it and only learns that the device's local check passed.

So now that we understand 2FA and 3FA what is MFA (Multifactor Authentication)?

Before we dive into what MFA is, we should have a brief discussion of the strength of the factors. Let's assume one of the factors is whether you have money or not; call it the "Money Factor". My bank account may have one dollar in it, but your account may have a million dollars. According to the Money Factor we both qualify, as we both have money in our accounts. But there is a huge difference between the buying power of a million dollars and one dollar. Financially speaking you are a million times stronger than me, but as per the Money Factor we are equal. Does this seem right to you? It doesn't to me.

And here comes Multifactor Authentication, MFA. We can test for multiple things, which may all be considered as one factor in the traditional sense.

When I invented MFA, Mobile Push Login and QR Login, and described MFA in my 2012 patent application (US 8677116), I looked at over 30 factors in our first products: your username (or QR code) and over 30 attributes of your smartphone that cannot be tampered with. It is still considered 2FA, but obviously it is a much more secure authentication than a one-time password sent to your phone via SMS. That's the difference between 2FA and MFA.

The word "Factor" does not mean the same thing in MFA as it does in 2FA or 3FA, which causes confusion. While the traditional "Factor" is well defined in 2FA and 3FA, in MFA it is more loosely defined as any authentication data point that assists in identifying the user, such as a username, a mobile device serial number or a geolocation. That's why MFA can be composed of 30 or more factors, while 3FA can only ever have three.

When I invented MFA, I referred to it as FonePrint Authentication. It was different from 2FA and 3FA and broke the restrictive traditional definition of a factor to provide a much more secure authentication. Unfortunately, people who did not understand what a traditional factor is thought Multifactor Authentication (MFA) was a catchier term, and MFA caught on.

MFA can be a 2-Factor MFA, or a 3-Factor MFA. Let me explain with an example: 

Let's say you log in to a website with your username and password, then get a mobile push notification on your phone showing the message "Is it you that's logging in?" with Yes and No buttons. If you tap Yes, you are in. This is 2-Factor MFA: you used something you know and many things unique to your phone. One caveat for anyone building this: a bare Yes/No prompt can be approved by a distracted user who did not start the login, and attackers do send repeated prompts hoping for exactly that, so the prompt should be bound to the specific attempt, for example by showing a number in the browser that must be entered on the phone, together with where the login is coming from.

But if you first have to use your Face ID or fingerprint before you can tap Yes or No, you have added another factor, your biometrics (something you are). Now this becomes 3-Factor MFA.

Other things being equal, any 3-factor authentication, whether Multi-Factor or plain 3FA, is more secure than any 2-factor authentication; the Multifactor (MFA) part makes it more secure still. Likewise a 2-Factor MFA is much more secure than plain 2FA, and a 3-Factor MFA is much more secure than plain 3FA. The qualifier matters: how each factor is checked counts as much as how many there are, and a factor that can be phished and relayed in real time adds less than one that cannot.

As for assessing which login methods are more secure, an understanding of the most common login processes gives us a better perspective. There are 4 common types of 2FA/3FA.

1. OTP: One-Time Password, sent via SMS or email, or generated by an app on the phone (like Authy). Last-generation cybersecurity, but the most common. The 6-8 digits the user has to type are error-prone and an undesirable user experience. The codes are computed with HMAC-SHA1 (RFC 4226/6238); the weakness is not the hash, since SHA-1 collision attacks do not apply to HMAC, but that a typed code can be phished and relayed within its validity window, and that SMS and voice delivery can be intercepted. NIST SP 800-63B classifies OTPs delivered over SMS or voice (the PSTN) as a RESTRICTED authenticator, which means the service must offer an unrestricted alternative and warn users of the risk.

2. Hardware Tokens: Last-generation cybersecurity, not commonly used outside enterprises. Typically a USB device attached to your computer that carries a security certificate, or a device that generates OTPs. One distinction worth knowing: modern USB/NFC security keys that implement FIDO2/WebAuthn sign a challenge bound to the site's origin, so a phishing site cannot reuse the response, which a typed OTP cannot guarantee.

3. Mobile Push Login: The new standard in authentication. After entering your username, you get a Push Notification on your phone. Confirm and you’re logged in.

4. QR Login: The cutting edge in authentication. The website displays a QR code, you launch an authentication app on your phone, scan the QR code, and login.

Of these four login types, the QR Login is the most secure. There is nothing for users to type, no passwords to remember, and nothing entered on the login page that a phishing page or keylogger could capture. It is typically MFA and can be implemented as 2-Factor MFA or 3-Factor MFA. The residual risk to design for is relay: an attacker can fetch a genuine QR code and present it to the victim, so the phone app should show where the login is happening, and the challenge must be short-lived, single-use and bound to the browser session that displayed it.

The Mobile Push Login is a close second and is growing significantly in adoption. It is also MFA, and can be implemented as 2-Factor MFA or 3-Factor MFA.
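Mobile Push Login and QR Login are both challenge-response logins: the site issues a random challenge, the phone answers with something only the enrolled device can produce, and the site logs in the browser session that asked. The following added example (my own illustration, not code from the original page or from any product of the author's) sketches that exchange in Python with the standard library. Everything in it is constructed: the device id, the device key, the origin and the enrollment record. A stdlib HMAC with a symmetric device secret stands in for the signature a real app would make with a key held in the phone's secure hardware; the protocol shape is the same. It includes the checks a practitioner would want: expiry, single use, a number-matching step so a prompt cannot be approved blindly, and binding the approval to the session that displayed the QR code or requested the push.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed enrollment record: one phone whose device-bound secret was established when
# the authenticator app was enrolled. Stdlib HMAC stands in for the asymmetric key a real
# app would keep in the phone's secure hardware.
DEVICE_ID = "phone-7f3a"                               # hypothetical
DEVICE_KEY = bytes.fromhex("0f" * 32)                  # constructed, not a real key
ENROLLED: Dict[str, dict] = {DEVICE_ID: {"user": "alice", "key": DEVICE_KEY}}

ORIGIN = "https://login.example.test"                  # assumed relying-party origin
CHALLENGE_TTL = 60                                     # seconds a QR code or push prompt stays valid


def approval_tag(key: bytes, origin: str, login_id: str, challenge: bytes, typed_number: int) -> bytes:
    """What the phone signs: the site, the specific login attempt, its random challenge and
    the number the user typed. An approval is therefore useless for any other attempt."""
    msg = json.dumps([origin, login_id, challenge.hex(), typed_number]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.pending: Dict[str, dict] = {}    # login_id -> challenge record
        self.sessions: Dict[str, str] = {}    # browser session -> authenticated user

    @staticmethod
    def display_number(challenge: bytes) -> int:
        # Two-digit number derived from the challenge; the browser shows it and the user
        # must type it into the phone, so a prompt cannot be approved blindly.
        return int.from_bytes(challenge[:2], "big") % 100

    def start_login(self, browser_session: str) -> dict:
        """Issue a fresh challenge for one browser session. For QR Login this dict is encoded
        in the QR code the browser shows; for Mobile Push Login it is pushed to the phone and
        the browser shows only display_number."""
        login_id = secrets.token_urlsafe(16)
        challenge = secrets.token_bytes(32)
        self.pending[login_id] = {"challenge": challenge, "issued": self.now(),
                                  "session": browser_session, "used": False}
        return {"origin": ORIGIN, "login_id": login_id, "challenge": challenge.hex(),
                "display_number": self.display_number(challenge)}

    def complete_login(self, approval: dict) -> Optional[str]:
        rec = self.pending.get(approval.get("login_id"))
        if rec is None or rec["used"] or self.now() - rec["issued"] > CHALLENGE_TTL:
            return None                                 # unknown, replayed or expired attempt
        device = ENROLLED.get(approval.get("device_id"))
        if device is None:
            return None
        if approval.get("typed_number") != self.display_number(rec["challenge"]):
            return None                                 # number matching failed
        expected = approval_tag(device["key"], ORIGIN, approval["login_id"],
                                rec["challenge"], approval["typed_number"])
        if not hmac.compare_digest(expected, bytes.fromhex(approval["tag"])):
            return None                                 # not produced by the enrolled device key
        rec["used"] = True                              # single use, even within the TTL
        self.sessions[rec["session"]] = device["user"]  # log in the session that asked
        return device["user"]


def phone_approve(payload: dict, device_id: str, device_key: bytes, typed_number: int) -> dict:
    """Phone side, run only after the user unlocked the authenticator app (PIN, fingerprint
    or Face ID, checked locally by the phone). The app should show payload['origin'] to the
    user before asking for the number."""
    tag = approval_tag(device_key, payload["origin"], payload["login_id"],
                       bytes.fromhex(payload["challenge"]), typed_number)
    return {"login_id": payload["login_id"], "device_id": device_id,
            "typed_number": typed_number, "tag": tag.hex()}


if __name__ == "__main__":
    server = AuthServer()
    qr = server.start_login("browser-session-1")         # browser shows this as a QR code
    approval = phone_approve(qr, DEVICE_ID, DEVICE_KEY, qr["display_number"])
    print(server.complete_login(approval), server.sessions)
```

What this does not stop is the relay described above: a challenge fetched by an attacker and shown to the victim is still a genuine challenge, and approving it logs in the attacker's browser session. The origin shown on the phone, the number-matching step and a short TTL are what give the user a chance to notice; the server-side checks only guarantee that each approval is spent exactly once on the attempt it was made for.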

OTP and Hardware Tokens are passé, previous-generation authentication, which typically do not extend beyond plain 2FA.

In security products there is always a trade-off between higher security and ease of use: the more secure, the harder to use, and the easier to use, the less secure. QR Login and Mobile Push Login provide the best combination of high security and ease of use. As a bonus, they can also eliminate passwords, which removes the credential theft behind the large majority of hacking attempts (figures around 80% are commonly cited). Although the ability to eliminate passwords has been around for 10+ years, adoption has been slow.

If you have the choice to use either Mobile Push Login or QR Login, that would be the safest. 

Copyright ©2024 Jack Bicer, All Rights Reserved.