In Depth: What Actually Is MFA?

[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.

We're starting a new series about Authentication, and we might as well dive into the deep end. So... pick one:

  • Multi-Factor Authentication (MFA)
  • Two-Factor Authentication (2FA)
  • 2-Step Verification (2SV)
  • Dual-Factor Authentication (um... DFA ???)
  • Second-Factor Authentication (is this also 2FA ???)

I'm sure you've heard at least 2 of these before, most likely MFA and 2FA, and probably also 2SV if you're in the Google ecosystem. They get used pretty interchangeably across different apps and implementations, and all relate to authentication.

💡
Note that some of the terms above do mean slightly different things, and I'll explain the differences below. However, for simplicity, I'll just use MFA to refer to the broad concept for the rest of the article.

It's easy to talk about Multi-Factor Authentication and say it's important for "security reasons", but how much do we really know about MFA? How does it work? What does it protect us from? What different options are there? When should they be used?

There are a whole lot of questions around MFA, and today we're going to seek some answers!

First up, we'll define what MFA is and why it's so important, and then look at the various options and how they differ. By the end, you should have a good grasp on the different options, and when you should be implementing them in your apps.

💡
This will be a mostly theory and word-y article, as we set out the groundwork to understand MFA in its different forms, looking at it mostly from a consumer point of view - as they are the ones we are using MFA to protect. We'll dig into implementations in the next article.

What Is Multi-Factor Authentication?

In a nutshell, MFA involves authenticating the user based on multiple authentication factors. This means that rather than just relying on a single factor (e.g. a password), the user needs to use multiple methods to prove they are who they claim to be (e.g. a password and a fingerprint).

The theory is that stealing a single authentication factor, often a password, is a relatively easy task for an attacker. By adding additional factors, the attacker now needs to obtain multiple different things and present them all during authentication. The complexity has greatly increased, making it harder to compromise the account.

MFA is fantastic at preventing automated bot attacks, where brute-force password guessing or credential stuffing lists are in use. These attacks rely on attempting to access thousands of accounts with the hope of gaining access to a small number of them. These attackers don't waste time trying to complete MFA challenges, so they'll just move on to the next account if they find a valid password but hit MFA.

However, more targeted or sophisticated attacks, such as the phishing attack that hit Troy Hunt, are able to compromise weaker MFA methods. We'll talk about the different MFA methods below, including their strengths and weaknesses.

💡
A credential stuffing list is a list of username-password pairs stolen from hacked websites, giving attackers a list of known working credentials. If a user reuses their password across multiple sites, the attacker will be able to log into any of their other accounts.
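To make the "present every factor" idea concrete, here is an added example (not code from this article or its series) of a minimal login check that requires both a password and a TOTP code from an authenticator app, then runs a constructed credential-stuffing list through it: the leaked, still-valid password for `alice` gets no further than the MFA challenge. The user store, salt, shared secret and stolen pairs are all constructed for the demo, and TOTP is assumed as the second factor.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values: a real system would use a per-user random salt and
# a secret provisioned to the user's authenticator app at enrolment.
_SALT = b"demo-salt-not-for-production"
_TOTP_SECRET = b"constructed-shared-secret-20bytes"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user store: factor 1 is a password hash, factor 2 a TOTP secret.
USERS = {"alice": {"pw": _hash_password("correct horse"), "totp": _TOTP_SECRET}}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_login(username: str, password: str, code: Optional[str],
                 now: Optional[int] = None) -> str:
    """Return 'ok', 'bad_password', 'mfa_required' or 'bad_code'.
    Both factors must be presented; a correct password alone is never enough."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_hash_password(password), user["pw"]):
        return "bad_password"
    if code is None:
        return "mfa_required"
    # Accept the current 30 s step and one step either side to tolerate clock drift.
    for drift in (-1, 0, 1):
        if hmac.compare_digest(totp(user["totp"], now + drift * 30), code):
            return "ok"
    return "bad_code"


# Constructed credential-stuffing list: alice's password leaked from another site.
STOLEN = [("alice", "correct horse"), ("bob", "hunter2")]


def stuffing_results(stolen, now: int) -> dict:
    """Replay stolen username/password pairs with no second factor, as a bot would."""
    return {u: verify_login(u, p, None, now) for u, p in stolen}
```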

Authentication Factors

MFA relies on different authentication factors, of which there are five: