
How Does Multi-Factor Authentication (MFA) Work?

How do online services know you are who you say you are when you try to log in?


Multi-Factor Authentication (MFA) is a way of cross-referencing multiple means of identification, to ensure that a user is who they say they are when they log in to an online account. To do this, at least two authentication factors are required to verify your identity. Two-Factor Authentication (2FA) is a subset of MFA which, as the name implies, requires only two positive identifications to authenticate your identity.

MFA is effective because it relies on multiple authentication checks before granting you access. Conventionally, passwords have been used to verify someone’s identity. However, passwords can be forgotten, written down and worked out. As people often use one password for multiple accounts, a data breach in an email account could leave critical or sensitive infrastructure vulnerable. Relying on a password alone to verify someone’s identity leaves more room for fraudulent activity than is safe. MFA cross-checks your password against something like a verification code or a fingerprint, to prevent attackers gaining access to your account.

The Password Problem (Why Do We Need MFA?)

According to Cybernews, the most common password is “123456”, followed by “123456789”. In these cases, it doesn’t take a sophisticated hacker to access your account. Even if your password isn’t that simple, if it’s based around a name, a place, or a pet, it could be easy to hack. The problem with humans is that we find it easy to remember things that are significant or that we have an emotional attachment to. We also like to post about these things online. This makes it very easy to search someone’s social media platform and have a good understanding of their likes, and therefore their potential passwords. 

As computers become more powerful, it becomes ever easier for an attacker to succeed in a “brute force” attack. This is when a hacker attempts to guess your password by systematically attempting every combination of letters, numbers, and special characters until it lands on the correct combination. Depending on the length and complexity of the password, there are trillions of potential combinations. 

According to LastPass, a single password is reused across 13 different accounts. All it takes is for a data breach in one of these 13 accounts, and an attacker could gain access to all of them. MFA ensures that even if there is a data breach, there is another line of defence protecting your accounts. 

How Does MFA Help?

In practice, MFA requires at least two different verification methods (factors) to confirm your identity, before you are granted access. MFA doesn’t provide any of its own security protocols, but rather relies on the pre-existing security protocols surrounding each factor. By cross-referencing multiple factors—and therefore multiple security protocols—there is an increased level of certainty that the user is who they say they are. According to Microsoft, MFA can block over 99.9% of account compromise attacks.

Types Of Factors

There are three broad types of factors that are used to confirm an individual’s identity. These categories are knowledge (things you know), possession (things you have), and inherence (things you are). The chance of a hacker having successfully gained access to two of these means of verification is slim. 

Knowledge-Based Authentication (KBA) / Things You Know

Passwords / PINs

This factor is perhaps the most familiar. A password is known exclusively by users who have access to the account in question. We have already considered how brute-force attacks can overwhelm a password—not all passwords are created equal. Including numbers and special characters, and moving away from memorable words to a random arrangement, is more secure. An effective way of improving the strength of your password is to increase its length. A 4-digit password results in 20 million possible combinations; doubling this to an 8-digit password results in 500 billion possible combinations.

Answers To Security Questions

Security questions act in the same way as passwords—they are supposed to be exclusive pieces of information, that help to verify your identity. However, depending on the specifics of the question, security answers can be very easy to guess. Common questions ask for your mother’s maiden name, your first pet, school, or childhood best friend—and the answers to all of these might be publicly available on your social media accounts. As these are specified questions, with predetermined answers, they are known as “static” KBAs. 

“Dynamic” KBAs, on the other hand, are continually updated, making them more relevant and less easy to guess. You may be questioned about the details of a recent transaction, for example. This type of information is very specific to you, and unlikely to be accessed by anyone else. This results in it being much harder to correctly guess this type of security answer.

Possession / Things You Have

OTP As Token Authentication Via SMS Or Email

An OTP (One Time Password), sometimes an OTC (One Time Code), is sent to an account that is associated with you. This can either be via text or email but, in each instance, provides you with a passcode. This code is needed to gain access to your account. By ensuring the person attempting to login has access to the cellphone or email account of the named user, there is a higher chance that the login attempt is genuine. You might have experienced this type of factor if you have used a digital reader for online financial transactions.

Software Token Authentication

There are two ways in which this type of factor can work. First, a PIN can be sent to a general authenticator app on your cellphone—apps like Microsoft Authenticator, Google Authenticator and Authy are popular options. The user then inputs this PIN to the online interface, in the same way as if it was sent via email or SMS. The advantage is that these PINs can refresh every minute to decrease the time that a hacker has to gain access.

Alternatively, you might receive a notification in a specific authenticator app linked to the account you are accessing. All you need to do is click “accept” on this notification to confirm your identity, giving you access to your account. If you receive a notification and you are not trying to access your account, you can shut down the attacker’s attempt by denying the request. Once you have installed the relevant app, this method is quick and easy.  This method can have an additional layer of security if the authenticator app itself requires a passcode or biometric verification to be accessed.

Security Keys / Access Badges / Smart Cards

The most common usage of this type of factor is when you use a credit or debit card whilst shopping. You must be in possession of the card, as well as knowing the correct PIN, to spend the money. This type of factor is very strong as it combines a digital record with a physical object. These solutions can have advanced cryptographic capabilities and built-in security features, making them difficult to hack, clone or counterfeit. Each token can be programmed to allow access to a range of areas, from physical buildings to secure computer and network access, as well as serving as ID or accreditation. 

Inherence / Things You Are

Biometrics – Fingerprint, Facial Recognition

As many cellphones have built-in fingerprint readers and facial recognition capabilities, this type of authentication is becoming easier to implement. A biometric factor is one of the most secure, as it verifies the user’s identity with information that is unique to the user and difficult to steal or replicate. This type of factor is a quick and easy means of authentication—as there is no password or number, there is nothing to be forgotten or shared.

For a more detailed look into the different factors, why not read our article: What Are The 3 Types of Multi-Factor Authentication?

Adaptive Authentication/Risk-Based Authentication

Some enterprise MFA services have started to include behavioral and contextual factors into the verification decision to ensure users can easily access critical accounts, without compromising on security.  Even if an account password and OTP suggest that the correct person is accessing the account, is the attempt in line with previous attempts, or could there be something else going on? 

If there are reasons to suspect a fraudulent attempt, the MFA can ask for an additional authentication factor to reach a conclusion about the user’s identity. Two of the key behavioral and contextual factors that MFA solutions consider are the time and the location of a login attempt.


Time

By cataloguing when the user has previously logged into the account, systems can build a detailed pattern of how the user interacts with the account. If there are any login attempts that don’t fit with this established trend, the attempt can be flagged and require further verification. If an account is usually accessed between the hours of 9AM and 6PM, a login attempt at 3AM will be flagged as suspicious.


Location

By cross-referencing the user’s geo location or IP address, a decision can be made as to whether the person trying to access the account is the owner. Is the sign-in happening from a new device, or one already associated with the account? Is the geo-location similar to a previous login, or in a location you might expect?

In both of these situations, a judgement is needed to decide the validity of the login attempt. As AI capabilities build up a picture of the individual, fraudulent attempts can be easier to detect, resulting in fewer false negatives. 

What Are The Benefits Of MFA?

Adds A Layer Of Security

By requiring two different types of information to access an account, the chances of an attacker succeeding are reduced. Even if they manage to break down one line of defense and obtain a password, for instance, they will still not be granted access to your users’ accounts. 

Easy To Set Up And Quick To Enact

With MFA being used by many banks and email services, users are familiar with how certain methods of authentication work, such as OTPs and fingerprint scanners. Thanks to this, employees are unlikely to run into difficulties in adopting the new security procedures. 

Coupled into this benefit is the ease of verification. The number of people with a cellphone that has biometric capabilities is no longer a minority, but fast becoming the norm. This means that users can expect a high level of security, built around equipment they already possess.  

What Are The Drawbacks Of MFA?

Not Inherently Strong

It is worth remembering that MFA isn’t inherently strong; it relies on each factor having its own set of robust security procedures. The security of each factor enhances the overall security. This is not to say that one weak factor completely undermines the integrity of an MFA solution, but to suggest that MFA is a tool that should be used as part of a safe approach to digital life.

MFA Bypass Attacks

MFA use will increase the chances that user authentication is accurate; however, there are ways in which the security can be bypassed. If someone else has access to the email account that an OTP is being sent to, the attacker might be able to gain entry. In this instance, adaptive authentication comes into play.

There are several reports of attackers using “social engineering” to gain access to a system. In practice, this is when a user is encouraged to unwittingly reveal the login credentials for an account. It’s been reported that in a recent breach affecting Rockstar Games, employees believed they were giving critical details to part of the IT team. Uber also reportedly fell victim to “MFA Fatigue” where an attacker sent multiple push notifications, until an employee accepted one in order to stop being disturbed. Rather than breaking into the system, the attacker has been let into the system by an employee not understanding the significance of this notification. 

Key to avoiding this type of attack is ensuring that your employees aren’t a weak link in the chain. This is achieved through educating your workforce to understand how MFA works, and what it can protect against. Although this is a very simple step, it means that attackers will have to work a lot harder to gain access. 
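Alongside user education, the repeated-push pattern described above can be caught in authentication logs. The detection logic below is an added example, not code from this article or from any MFA product; the log format, the event names, the threshold of five prompts and the ten-minute window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one burst of prompts, then one ordinary login.
SAMPLE_LOG = """\
2024-05-01T02:10:00Z user=alice event=push_sent
2024-05-01T02:10:40Z user=alice event=push_denied
2024-05-01T02:11:10Z user=alice event=push_sent
2024-05-01T02:11:50Z user=alice event=push_sent
2024-05-01T02:12:30Z user=alice event=push_sent
2024-05-01T02:13:15Z user=alice event=push_sent
2024-05-01T02:14:00Z user=alice event=push_sent
2024-05-01T02:14:20Z user=alice event=push_approved
2024-05-01T09:00:00Z user=bob event=push_sent
2024-05-01T09:00:08Z user=bob event=push_approved
"""


def parse(line):
    """Split 'timestamp key=value ...' into (time, user, event)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["event"]


def detect_push_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag approvals that follow `threshold` or more prompts inside `window`."""
    recent = defaultdict(deque)       # user -> times of recent prompts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse(line)
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()         # forget prompts older than the window
        if event == "push_sent":
            prompts.append(ts)
        elif event == "push_approved":
            if len(prompts) >= threshold:
                alerts.append((user, len(prompts), ts))
            prompts.clear()           # the next login starts a fresh count
    return alerts
```

An alert here means the approved session deserves review and the user a follow-up, since the approval came only after a run of prompts rather than after a single expected one.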

Lost Authentication Devices

If you ever lose your MFA device, the first thing you should do is contact the admin, who will be able to deactivate the device. This can be done with the click of a button, and it ensures that the lost or stolen device does not create a hole in your network’s security. It should be relatively easy to register a new device with an MFA solution. However, it is important that care is taken when doing this to ensure that admins do not authorize a foreign device, thereby granting its holder legitimate access to the systems.

Ensuring Ease of Use

There might be the perception that MFA is unnecessary and time consuming. There is the possibility that employees will have to log in, then go to their email account, find a code, then click on an app. This does not have to be the case.

Adapting your policy to suit your business ensures that employees can interact efficiently with the MFA. Adaptive authentication can be used as a secondary factor once the password has been entered. If the time and geolocation of the login corresponds with a known location and an expected time, there is no need for OTPs or further factors. If, however, the login does not correspond with the prediction, then the user will be asked for another factor to verify their identity. This ensures that users are never having to do unnecessary work. By ensuring your MFA suits your business, users will be on board and understand the benefits and drawbacks.   
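The policy described here and in the Adaptive Authentication section (password first, then a further factor only when the time, location or device does not match earlier logins) can be sketched as follows. This is an added example, not code from this article or from any MFA product; the `Login` fields, the one-hour slack around the earliest and latest hours seen, and the decision names are assumptions, and the history is constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Login:
    when: datetime   # local time of the attempt
    country: str     # coarse geolocation resolved from the source IP
    device_id: str   # identifier of the device or browser


def risk_signals(history, attempt, hour_slack=1):
    """List the contextual signals that do not fit the user's past logins."""
    if not history:
        return ["no_history"]          # nothing to compare against
    signals = []
    hours = [login.when.hour for login in history]
    earliest, latest = min(hours) - hour_slack, max(hours) + hour_slack
    if not (earliest <= attempt.when.hour <= latest):
        signals.append("unusual_time")
    if attempt.country not in {login.country for login in history}:
        signals.append("new_location")
    if attempt.device_id not in {login.device_id for login in history}:
        signals.append("new_device")
    return signals


def decide(history, attempt, password_ok):
    """Password first; ask for another factor only when context looks off."""
    if not password_ok:
        return "deny", []
    signals = risk_signals(history, attempt)
    return ("step_up" if signals else "allow"), signals


# Constructed sample: a user who signs in from one laptop during office hours.
HISTORY = [Login(datetime(2024, 4, day, hour), "GB", "laptop-1")
           for day, hour in [(22, 9), (23, 11), (24, 14), (25, 17), (26, 18)]]
```

With this history, a 10AM login from the known laptop is allowed on the password alone, while a 3AM login returns `step_up` with the signal `unusual_time`.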


MFA is an effective way of cross-referencing at least two means of authentication to confirm that you are who you say you are. Factors that you either “know”, “have” or “are”, can be used to make this decision. 
