Keerthi Vibisan
Software Engineer at Grootan working on IAM

Multi-Factor Authentication (MFA)

Written by Human, Not by AI

Multi-Factor Authentication is an authentication method that requires users to provide two or more verification factors to gain access to a system or application, rather than relying on a single factor (which is commonly a password).

Can a combination of a password and a security-question check qualify as MFA?

No, a password plus a security-question check does not qualify as MFA, because the password and the security question belong to the same authentication category.

✔️ The purpose of MFA is to combine authentication factors from different authentication categories.

So to understand MFA, you need to understand authentication factors and authentication categories:

  • Authentication Factors - These are the specific methods used to verify a user's identity (e.g., password, OTP, fingerprint).
  • Authentication Categories - Authentication factors are grouped into categories based on the nature of the verification.

There are 3 types of authentication categories

  1. Something You Know (Knowledge-based) - This is the most common form of authentication. It is based on information that only the user should know.

    • Password
    • PIN
    • Security Questions
    • Passphrases
  2. Something You Have (Possession-based) - This type of authentication is based on something the user has or owns. It relies on a device or piece of software in the user's possession.

    • Mobile Device (OTP, Authenticator Apps)
    • Email (OTP, Link)
    • Security Token
    • Physical Keys (U2F/FIDO2)
  3. Something You Are (Biometric-based) - This type of authentication is based on what a user is. This uses some unique physical characteristics of a user to verify their identity.

    • Fingerprint Scanning
    • Facial Recognition
    • Iris or Retina Scanning
    • Voice Recognition

Conclusion

MFA works by combining at least two authentication factors from different authentication categories. By combining these factors, MFA reduces the risk of unauthorized access.

Example

  • something you know (password) + something you have (mobile phone for OTP)
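To make the rule concrete, here is a small policy check in Python that I am adding as an illustration (it is not code from the post or from any product). It maps each factor to its category using the three categories above, then counts distinct categories rather than factors, so password + security question and SMS OTP + email OTP are both rejected while password + OTP is accepted. The factor names and the `required_categories` parameter are my own; an unknown factor name fails closed instead of being ignored.

```python
from enum import Enum
from typing import Iterable


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed mapping of factor names to the category each belongs to.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "passphrase": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,
    "authenticator_app_otp": Category.POSSESSION,
    "email_otp": Category.POSSESSION,
    "security_token": Category.POSSESSION,
    "fido2_key": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
    "iris": Category.INHERENCE,
    "voice": Category.INHERENCE,
}


def categories_of(factors: Iterable[str]) -> set[Category]:
    """Return the distinct categories covered by the verified factors.
    An unknown factor name raises instead of being skipped, so a typo in a
    policy cannot make a single-category login look like MFA."""
    cats: set[Category] = set()
    for factor in factors:
        if factor not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authentication factor: {factor!r}")
        cats.add(FACTOR_CATEGORY[factor])
    return cats


def is_mfa(factors: Iterable[str], required_categories: int = 2) -> bool:
    """True only if the verified factors span at least `required_categories`
    different categories; two factors from one category count as one."""
    return len(categories_of(factors)) >= required_categories


if __name__ == "__main__":
    print(is_mfa(["password", "security_question"]))  # False: both knowledge
    print(is_mfa(["sms_otp", "email_otp"]))           # False: both possession
    print(is_mfa(["password", "sms_otp"]))            # True: know + have
    print(is_mfa(["password", "fingerprint", "fido2_key"], 3))  # True
```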