Deconstructing MFA

Ultimate Guide to Multi-factor Authentication


2 - Deconstructing MFA: Evolution, Authentication Factors and More

Not unlike the telephone’s evolution from rotary to wireless to cellular, multi-factor authentication has continually evolved to meet changing requirements. That means today’s MFA isn’t your father’s MFA—and that’s a very good thing.


The earliest form of MFA was two-factor authentication, or 2FA. As the name suggests, 2FA required that a user provide a second factor beyond a password to prove their identity. The idea was that while a password may be easily guessed or stolen, requiring a second factor could significantly mitigate the dangers of credential reuse. And it did, proving effective at thwarting opportunistic attempts by attackers who test known username and password combinations just to see what might work. 


But bad actors have gotten more sophisticated over time. And their attempts to steal credentials and compromise accounts have grown increasingly creative. Fortunately, multi-factor authentication has also advanced to address these evolving threats. But that also means that simply requiring an additional factor is no longer a sufficient defense. And just any factor won’t do either. There are newer and better ways to ensure identity now, providing not just a more secure experience, but a more user-friendly one, too.


Types of Authentication Factors

In their simplest form, authentication factors are additional means of proving identity. They fall into three categories:

  1. Something you know

  2. Something you are

  3. Something you have

Multi-factor authentication requires you to provide two or more of these factors from different categories to prove you are who you claim to be before granting you access to your desired resource or application.

The oft-used username and password combination falls into the something-you-know category. In an attempt to increase security, some organizations might require a second something-you-know factor, such as an answer to a security question. But this isn’t MFA. In fact, if a hacker were able to guess or steal your password, they could probably guess or steal the answer to your security question, too.


Instead, MFA requires that you provide factors from different categories. The idea is that a hacker may be able to guess or steal something you know, but they’ll be far less likely to be able to also supply something you have, like a key card, or something you are, like a fingerprint. 


First Factor                 + Second Factor                 = Result
-----------------------------------------------------------------------
Username/password (“know”)     Security question (“know”)      No
Username/password (“know”)     Mobile phone (“have”)           Yes
Username/password (“know”)     Fingerprint (“are”)             Yes
PIN (“know”)                   Password (“know”)               No
Face ID (“are”)                Token (“have”)                  Yes


For example, your face (through the use of facial recognition on your phone) could be an additional something-you-are factor in a basic MFA flow that starts with a username and password (a something-you-know factor). It could also be something you have, like a smart card. But the use of biometrics is understandably more popular than physical tokens as it provides a convenient way to prove identity and eliminates costly and/or burdensome hardware. Both of these benefits translate to a better user experience, as well as stronger security. And because biometrics, unlike a code or physical token, aren’t easily intercepted or stolen, you gain a greater level of assurance that a user truly is who they claim to be.


Common Authentication Factors & How to Choose Them

When it comes to authentication factors, there are a number of options to choose from, as well as considerations that apply to each. Here’s a brief overview of the most commonly used authentication factors:


Something You Know (Knowledge)

  1. Password/passphrase. The password is the most common example of a something-you-know authentication factor.

  2. PIN. Usually a string of 4-8 characters, the PIN (personal identification number) often requires some type of manual data entry into a smartphone, computer or other device.

  3. KBA (knowledge-based authentication). These typically take the form of security questions, such as “What is your mother's maiden name?” or “What was the make of your first car?”


Something You Have (Possession)

  1. Mobile phone. Mobile phones allow users to authenticate in multiple ways, including via a mobile app or through pop-up notifications.

  2. Token. Physical security tokens generate unique codes that only the person possessing the token can access. 

  3. Key fob. Key fobs are typically recognized through insertion in or tapping on a device, such as being placed in a USB port or next to a mobile phone.

  4. Smart card. Smart cards contain an embedded smart chip and may be used for physical access (e.g., a room or building) or virtual access (e.g., the enterprise VPN).


Something You Are (Inherence)

  1. Fingerprint. Fingerprints are a popular biometric authenticator. Nearly 200 million smartphone units shipped in 2019 were equipped with fingerprint sensors, and the number is expected to grow 3X to 600 million by 2023.

  2. Facial recognition. Apple’s Face ID feature was introduced with the iPhone X in 2017, making facial biometrics a practical, mainstream authentication option.

  3. Retinal scans and voice recognition. Not as widely adopted as fingerprinting or facial recognition, specialty authentication factors like retinal scans and voice recognition are found in less common use cases.


When it comes to selecting the right authentication factors for your MFA deployment, it really comes down to your particular users and what makes the most sense for their needs. Here are some examples of limitations that affect authentication:


  • Mobile push won’t work for employees who work in call centers or clean rooms where cell phones are not allowed.
  • Fingerprint authentication doesn’t make sense for workers who must wear gloves to do their jobs.
  • It’s completely unrealistic to expect your customers to carry around hardware tokens.


Thinking about your various users’ needs, behaviors and limitations will help you make strategic and sound decisions about which authentication methods to adopt. And being able to support multiple methods ensures you can serve changing and evolving use cases.



Adaptive Multi-factor Authentication

MFA as described thus far provides a greater level of assurance of user identity than simple username/password authentication. But it has its limitations, too. In its most basic form, MFA relies on a one-size-fits-all approach, requiring an additional factor regardless of situation. This can be cumbersome for users who are authenticating under typical, low-risk circumstances. 


While there’s no debate that MFA provides greater security than passwords alone, you can further strengthen security AND provide a more streamlined user experience with adaptive MFA. Adaptive MFA uses contextual factors and logic-based mechanisms—such as geolocation, time of day, IP address and device identifiers—to determine whether or not a user should be required to use an additional factor to authenticate.


Applying a risk-based approach to authentication requirements, adaptive authentication dynamically assesses the risk of a given operation based on:

  • The user’s current authentication status.

  • The risk associated with the resource in question.

  • The context of the request.  


This risk-based approach allows you to establish policies that require an additional factor only when necessary, as determined by risk and not by default.


For example, say an American banking customer uses a password to sign on to a banking site and then tries to transfer money. If that customer signs on from the United States, the MFA system might not require further action. But if they sign on from Uzbekistan, the system could require a second authentication factor to gain a greater level of assurance that the user is who they claim to be.
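The risk-based evaluation just described, together with the different-categories rule from the factor table earlier, as an added example in JavaScript (not the guide’s or Ping’s code): a small policy evaluator that scores the request context and the resource, then compares the categories already presented against what that score demands. The factor names, resource risk values, scoring weights and the banking context are constructed for illustration.

```javascript
// Added example (not from the guide): a toy adaptive-MFA policy evaluator.
// Inputs mirror the three the text lists: factors already presented
// (authentication status), the resource's risk, and the request context.
const FACTOR_CATEGORY = {                // the guide's three categories
  password: 'know', pin: 'know',
  push: 'have', token: 'have',
  fingerprint: 'are', face: 'are',
};

// Resource risk and thresholds are constructed for this example.
const RESOURCE_RISK = { 'account-summary': 1, transfer: 2 };
const HIGH_VALUE_USD = 10000;

function riskScore(ctx, resource, user) {
  let score = RESOURCE_RISK[resource] ?? 2;
  if (ctx.country !== user.homeCountry) score += 3;   // unfamiliar geolocation
  if (!ctx.knownDevice) score += 2;                    // device identifier not enrolled
  if (!ctx.trustedNetwork) score += 1;                 // source IP outside trusted ranges
  if (ctx.hour < 6 || ctx.hour >= 22) score += 1;      // outside normal hours
  if (resource === 'transfer' && ctx.amountUsd >= HIGH_VALUE_USD) score += 2;
  return score;
}

// How many *distinct* categories a score demands. A low score allows a
// single low-friction factor (step-down); a high one demands all three.
function requiredCategories(score) {
  if (score <= 2) return 1;
  if (score <= 5) return 2;
  return 3;
}

function decide(ctx, resource, user, presented) {
  const score = riskScore(ctx, resource, user);
  const need = requiredCategories(score);
  // Two factors from the same category (password + security question) count once.
  const have = new Set(presented.map(f => FACTOR_CATEGORY[f]).filter(Boolean));
  return { score, need, action: have.size >= need ? 'allow' : 'step-up' };
}

// The guide's banking scenario, with constructed context values.
const alice = { homeCountry: 'US' };
const base = { knownDevice: true, trustedNetwork: true, hour: 14, amountUsd: 500 };
console.log(decide({ ...base, country: 'US' }, 'transfer', alice, ['password']).action);
console.log(decide({ ...base, country: 'UZ' }, 'transfer', alice, ['password']).action);
console.log(decide({ ...base, country: 'UZ' }, 'transfer', alice, ['password', 'push']).action);
```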


Simply put, adaptive MFA provides greater control and flexibility, allowing you to strike a just-right balance between security and experience. With adaptive MFA, you can:


  1. Customize authentication requirements based on risk.

  2. Step security measures up or down using adaptive, contextual policies.

  3. Improve productivity by minimizing authentication requirements in low-risk situations, like on trusted networks.

  4. Increase security by stepping up authentication requirements in high-risk situations, like unfamiliar geolocations or high-dollar financial transactions.

  5. Streamline user experience by eliminating extra steps and hardware.




Modern MFA: More than Just Adaptive Policies

Beyond adaptive policies, modern MFA provides more integrations and configurations, as well as providing more flexibility and control. With a modern MFA solution, you can:


  • Protect more channels, like single sign-on, VPN, remote desktop, SSH and more.

  • Provide support for more use cases, including password resets, self-enrollment, device authorization and management, transaction approvals and passwordless authentication.

  • Provide support for more authentication methods.

  • Lower costs by removing the need for traditional hardware tokens, SMS codes and voice calls. 

  • Reduce helpdesk support requirements by taking advantage of broad self-service capabilities.

See our Top 5 MFA Considerations Checklist for guidance on what to look for in an MFA solution.

Passwordless: The Future of Authentication

Passwordless authentication may seem like a radical concept, but it actually borrows from and builds upon the same principles as MFA. The basic premise remains that passwords alone aren’t enough. And passwordless promises a way to bypass passwords altogether.


The elimination of usernames and passwords is also the basis of Zero Trust. In a Zero Trust environment, users are recognized and authenticated based solely on the devices used to access applications and the context in which they’re attempting to access them. Sounds cool, right? But removing passwords entirely may also sound out of reach for your organization.


While going completely passwordless may not be realistic for you now, you can begin building the foundation for Zero Trust sooner than later. Reducing the use of passwords is the first step for many organizations.


You can start by leveraging adaptive MFA policies to step down authentication in low-risk scenarios. For example, you could combine a username only (no password) with a lower friction method of authentication—such as a device-based biometric (like a fingerprint) or a swipe—when a user is accessing non-sensitive resources in a typical manner (on a recognizable device and from a trusted network).


This removes friction from the end user experience, and is a good first step. But if you still require passwords in some situations, those passwords are still vulnerable to reuse, theft and subsequent use by a bad actor.


More advanced organizations are adopting standards such as FIDO2, which remove passwords altogether. Instead of passwords, FIDO2 leverages public key cryptography methods that require users to register a device and a domain (e.g., a corporate email) from which future access requests will originate.


While you may not feel ready for this, you may be more ready to start your journey to passwordless authentication than you realize.




Take the Next Step

See how Ping can help you stay ahead of the curve in a rapidly evolving digital world.