Do You Even MFA?

If you are reasonably involved with internet services every day, you undoubtedly have heard about multi-factor authentication (MFA). If not, don’t worry, you will. Cybercrimes are on the rise, and their damage costs are predicted to achieve the impressive mark of $6 trillion by the end of 2021 [1]. Poor user practices, weak passwords, and lost/stolen user credentials are in the top 8 leading causes of ransomware attacks reported by managed service providers in 2020 [2]. One of the most devastating cyberattacks nowadays is the ransomware attack, which hijacks access to data and other resources in an organization until a ransom fee is paid (usually a very high amount).

Since an overwhelming portion of cyberattacks is associated with issues involving identity and access management (IAM), MFA has the potential of serving as a robust mitigation mechanism. Simply put: you should be using MFA, if not already.

However, at least three questions might be asked when someone hears about MFA for the first time: 1) What is authentication? 2) What is a factor in the context of authentication? 3) What is multi-factor authentication?

Breaking Down MFA

According to NIST, authentication is the process that verifies the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources [3]. More specifically, digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity [4]. An authenticator is something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. An authenticator is also known as a token [5].

An authentication factor is a concrete instance of authentication. It typically refers to the method through which one supports a given identity claim. The most common example of an authentication factor is password authentication: whenever someone claims an identity (typically with a username), a password must also be provided to verify that identity.

Credit card holders are required to enter their PIN code to prove their identity, and smartphone owners are often required to scan their face and/or fingerprint. So there is clearly more than one method for verifying an identity claim.

Indeed, authentication factors are organized into three main types:

  • Something you know: a piece of information that a user has memorized and can retrieve at any time. This includes a password, a personal identification number (PIN), an answer to a pre-selected security question, an answer to a randomly selected security question (such as “Which mortgage company did you use to refinance your house?”), and other mechanisms associated with information that (hopefully) only the intended user would know.
  • Something you have: a piece of information provided by a physical device carried by the user. This is often done via security tokens and smartcards that can store cryptographic keys, certificates, or biometric information and/or generate random codes, and other mechanisms associated with information that only the intended user would have.
  • Something you are: a piece of information provided by a device that can read a physical and unique characteristic of the user. This is known as biometrics – metrics from the human body – and can be very useful for authentication purposes. Smartphone users are familiar with fingerprint scans and facial recognition. Biometric devices are associated with information that only the intended user can provide just by being that user.

Other types of authentication factors might include:

  • Somebody you know [6]: a type of vouching, that is, a peer-level authentication process when one user assists another user's authentication.
  • Something you process [7]: a type of formula-based authentication in which a password is composed of a set of characters, values, and operators, which are used in conjunction with random inputs to compute a result that is used for authentication.
  • Somewhere you are [8]: a piece of information associated with the user's location, such as GPS coordinates, IP, and MAC addresses.
  • Something you do [9]: a piece of information associated with a user's behavior patterns while speaking, typing, or gesturing, among others.

However, the first three types are those most commonly associated with MFA. In fact, the NIST Digital Identity Guidelines: Authentication and Lifecycle Management [4] only refers to something you know, something you have, and something you are as types of authentication factors.

An authentication system that requires only one authentication factor is known as single-factor authentication (SFA) [10]. When someone logs in to their social media account and all it takes to authenticate that person is a username (identity claim) and a password (what you know as a support of the identity claim), then SFA is in place. If, in addition to providing their password, the user receives a code via short message service (SMS) and must confirm that code in order to complete the authentication (what you have, a cellphone, as a support of the identity claim), then a second factor of authentication is in place. Combining two factors for authentication purposes is known as two-factor authentication (2FA).

Multi-factor is a characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or a combination of authenticators that provide different factors.

The notion of factors should not be confused with the notion of steps, as remarked by Yuriy [11]. While factors refer to an action in the system, a step is a user-specific action. Yuriy explains that when someone must use a password and a security key (in a physical device) to authenticate, then 2FA in two steps is in place. However, if all a user has to do to authenticate is to touch the biometric sensor of a device equipped with a security key, then 2FA is still in place (something you are + something you have) while authentication occurs in a single step. Thus FIDO2’s passwordless solution [12] is 2FA in one step, while FIDO U2F [13] combined with a password is 2FA in two steps.

MFA in Practice

Some of the most popular apps and services offer some form of MFA. For instance, LinkedIn allows its users to turn on two-step verification and choose whether they will use an authenticator app or a phone number as a second authentication step.

Two-step verification settings on LinkedIn.

If the user chooses Authenticator App, LinkedIn will request the installation and configuration of Microsoft Authenticator or another authenticator app the user prefers.

Instructions for two-step verification using an authenticator on LinkedIn.

If the user chooses SMS, then LinkedIn will request a phone number.

Instructions for using two-step verification using SMS on LinkedIn.

Twitter allows users to choose from three options (in any combination) for a second factor of authentication in addition to password-based authentication.

Two-factor authentication settings on Twitter.

Many other popular apps and services offer at least a second factor of authentication. If they do and you use their services, you should activate 2FA right away, if you haven’t done so already.

MFA implies that two or more factors are required for authentication, thus 2FA is a form of MFA. Some services such as 2fa.directory will let you check whether or not a given website supports 2FA.

Checking whether or not Chase online services use 2FA.

Is 2FA Enough?

For most cases, 2FA might be enough. Imagine that in order to access your favorite social media platform, you need to type in your username and password, which triggers an action that sends you a random code via SMS. You type the code you received via text, and you complete the authentication. If someone somehow finds out what your password is, that would not be enough to authenticate successfully. They would also need to have access to your cellphone. However, 2FA with SMS can be problematic. SMS is a technology created for communication purposes, not security. Hackers use several attacks such as SIM swapping and reverse proxies with which they can see one's SMS texts and altogether bypass 2FA that uses SMS [14]. Thus, 2FA itself is not a security guarantee, as the actual factor being used in 2FA matters. A better second-factor alternative, for instance, is a security key on a USB device: something you have that is much harder to compromise.

What about more than two factors? Convenience and security are almost always antagonists. A highly secure authentication mechanism might not be the most convenient, and sometimes this is precisely what one should want, depending on how critical the activity protected by the authentication is. As an illustration, consider the process required for the President of the United States (POTUS) to order a nuclear strike [15]. POTUS considers a nuclear strike first, then consults with military and civilian advisors on options in person or by phone. POTUS then chooses to go ahead with the strike. Using a challenge-response technique, a Senior Officer in the Pentagon war room verifies that the order is genuinely coming from POTUS. A challenge code is read, and POTUS responds with the matching answer contained in a card named the "biscuit." This is something that POTUS has. The Pentagon war room plans where and when to strike after verifying that the command came directly from POTUS. Each worldwide command and launch crew gets an encrypted communication, including the Sealed Authentication System (SAS) and the missile codes. Within seconds, the launch crews receive the transmission and validate the SAS codes. If the launch is from a submarine, the Captain, Executive Officer, and two additional crew members validate the command. Missiles are unlocked and prepared for launch using the specified codes. When launching from land, the message is delivered to 45 separate launch crews in various places. They are divided into five groups, each with five crews. All crews verify the order. After that, the missiles are unlocked and prepared for launch. At launch moment, all crews turn their launch keys to fire missiles at the same time. To launch missiles, only two crews in each group must turn their keys. The missiles are finally launched.

Something as critical as a nuclear strike could never be done by an unauthorized party. Thus, all the steps previously mentioned are in place to ensure that the authorized crews will execute only an order coming from POTUS. Needless to say, the overwhelming majority of users will never order a nuclear strike. Still, the nuclear strike example serves as a helpful illustration to remind us that the more critical an action is, the more sophisticated and involved the associated authentication must be.

Authorizing large payments, deleting files, erasing databases, transferring data from one server to another, starting/stopping engines in a factory, opening/closing gates and roads, activating/deactivating alarms, elevating a moving bridge, allowing an airplane arrival/departure, increasing/decreasing the temperature of an entire facility are all examples of procedures that, if done by unauthorized parties, could lead to catastrophic results, including financial loss, operational disruption, social chaos, and even death. The decision of what kind of MFA will take place should correspond to how critical the activity associated with the authentication is.

However, keep in mind that using two or more instances of the same factor is not as strong as using different types of factors [16].
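To make the factors-versus-steps distinction from the "Breaking Down MFA" section and the point above about repeated factors of the same type concrete, here is an added example (my own illustration, not code from the article or any cited source) that classifies a login by the distinct factor types its authenticators supply; the sample authenticators are constructed to mirror the cases discussed in the text.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable

class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"

@dataclass(frozen=True)
class Authenticator:
    # One authenticator may supply several factor types in a single step,
    # e.g. a security key with a fingerprint sensor supplies HAVE and ARE.
    name: str
    factors: FrozenSet[Factor]

def distinct_factors(used: Iterable[Authenticator]) -> FrozenSet[Factor]:
    """Union of the factor TYPES supplied by every authenticator in one login."""
    result: FrozenSet[Factor] = frozenset()
    for auth in used:
        result = result | auth.factors
    return result

def describe_login(used) -> str:
    """Factors = distinct factor types; steps = authenticators the user acts on.
    Two authenticators of the same type are still SFA, per [16]."""
    factors, steps = len(distinct_factors(used)), len(used)
    label = "SFA" if factors < 2 else f"{factors}FA"
    return f"{label} in {steps} step(s)"

def meets_policy(used, required_factors: int = 2) -> bool:
    """Only distinct factor types count toward the required number."""
    return len(distinct_factors(used)) >= required_factors

# Constructed sample authenticators mirroring the examples in the text.
PASSWORD = Authenticator("password", frozenset({Factor.KNOW}))
SECURITY_QUESTION = Authenticator("security question", frozenset({Factor.KNOW}))
SMS_CODE = Authenticator("SMS code to phone", frozenset({Factor.HAVE}))
U2F_KEY = Authenticator("FIDO U2F security key", frozenset({Factor.HAVE}))
FIDO2_BIO_KEY = Authenticator("FIDO2 key with fingerprint sensor",
                              frozenset({Factor.HAVE, Factor.ARE}))

if __name__ == "__main__":
    for combo in [(PASSWORD,), (PASSWORD, SMS_CODE), (PASSWORD, SECURITY_QUESTION),
                  (PASSWORD, U2F_KEY), (FIDO2_BIO_KEY,)]:
        print(" + ".join(a.name for a in combo), "->", describe_login(combo))
```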

For More Information

Suppose you are just interested in adopting MFA as the new norm for accessing applications online. In that case, thankfully, that should not be too hard, as more and more companies and services are facilitating the configuration of at least 2FA for everyone. If you want to get deep in the weeds with authentication, great options for high-quality content for more technical education on IAM are available. NIST has a four-volume document suite on Digital Identity Guidelines [17] defining technical requirements in several areas related to authentication. The FIDO Alliance [18] is a comprehensive source of information about standards and technology, use cases, research and development, certifications, and more. IDPro provides an ongoing Body of Knowledge [19] in which one can find relevant information about several aspects of IAM.

Conclusions

MFA is necessary, and you should be using it to authenticate in every device and/or application you use. Relying on password-based authentication alone (something you know) can be dangerous, and statistics show that this remains one of the top causes of cybercrimes. The use of security keys, smartcards, and other physical devices (something you have) as a second factor of authentication can significantly improve the security of authentication systems. Biometrics (something you are), already in prominent use in mobile devices, is becoming more common in desktop and laptop computers. A large number of manufacturers and online services support MFA. Thus, it is highly recommended to enable at least 2FA in every possible online service immediately, as the benefits outweigh (by very far) any eventual inconvenience.

References

[1] S. Morgan, "Cybercrime Magazine," 29 March 2020. [Online]. Available: https://cybersecurityventures.com/top-5-cybersecurity-facts-figures-predictions-and-statistics-for-2019-to-2021/. [Accessed 10 November 2021].

[2] F. Richter, "Statista," 6 July 2021. [Online]. Available: https://www.statista.com/chart/25247/most-common-causes-of-ransomware-attacks/. [Accessed 10 November 2021].

[3] J. T. F., "Security and Privacy Controls for Information Systems and Organizations," NIST, 2017.

[4] P. A. Grassi, J. L. Fenton, E. M. Newton, R. A. Perlner, A. R. Regenscheid, W. E. Burr, J. P. Richer, N. B. Lefkovitz, J. M. Danker, Y.-Y. Choong, K. K. Greene and M. F. Theofanos, "Digital identity guidelines: authentication and lifecycle management," 2017.

[5] P. A. Grassi, M. E. Garcia and J. L. Fenton, "NIST Special Publication 800-63, Revision 3," NIST, 2017.

[6] J. Brainard, A. Juels, R. L. Rivest, M. Szydlo and M. Yung, "Fourth-Factor Authentication: Somebody You Know," in 13th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, 2006.

[7] S. U. Shah, A. A. Minhas and others, "New factor of authentication: Something you process," in 2009 International Conference on Future Computer and Communication, Kuala Lumpur, 2009.

[8] E. Grosse and M. Upadhyay, "Authentication at scale," IEEE Security & Privacy, vol. 11, no. 1, pp. 15-22, 2012.

[9] A. Ouda, "A framework for next generation user authentication," in 2016 3rd MEC International Conference on Big Data and Smart City (ICBDSC), Muscat, Oman, 2016.

[10] W. Newhouse, B. Johnson, S. Kinling, J. Kuruvilla, B. Mulugeta and K. Sandlin, "Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers," National Institute of Standards and Technology, 2019.

[11] A. Yuriy, "Medium," 10 November 2021. [Online]. Available: https://medium.com/webauthnworks/its-single-step-not-factor-clarifying-more-fido-terminology-d06d9c31b4f2. [Accessed 11 November 2021].

[12] "FIDO Alliance," 2021. [Online]. Available: https://fidoalliance.org/fido2/. [Accessed 11 November 2021].

[13] "FIDO Alliance," [Online]. Available: https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-overview.html. [Accessed 11 November 2021].

[14] S. Wajid Ali Shah, J. Jay Jeong and R. Doss, "The Conversation," 16 August 2021. [Online]. Available: https://theconversation.com/how-hackers-can-use-message-mirroring-apps-to-see-all-your-sms-texts-and-bypass-2fa-security-165817. [Accessed 11 November 2021].

[15] K. Walsh, "CNBC," 16 August 2017. [Online]. Available: https://www.cnbc.com/video/2017/08/16/if-president-trump-were-to-order-a-nuclear-strike-heres-what-would-happen.html. [Accessed 11 November 2021].

[16] R. A. Grimes, Hacking Multifactor Authentication, John Wiley & Sons, 2020.

[17] "NIST," [Online]. Available: https://pages.nist.gov/800-63-3/. [Accessed 11 November 2021].

[18] "FIDO Alliance," [Online]. Available: https://fidoalliance.org/. [Accessed 11 November 2021].

[19] "IDPro," [Online]. Available: https://idpro.org/body-of-knowledge/. [Accessed 11 November 2021].

David Silva

Senior Research Scientist at Algemetric.
