Multi-factor authentication and what businesses need to know about it
If you’ve ever signed in to an app for the first time or from a new device, there’s a good chance you’ve encountered multi-factor authentication (MFA). Businesses use multi-factor authentication to verify a user’s digital identity for a few key reasons.
For one, they want to make sure you are you and not a bad actor attempting to breach an account. Second, protecting user accounts with usernames and passwords alone is highly susceptible to fraud. Fraudsters have the theft of account credentials down to a science, and compromised credentials are the number one cause of data breaches.
Even if you ask users to change their passwords regularly, experts agree that multi-factor authentication is the best line of defense for protecting accounts. Some even suggest multi-factor authentication could prevent up to 90% of cyberattacks.
“Multi-factor authentication is one of the best things a business can do to protect themselves and their customer accounts from malicious login activity,” said Sven Hindman, product manager at Kount.
Implementing MFA through an account takeover solution is a good place to start. But it’s important to understand the ins and outs of the technology too. Read on for answers to common questions about multi-factor authentication.
What is multi-factor authentication?
Multi-factor authentication uses two or more “factors” to authenticate a user’s digital identity before granting them access to an online account or other digital assets. Thus, MFA adds more layers of security to a sign-in process.
Because it often requires a user to provide just two factors for verification, MFA is sometimes called two-factor authentication (2FA) or step-up authentication.
“The chances that a fraudster [will crack] more than one authentication factor are much lower because it requires greater sophistication and much more money,” remarked Mindle Hastings, a Kount product manager, on the benefits of MFA. “So this keeps consumers safer from fraud and reduces the high costs that fraud can have on a business.”
“Authentication” refers to the process by which someone signs in to an online account. Essentially, authentication confirms that users are who they say they are when they sign in to an account.
Until recent years, businesses used only one “factor” — typically, a username and password combination — to authenticate a user’s digital identity. While this is still the most common form of authentication, usernames and passwords are highly susceptible to fraud.
The rate at which users reveal private information on social media and reuse simple passwords makes credentials easy to crack and test across websites. Some commentators have suggested usernames and passwords alone are the “weakest link” in account protection.
Bad actors can also purchase vast lists of possible credentials on the dark web and test them on target websites. Once the bad actor validates a user’s credentials, they can almost always use the same credentials to access multiple accounts. That puts everything from online banking to coffee apps at risk.
Multi-factor authentication solutions add more layers of protection to the sign-in process. These layers of complexity deter fraudsters and protect businesses and customer accounts.
What are the types of multi-factor authentication?
A multi-factor authentication system can use a variety of methods to verify a user’s digital identity. There are five common MFA types.
1. One-time passcodes (OTPs): This type of multi-factor authentication typically uses numeric codes that a user must enter into an application within an allotted amount of time. Clickable browser links are another form of OTPs.
Users typically receive OTPs on their devices via SMS or email. When the codes are generated on a dedicated device from an embedded cryptographic key, the OTP takes the form of a hardware token. The hardware version is rare; SMS and email OTPs are very common.
2. Mobile apps: This type of multi-factor authentication uses a standalone app. When prompted, users approve or deny authentication via push notification. Users must download an app to their devices and switch between the application and the digital asset they are trying to access.
3. Biometrics: This type of multi-factor authentication uses characteristics inherent to a user to authenticate them. Biometrics may include facial, retinal, voice, or typing behavior recognition.
4. Soft tokens: This type of multi-factor authentication uses software stored on the user’s device. OTPs, mobile applications, and biometrics are all examples of soft tokens. QR codes and website authenticators are also soft tokens.
Soft tokens are cost-effective and easy to distribute since users only need to download the soft token to their device. Soft tokens attempt to emulate the security of hard tokens.
5. Hard tokens: This type of multi-factor authentication uses physical objects that allow a user to authenticate their identity. Hard tokens may include smart cards, keycards, key fobs, USB drives, and traditional keys.
A user must have physical possession of the item to access an asset. This method is the most secure, but businesses usually reserve it for high-security situations: because of its high cost, it’s not as common as soft token MFA types.
How does multi-factor authentication work?
Multi-factor authentication requires a user to present two or more factors before accessing an online account or asset. It’s common to think of “factors” as additional credentials.
MFA solutions deliver these credentials through one or more of the MFA types listed previously. MFA credentials can be grouped into three categories: knowledge, possession, and inherence.
- Knowledge: Something you know, such as a username, password, PIN, or answers to security questions.
- Possession: Something you have, such as a phone, computer, software token, or security key.
- Inherence (biometrics): Something inherent to you, such as your fingerprint, iris, voice, or typing behavior.
A user must present factors from two different categories for verification through a multi-factor authentication system. For example, asking users to enter a username and password only asks them for two things they know, so both belong to the knowledge category and the combination is not MFA. The combination of factor categories will depend on the specific MFA solution.
More specifically, let’s say that you’re attempting to transfer money between bank accounts on a mobile app. So you enter your username and password. That’s knowledge verification. But your bank uses MFA.
So after you enter your username and password, the bank’s multi-factor authentication solution sends you a numeric passcode via SMS. That’s possession verification (i.e., they’re verifying you have the phone number associated with your account).
The added security layer of possession means a fraudster would need your username, password, and cell phone to access your account. The combination of these two factors is multi-factor authentication.
However, your bank may go one step further and analyze your fingerprint. That’s an inherence credential. For this factor, a bad actor would have to have your fingerprint — something they’re unlikely to have at any point. The combination of these three factors is also MFA.
Multi-factor authentication can also be passive or active. Passive verification happens when a user is not required to act during the verification process. And active verification requires a user to complete an action.
Knowledge authentication is almost always active, whereas possession and inherence can be either active or passive. Businesses favor passive multi-factor authentication because users experience less friction.
When does a company need to use multi-factor authentication?
Companies should use multi-factor authentication whenever they need to verify a user’s digital identity. The most common reason a company would need to authenticate a digital identity is when a user attempts to access a valuable digital asset.
“Multi-factor authentication is needed when there’s stored value, and you’re not sure the person who’s logging in is the person they say they are,” said Hindman.
A valuable digital asset could be anything from loyalty points to a home address, birthday, or credit card details. Fraudsters will target anything of value behind an account that they can use, transfer, or sell.
So companies of all sizes, across industries, that offer user accounts would likely benefit from a multi-factor authentication solution. Businesses can use MFA to protect their customer accounts as well as employee accounts in their network environments.
At a minimum, companies should always deploy multi-factor authentication whenever someone signs in to their account from a new device or new location. Beyond that, companies should also deploy multi-factor authentication whenever an account sees potentially high-risk activity, such as changes to account details.
Businesses could deploy multi-factor authentication for every login attempt, but that would increase friction for good customers. The ideal MFA solution presents no friction to good customers: it combines passive and active forms of multi-factor authentication and stops fraud by challenging only suspicious, unknown, or high-risk activity.
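The two rules described above, that real MFA needs factors from two different categories and that an active challenge should be triggered only by a new device, a new location, or a high-risk account change, can be expressed as a small step-up policy. This is an added example written for this page, not Kount’s code; the factor-to-category mapping, the list of high-risk actions, and the LoginContext fields are assumptions chosen to illustrate the policy.

```python
from dataclasses import dataclass

# Assumed mapping of concrete factors to the three categories the article names.
# Factors marked passive need no user action (device match, typing behavior).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "sms_otp": "possession",          # active: user types a code
    "push_approval": "possession",    # active: user taps approve
    "hardware_key": "possession",     # active: user presents the key
    "trusted_device": "possession",   # passive: device matched to account
    "fingerprint": "inherence",       # active
    "typing_behavior": "inherence",   # passive
}

# Assumed set of account changes the article treats as high-risk activity.
HIGH_RISK_ACTIONS = {"change_address", "change_card", "change_credentials", "transfer_funds"}


def is_multi_factor(factors):
    """True only when the factors span at least two distinct categories.
    Username + password is knowledge twice, so it does not qualify."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


@dataclass
class LoginContext:
    known_device: bool        # device previously matched to this account
    known_location: bool      # sign-in from a location seen before
    action: str = "login"     # "login" or one of HIGH_RISK_ACTIONS
    passive_factors: tuple = ()  # factors verified without user action


def step_up_decision(ctx):
    """Return ("allow", []) when passive factors already make the sign-in
    multi-factor and nothing is risky; otherwise ("challenge", reasons) so an
    active factor (OTP, push, hardware key) must be collected."""
    reasons = []
    if not ctx.known_device:
        reasons.append("new_device")
    if not ctx.known_location:
        reasons.append("new_location")
    if ctx.action in HIGH_RISK_ACTIONS:
        reasons.append("high_risk_action")
    # The password is assumed present as the knowledge factor on every sign-in.
    factors = ("password",) + tuple(ctx.passive_factors)
    if not reasons and is_multi_factor(factors):
        return ("allow", reasons)
    return ("challenge", reasons)
```

A sign-in from a trusted device, known location and no risky action passes with no friction; every other case returns the reasons that justify an active challenge, which is also what a detection team would want logged.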
How does multi-factor authentication work for fraud prevention?
Multi-factor authentication is most useful for account takeover fraud prevention. Account takeover (ATO) fraud happens when a bad actor uses hacked credentials to take over a customer account for nefarious purposes.
MFA adds more than one layer of authentication to the login process. This complexity decreases a fraudster’s ability to break into an account. A bad actor would need a user’s login credentials and their device or fingerprint, for instance, to access an account.
When presented with multi-factor authentication, a fraudster is likely to move on to an easier target. Multi-factor authentication also detects suspicious activity from credential-stuffing and brute-force attacks.
Brute-force attacks can cost businesses thousands of dollars in processing fees. And a few hundred account takeovers can easily cost a business tens of thousands of dollars in damage-control overhead.
Furthermore, MFA protects accounts against fraudulent account activity. Fraudsters may attempt to break into accounts and change a shipping or billing address, credit card number, or login credentials.
These fraudulent changes are difficult to detect because it can seem like the actual account holder is conducting an everyday activity. But changes to login credentials could be a fraudster hijacking an account and locking out a good customer.
Multi-factor authentication solutions mitigate risk, reduce customer friction
Kount’s MFA solution uses both passive and active multi-factor authentication to protect customer accounts. Kount Control authenticates users passively and only challenges suspicious or high-risk activity, reducing friction for good customers and keeping bad actors out.
Kount challenges risky behavior through a Secure MFA dynamic hyperlink instead of a one-time numeric passcode. One-time numeric passcodes sent by email or SMS are commonplace, but fraudsters can compromise them more easily.
Scammers often use phishing or social engineering to gain access to these passcodes and then customer accounts. Such was the case at the world’s second-largest cryptocurrency exchange. An OTP phishing attack breached some 6,000 customer accounts.
Kount delivers a Secure MFA dynamic hyperlink via SMS or email to provide real-time authentication that doesn’t sacrifice security. With this link, Kount matches a user to their device through trusted device capabilities.
Once Kount matches users to their accounts and devices, in most cases, users don’t have to go through the MFA process again. Best of all, Kount Control isn’t just an MFA solution. It can also detect and protect businesses against high-velocity activities like card testing, credential testing, and malicious bots.