MFA Can Involve 2FA
Two-factor authentication is a subset of multi-factor authentication. So the core definition of both is essentially the same. MFA simply means that a resource (such as your computer or online account) is secured by more than one type of credential.
The reasoning behind MFA is that there’s an exponential reduction in the odds of someone compromising all of the authentication factors you need, especially if they’re very different in nature.
The most common type of MFA is two-factor authentication with a password and a code sent via SMS texts or through a dedicated authentication app, but different services mix and match factors as required.
Types of MFA
Authentication factors can be broadly sorted into knowledge, possessions, and inherent unique attributes.
Factors that you know include passwords, PINs, the answers to security questions, and so on. These are often the most vulnerable to being compromised because they can be stolen or, in some cases, guessed by brute force.
Authentication factors you possess are objects like keys, RFID cards, and devices like computers and smartphones. To compromise this factor you need to either steal the object or make a perfect copy of it without the owner noticing.
Inherent factors are things that are unique to you, but can’t be changed. These are mostly biometric factors such as your fingerprints or iris patterns, but can also include voice matching, facial recognition, and many other similar options.
Hidden Authentication Factors
There are also authentication factors that you don’t even know about but are used silently to verify your access. For example, the GPS location of your phone, the MAC address of your network adapter, or your browser fingerprint. You may never know that this is being checked, but when an unauthorized user without that hidden factor tries to gain access, they’ll be blocked.
Risk-Based Authentication
Speaking of hidden authentication factors, this ties in with risk-based authentication. This is a practice where you usually only need 2FA or even one factor to access your resources, but if something out of the ordinary happens additional factors are required.
Maybe you’re in a different country or trying to log in from a computer you’ve never used before. The authentication system picks up on violations of your usual patterns and takes action by asking for more proof that you’re really who you say you are.
How Many Factors Do You Need?
If you’re currently using 2FA to secure your online accounts or other resources, should you be using MFA with more than two factors? As we’ve seen, you may actually already benefit from MFA without knowing it. There are some cases, though, where you might want to consider adding more factors or changing factors if possible.
If you’re using SMS-based verification codes, you should consider switching to an authenticator app if the service offers one. Thanks to a hacker’s ability to clone SIM cards, SMS is not the most secure second factor.
Keep in mind that while adding more factors does significantly raise the security level of access control, it also introduces more work for you. Additionally, if you misplace some of your factors, you could be significantly inconvenienced.
As such, we recommend that the average user sticks to 2FA with a few backup factors in the event you’re locked out or need to have extra protection in high-risk scenarios. Some password managers can help you with this, and you should be using one regardless.