Staying Safe in Times of Cyber Uncertainty

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) uses multiple means of authenticating a user’s identity before providing access to a system or service. This makes account takeover attacks more difficult because an attacker needs to gain access to all required authentication factors to access a user’s account.

Request a Demo Learn More

What is Multi-Factor Authentication (MFA)?

The Importance of Multi-Factor Authentication (MFA)

Password security is a major challenge for many organizations. Employees and customers commonly use weak and reused passwords that are potentially guessable, and even strong passwords can be compromised by malware or phishing attacks. With access to a user’s password, an attacker has legitimate access to all of a user’s accounts that use the same credentials.

Multi-Factor Authentication protects against these types of attacks by using multiple different means of authenticating the user’s identity. Even if the user’s password is compromised, the attacker also needs access to other authentication factors.

What are Authentication Factors?

As its name suggests, multi-factor authentication requires multiple authentication factors to gain access to a user’s account. Many different types of MFA exist, using a range of authentication factors. An authentication factor is a means of proving a user’s identity to a system. Most authentication factors fall into one of three categories:

  • Something You Know: Knowledge-based authentication factors like a password require the user to remember some secret that will be typed into the authentication page.
  • Something You Have: Possession-based authentication factors require the user to have possession of a particular object such as a smartphone, smartcard, or physical authentication token (like a Yubikey).
  • Something You Are: Inherence-based authentication factors identify a user based on unique attributes such as fingerprints, voiceprints, or facial recognition.

An MFA system should use a combination of two of these three categories. For example, the most common option is a combination of something you know (a password) and something you have (a device that generates/receives a one-time code).

Types of MFA Methods

MFA can be implemented with a wide range of factors. Some common examples include:

  • Password: A password is a knowledge-based factor and the most common form of user authentication. However, it also has significant security concerns due to password reuse and password strength.
  • SMS-Based or Email-based OTPs: A common second factor for MFA is a one-time password (OTP) sent via text message or email that the user will type into an authentication page. This is a possession-based factor because the user needs access to the phone or email account that receives the OTP.
  • Authenticator Apps: Authenticator apps like Authy and Google Authenticator are a possession-based factor that runs the same algorithm on a device and the server to generate a sequence of OTPs. When the user logs in, they provide the OTP shown on their device and the server validates that it matches the current OTP.
  • Physical Authentication Tokens: Physical authentication tokens like a smartcard, Yubikey, etc. provide possession-based authentication. These devices may generate an OTP or connect to a device via USB, Bluetooth, or NFC to provide a second authentication factor.
  • Push Notifications: Mobile devices may have support for possession-based authentication via push notifications. When a user tries to log into a supported account, a notification appears on their device asking them to confirm that the authentication attempt is valid.
  • Biometrics: TouchID, FaceID, and other fingerprint and facial recognition systems use biometrics for user authentication. The device has stored biometric data and compares the collected photo, fingerprint, etc. to authenticate the user.

Different authentication factors provide different levels of security and convenience. For example, passwords and SMS-based OTP are commonly regarded as insecure factors for MFA, but they are still in common use. Passwordless MFA refers to the use of a possession-based and inherence-based factor for MFA, eliminating insecure knowledge-based factors like the password.

What's the Difference between MFA and Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is a particular type of Multi-Factor Authentication. 2FA uses exactly two authentication factors, while MFA uses two or more. For highly sensitive systems or risky operations, MFA with three or more factors may be required to more strongly validate a user’s identity.

MFA with Check Point

Support for Multi-Factor Authentication is essential for account security as single-factor authentication runs the risk that factors may be guessed, stolen, or otherwise compromised. Check Point solutions offer strong account security with MFA, including:

  • Check Point Harmony Mobile and Harmony Endpoint prevent single-factor authentication to protect against account takeover attacks.
  • Remote Access VPN supports MFA and offers remote workers secure, seamless connectivity to corporate resources.
  • Infinity Portal enables centralized configuration and management of an organization’s IT infrastructure, including support for single sign-on (SSO) with MFA via an integration with SAML Identity Providers such as Okta and Duo.
  • Harmony Connect provides zero-trust network access (ZTNA), securing corporate resources and offering support for SSO, MFA, and device posture validation.

To learn more about integrating zero-trust security best practices and identity management into the distributed enterprise, check out this guide by ESG. Then, feel free to sign up for a free demo of Harmony Connect and see how to deploy ZTNA in five minutes or less.

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK