
Multi-Factor Authentication (MFA)

Learn what Multi-Factor Authentication (MFA) is and how it works. Explore the MFA process and find out what factors can be used during the MFA flow.

What Multi-Factor Authentication (MFA) Is

MFA is a secure way of verifying who the user is before allowing them to access the desired application or perform any other sensitive operation. It is mostly used during the login process. MFA provides increased security and is a core component of a strong identity and access management policy. It helps reduce the risk of unauthorized access and ensures that the party initiating a sensitive operation is the right one. When MFA is used to confirm a specific operation rather than a login, it is called transactional MFA, since it occurs outside the traditional authentication context.

How Multi-Factor Authentication (MFA) Works

MFA is a security mechanism that adds an extra layer of protection, so that authentication is performed using at least two factors, for example, a username and password plus a verification code. In the context of the OAuth 2.0 flow, this security layer is applied when the resource owner is asked for an authorization grant by the client application via the authorization server (see RFC 6749, sections 1.2 and 1.3).

As part of this process, the authorization server must authenticate the resource owner and ask for their authorization. MFA can be applied at both of these stages (login and consent).

[Figure: How MFA Works]

MFA requires multiple methods of authentication from independent categories of credentials. It combines two or more credentials, each corresponding to a different category (authentication factor). The three most common authentication factors are:

  • Knowledge factor: what the user knows (for example, a password or PIN)

  • Possession factor: what the user has (for example, a mobile phone, a security token, a mailbox)

  • Inherence factor: what the user is (for example, biometric verification or voice recognition).

Authentication Factor Types

There are a number of MFA types:

  • Mobile apps: MFA software’s mobile apps

  • Software token: Offline tokens that enable users to use MFA mobile apps

  • Push notifications: Sent to a user’s mobile device asking them to approve or deny the authentication request

  • Hardware token: Pieces of hardware users carry with them to authenticate their identity, for example, USB devices

  • One-time passwords (OTP): Authentication codes sent via SMS, voice, or email

  • Risk-based authentication (RBA) software: Intelligent or adaptive MFA uses real-time information about end users to evaluate their risk and prompt them to authenticate when needed.

  • Passwordless authentication: Passwordless (invisible) authentication uses RBA factors (for example, location or IP address).

  • Biometrics: Biometric authentication factors, for example, facial or fingerprint recognition

  • MFA as a service: Using an MFA provider who offers a cloud-based MFA solution as a service

  • On-premises MFA: On-premises MFA solutions run locally on your server.

  • Offline-available MFA: Authentication using a mobile app with offline access to OTPs or one that uses a hardware-based U2F security key

  • Enterprise solutions: Companies that manage MFA at a large scale for a number of users need software offering administrator consoles, endpoint visibility, and single sign-on (SSO)