Single-factor, Two-factor, and Multi-factor Authentication (2024)


Authentication is the process of determining whether someone or something is, in fact, who or what it says it is. The number of factors required for users to prove their identities often depends on the sensitivity of the data and digital resources involved.


For example, online retail stores often only require users to provide one piece of verifiable information, such as a password, to access their online accounts. You might not want others to know what you purchased on a particular site, but sensitive information is not at risk. However, financial institutions handle much more sensitive data, such as account balances and payments, so they often require users to provide at least two pieces of verifiable information to access their online accounts.


The number of factors required for each authentication method is reflected in its name:

  • Single-factor Authentication (SFA): Requires users to provide one verifiable credential to access online resources.

  • Two-factor Authentication (2FA): Requires users to provide two verifiable credentials to access online resources.

  • Multi-factor authentication (MFA): Requires users to provide at least two verifiable credentials to access online resources.

If one factor is compromised, others are unlikely to be, so there’s greater security in requiring users to authenticate themselves using additional factors. The goal is to appropriately balance the security needed to protect online resources with the user experience and make the overall authentication experience as painless as possible.


Verifiable information falls into three different categories:

  • Knowledge factors: Things that you know. This typically includes passwords, personal identification numbers (PINs), and one-time passwords (OTPs). It may also include asking the user to answer a security question, such as the name of the street you grew up on.

  • Possession factors: Things that you have. This includes a device or something else in a user's possession. It may include an authenticator app on a mobile device, security keys, or a security token, which is a hardware device that plugs into your computer's USB port. A smartphone frequently provides the possession factor in conjunction with a one-time passcode (OTP) app.

  • Inherence factors: Things that you are. This is where "biometrics" come in. It may include a fingerprint scan, facial recognition, retina scan, or voice authentication.

To learn more about the most common types of verifiable information used and the pros and cons of each, see Authentication.

Single-factor Authentication (SFA)


With SFA, users are only required to provide one piece of verifiable information to authenticate. This information might be anything from a knowledge factor, such as a password, to a biometric factor, such as a fingerprint.


Note that SFA is not necessarily less secure than 2FA or MFA. SFA refers to the number of factors used -- in this case, one -- to authenticate, and not to the type of authentication used. Passwords are the most common type of SFA used and are often compromised or forgotten. However, fingerprints are another type of SFA and are considered one of the most secure methods available because they’re difficult to fake.


Also note that SFA and single sign-on (SSO) are not the same thing. SFA refers to the number of pieces of verifiable information required to authenticate, while SSO is an authentication process that allows users to sign on to their applications and services with one set of credentials.

How does SFA work?


SFA requires users to provide one piece of verifiable information to authenticate.

  1. Users provide the required information, which could be a password, a PIN, or fingerprints.

  2. The online resource compares the information provided with the authentication information it has stored in the system.

  3. If the authentication information provided matches the information in the system, users are granted access. If it doesn’t match, users are denied access.

Two-factor Authentication (2FA)


With 2FA, users are required to provide two pieces of verifiable information to authenticate. 2FA was designed to add an additional layer of security to sensitive information. Primary credentials and passwords are often forgotten or compromised, so 2FA can be used to help ensure that sensitive information is secure.


The two pieces of verifiable information requested must be from different categories. For example, sign-on processes might require that users provide their usernames and passwords (something they know), and a fingerprint (something they are) to access their systems and applications. Or, sign-on processes might require that users provide their usernames and passwords (something they know), and proof that their smartphone is in their possession (something they have).

How does 2FA work?


2FA requires users to provide two pieces of verifiable information to authenticate. The verifiable information requested must be from different authentication categories.

  1. Users provide the first piece of required information, which could be a password or PIN.
  2. The online resource compares the information provided with the authentication information it has stored in the system.
  3. If the authentication information provided matches the information in the system, users are asked to provide the second piece of required information, which could be a one-time passcode (OTP), or a fingerprint.
  4. If the authentication information provided matches the information in the system, users are granted access. If it doesn’t match, users are denied access.
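The four steps above, written out as an added example (not code from the original article). It assumes the first factor is a password stored as a salted PBKDF2 hash and the second is a time-based OTP from an authenticator app (RFC 6238); the record layout and function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def hash_password(password, salt):
    """Salted, slow hash; the server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def totp(secret, at, digits=6):
    """RFC 6238 code for Unix time `at` (HMAC-SHA1, 30-second step)."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def enroll(password, secret):
    """Build the stored record (hypothetical layout for this example)."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": secret, "last_step": -1}

def authenticate(record, password, code, at):
    """Returns 'denied', 'second_factor_required' or 'granted'."""
    # Steps 1-2: compare the knowledge factor in constant time.
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return "denied"
    # Step 3: only after the first factor matches, ask for the second.
    if code is None:
        return "second_factor_required"
    # Step 4: accept the current or previous time step (clock drift),
    # but never a step that was already used (replayed code).
    now_step = int(at) // STEP
    for step in (now_step, now_step - 1):
        expected = totp(record["totp_secret"], step * STEP)
        fresh = step > record["last_step"]
        if fresh and hmac.compare_digest(expected.encode(), code.encode()):
            record["last_step"] = step
            return "granted"
    return "denied"
```

Recording the last accepted time step is what stops an intercepted code from being used a second time within its validity window.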

Multi-factor Authentication (MFA)


With multi-factor authentication, users are required to provide more than one piece of verifiable information to authenticate. MFA was designed to add additional layers of security to sensitive information.


Note that 2FA is also considered MFA because more than one credential is required to sign on. But MFA often involves more than two credentials.


As with 2FA, the pieces of verifiable information requested must be from different categories. Sign-on processes might require that users provide their usernames and passwords (something they know), but also require either something they have, such as a fob or smartphone, or something they are, such as a fingerprint or retina scan.

How does MFA work?


MFA works the same way as 2FA, but users are required to provide a minimum of two pieces of verifiable information to authenticate. Both of these diagrams show examples of MFA.

The increasing role of AI in authentication

Everyone agrees that authentication is important, but it must strike a balance between its role as a security enforcer and its position as the front door to your organization. You don't want known, low-risk employees to undergo rigorous authentication each time they log in; such an experience would be frustrating and a barrier to productivity. If you make the experience of registering or purchasing too cumbersome for customers, there's a good chance those customers will take their business elsewhere.

That's where artificial intelligence (AI) comes in. As MFA integrates machine learning and AI, authentication methods become more sophisticated and more attuned to who is logging in and whether anything is different about this login attempt or online behavior. When the context changes, such as the user's location or device, or even the sensitivity of the app being accessed, additional risk-based authentication is triggered; this is known as step-up authentication. When all the context is as expected, the system requires less authentication, which makes access easier for the user.
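A step-up decision of the kind described above, as an added example (not code from the original article). Fixed weights stand in for the risk score a trained model would produce; the weights, thresholds, method names and profile fields are all assumptions. Factors are counted by category, so a password plus a security question still counts as one.

```python
# Map each verification method to the category it belongs to.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "security_question": "knowledge",
    "authenticator_app": "possession", "security_key": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

# Assumed weights; a real deployment would use a model's risk score.
WEIGHTS = {"new_device": 2, "new_country": 2, "sensitive_app": 1}

def risk_score(ctx, profile):
    """Sum the weights of every context signal that deviates from the profile."""
    signals = {
        "new_device": ctx["device_id"] not in profile["known_devices"],
        "new_country": ctx["country"] not in profile["usual_countries"],
        "sensitive_app": ctx["app"] in profile["sensitive_apps"],
    }
    return sum(WEIGHTS[name] for name, hit in signals.items() if hit)

def categories_required(score):
    """Assumed thresholds: expected context needs one category, more risk needs more."""
    if score == 0:
        return 1
    return 2 if score <= 2 else 3

def decide(ctx, profile, verified_methods):
    """Return ('allow', []) or ('step_up', [categories still missing])."""
    have = {CATEGORY[m] for m in verified_methods}
    need = categories_required(risk_score(ctx, profile))
    if len(have) >= need:
        return "allow", []
    return "step_up", sorted(set(CATEGORY.values()) - have)
```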

Balancing security and the user experience


As you can see, there are a wide variety of ways users can be authenticated, and the methods used depend on the sensitivity of the information being accessed.


At first, it might seem like a good idea to protect all of your digital resources with the most secure methods available, such as facial recognition or fingerprints. However, those methods require users to have recognition technologies available, which can be expensive. On the other hand, if you’re not protecting sensitive information, you might consider using SFA with a password or PIN, or 2FA with a mobile phone if most of your users have them. Although these methods might not provide the highest level of security, they are easier and less expensive to implement. The trick is finding the appropriate balance between security and the user experience.

Conclusion: the need for MFA


Authentication used to be simpler, back when all employees were connected to a network and accessed applications and resources in a centralized data center. Now, employees connect using multiple devices, many of them unmanaged, and they are constantly on the move, connecting from home, public Wi-Fi, and often from various geolocations. Organizations serving customers—whether they're consumers, patients, citizens, students, or others—must provide a simple, low-friction experience while managing identities that may number in the millions.

The use of a modern authentication system, including artificial intelligence and machine learning, enables organizations to provide the necessary security to keep intruders out. At the same time it makes access easy for legitimate users to keep employees productive and customers happy.

Article information

Author: Msgr. Refugio Daniel
