Explainer: Multi-factor authentication
Multi-factor authentication (MFA) is a layer of security that ensures a person provides two or more pieces of information to complete an authentication check that grants further access to a digital service or application. With the mass popularization of online services that cover deeply personal and vital data such as identity and banking, MFA has become a necessary protection against third-party intruders and malicious actors. Important recent developments supporting MFA adoption include the passage of regulations like the European Union’s Payment Services Directive (PSD2) in 2018, and the emergence of the FIDO Alliance. MFA typically encompasses three factors: knowledge, possession, and inherence.
Knowledge factors rely on what the user knows. Passwords or passcode only the user would know, or answers to questions about personal history are common knowledge factors used in authentication. Variants on passwords include passphrases, formed from multiple words, and personal identification numbers (PIN), typically shorter and purely numerical.
Possession factors provide security by granting access with something only the user has. This method is commonly found as tokens that are disconnected, connected or software. A disconnected token has no connection directly to the main device and usually has a built-in screen that displays a randomly generating password that is input in by the user, like RSA’s SecurID. A connected token directly links to the main device to transmit data to unlock access, very similar to the traditional lock and key. USB tokens, card readers and wireless tags are common examples. Software tokens are stored on a general-purpose device, such as a smartphone and computer, that authorizes access to the main device and can be duplicated.
Inherence factors are data that only the user possesses, or biometrics. Face, fingerprint, and voice biometrics are often deployed as inherence factors. Biometrics in MFA are growing in prevalence with the mass adoption of smartphones and laptops that can be used as data capture devices.
PSD2 was implemented as a means of updating the EU’s digital payments system, protecting customer security and fostering competition. One major change is the requirement for strong customer authentication for all digital transactions, which would necessitate the use of at least two or more forms of MFA. Effectively, any business with a digital footprint operating in the EU now must comply with PSD2 via MFA.
The FIDO Alliance is an industry body launched in 2013 with members including PayPal, Apple, Google, Amazon, American Express, Meta, and Microsoft that aims to promote “authentication standards to help reduce the world’s over-reliance on passwords.” The FIDO protocol works by registering a user’s device (say, a smartphone) which creates a connected pair of a private and public key. The private key held on the device is authenticated by providing MFA, including biometric data such as a fingerprint and voice, or knowledge and possession factors, which will signal to the public key to grant access.
Click here for more explainers on concepts in biometrics.