
What Is MFA?

Multi-factor authentication (MFA) is a security method in which users must verify their identity using two or more distinct forms of identification, such as a password, a fingerprint, an SMS verification code, or a smart card, which can be combined in different ways. Requiring more than one factor improves the security and reliability of user accounts.

Why Is MFA Required?

As digitalization spreads worldwide, communicating, shopping, and working over computer networks have become mainstream. At the same time, cybercrime has risen in recent years, with increasingly sophisticated attack vectors, and the resulting economic losses have grown. Securing enterprise information, personal information, and network devices is therefore critical.

An important task is to verify the identity of anyone who wants to access applications, services, and network devices. A defense that relies on a single form of identification is weak and risky. Passwords are exposed to attacks such as brute force cracking, credential stuffing, and phishing emails. Keys and door cards can be lost or stolen. Worse still, leaked biometric data cannot be changed the way a password can, so its compromise poses a lasting threat. This is why MFA is needed.

The most common and simplest way to strengthen access control is to use MFA to verify a user's identity, thereby improving account security and reliability.

What Are the Common Identification Forms?

Common identification forms include:
  • Knowledge factor: something the user knows, such as a password, personal identification number (PIN), or security question answer.
  • Possession factor: something the user has, in the form of a software token or a hardware token.
    • Software token: SMS verification code, email verification link, one-time verification code, or QR code provided by the service provider (for example, WeChat QR codes that a user scans for authentication).
    • Hardware token: a dedicated physical object, such as an ID card, driving license, passport, key card, or hardware security key (encryption lock).
  • Inherent factor: something the user is, that is, biometric features, either physiological (fingerprints, voice, facial features, iris, retina patterns, DNA) or behavioral (handwritten signatures, keystroke dynamics, speech patterns).
  • Location factor: a specific location, device, or IP address range.
  • Time factor: a specific time range.

If the forms of identification presented are all of the same type, for example password + security question answer (both knowledge factors) or ID card + SMS verification code + email verification link (all possession factors), the result is single-factor authentication (SFA), not MFA, no matter how many forms are combined.

In short, MFA requires users to present two or more forms of identification from different factor categories.

What Is the MFA Process?

Whether a user logs in to an application, a service, or a network device, the MFA process is the same. The following uses the MFA process of an application as an example:
  1. A user logs in to an application.
  2. The user enters the login credential, usually the account name and password, for initial authentication.
  3. After the initial authentication succeeds, the user is prompted to submit the second form of identification.
  4. The user enters the second form of identification into the application for secondary authentication.
  5. If only two forms of identification are configured and the second authentication passes, the user is granted the corresponding system permissions. If three or more forms are configured, the user submits each additional form as prompted, and permissions are granted only after all forms have been verified.
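The steps above carried through in code, as an added example that is not part of the original page or of any vendor's product: the first factor is a password checked against a PBKDF2 hash, the second is a time-based dynamic token (TOTP, RFC 6238, built on HOTP, RFC 4226) bound to a secret on the user's device. The user record, the salt, the secret (the RFC 6238 test seed) and the function names are assumptions for illustration. The verifier accepts one time step of clock drift either way and records the last step used, so an intercepted code cannot be replayed while it is still valid.

```python
import hashlib
import hmac
import struct

# Constructed example: password-plus-TOTP login flow. User record, salt,
# secret and helper names are assumptions, not code from the original page.

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256; plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, last_step: int,
                step: int = 30, window: int = 1):
    """Check `code` against the current step and +/- `window` neighbours (clock drift).

    Returns (ok, step_used). Steps no newer than `last_step` are refused, so a
    code that was already accepted cannot be replayed within its validity period.
    """
    current = now // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_step


SALT = b"constructed-salt"          # per-user random salt in a real system
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test seed (ASCII)
        "last_step": 0,
    }
}


def mfa_login(username: str, password: str, code: str, now: int) -> str:
    """Sequential MFA: knowledge factor (password) first, then possession factor (TOTP)."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which names exist.
    expected = user["pw_hash"] if user else hash_password("", SALT)
    if not user or not hmac.compare_digest(hash_password(password, SALT), expected):
        return "denied: first factor failed"
    ok, used = verify_totp(user["totp_secret"], code, now, user["last_step"])
    if not ok:
        return "denied: second factor failed"
    user["last_step"] = used        # burn this time step so the code cannot be reused
    return "granted"
```

The flow follows the page's step 3 literally: the second prompt appears only after the password is accepted. That confirms a correct password to whoever is typing, so many deployments collect both factors on one form, or always show the second prompt, to avoid giving an attacker that signal.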

What Are the Typical Applications of MFA?

Typically, MFA combines two or more distinct forms of identification, such as:
  • Knowledge factor + Possession factor: Employees remotely log in to the office system through a VPN using a password and an SMS verification code. Payment systems for gaming, shopping, and mobile apps similarly combine a password with an SMS verification code or QR code scan. (A CAPTCHA, often shown beside the password on email or social media logins, only shows that a human is present; it does not identify the user and is not an authentication factor.)
  • Knowledge factor + Location factor: When a user logs in to the system via an email address or social media account, two forms of identification are involved: a password and a permitted IP address range.
  • Knowledge factor + Time factor: The authentication process of the coupon redemption systems of mobile apps involves two forms of identification: a password and a permitted time range.
  • Possession factor + Inherent factor: The ticket checking systems in railway stations and airports involve two forms of identification: a valid identity document (such as an ID card or passport) and facial recognition.
  • Possession factor + Location factor + Inherent factor: The clock-in and clock-out systems of some companies involve three forms of identification: the employee's smartphone, a permitted location range, and facial features.
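The rule that forms of the same type do not add up to MFA, together with the location and time factors used in the examples above, as an added example in Python that is not code from the original page or from any vendor. The evidence names, the policy (a permitted source range and a permitted window of hours) and the helper functions are assumptions for illustration; the per-factor verifiers for passwords, codes and biometrics are represented by the boolean result they would return.

```python
import ipaddress

# Constructed example: decide whether presented evidence amounts to MFA (two or
# more distinct factor categories) or only SFA, and enforce the location and time
# factors against a policy. Names and policy values are assumptions.

# Which factor category each kind of evidence belongs to.
FACTOR_OF = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "sms_code": "possession",
    "email_link": "possession",
    "hardware_token": "possession",
    "id_card": "possession",
    "fingerprint": "inherent",
    "face": "inherent",
    "source_ip": "location",
    "login_hour": "time",
}

# Constructed policy: allowed source networks and an inclusive window of hours.
POLICY = {
    "allowed_networks": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("203.0.113.0/24"),
    ],
    "allowed_hours": (8, 20),   # 24-hour clock, inclusive
}


def evidence_valid(kind, value, policy):
    """Check one piece of evidence.

    Location and time are evaluated here against the policy. For every other
    kind, `value` is the True/False result already produced by that factor's own
    verifier (password hash comparison, OTP check, biometric match, and so on).
    """
    if kind == "source_ip":
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in policy["allowed_networks"])
    if kind == "login_hour":
        start, end = policy["allowed_hours"]
        return start <= int(value) <= end
    return value is True


def evaluate_login(evidence, policy=POLICY):
    """Return (decision, verified_categories).

    decision is "denied" if any piece of evidence fails, "mfa" if the verified
    evidence spans two or more factor categories, and "sfa" if it all comes from
    one category (for example password + security question), however many forms
    were presented.
    """
    verified = set()
    for kind, value in evidence.items():
        category = FACTOR_OF.get(kind)
        if category is None:
            raise ValueError(f"unknown evidence kind: {kind}")
        if not evidence_valid(kind, value, policy):
            return "denied", verified
        verified.add(category)
    if len(verified) >= 2:
        return "mfa", verified
    return "sfa", verified
```

A policy that requires MFA would treat the "sfa" outcome as a denial; it is kept distinct here so the difference between "three forms presented" and "two factors verified" is visible.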

What Are the Advantages and Disadvantages of MFA?

Advantages

Improved security is the main benefit of MFA. In the current digital era, service providers and enterprises have become prime targets of cyber attacks. Attackers steal identity credentials to break into the enterprise intranet, which can cause great losses. MFA adds a further barrier between attackers and enterprise networks by requiring other forms of identification in addition to login names and passwords.

MFA makes it difficult for attackers to take over accounts even if they steal the password, because they still need another factor to gain access. Since the second factor is usually bound to a device the user holds, MFA protects most accounts against credential theft. Note that SMS and time-based codes can still be relayed by a real-time phishing page; factors bound to a hardware security key resist this better.

Another benefit is how widely MFA can be deployed. Smartphones are ubiquitous, and their positioning and facial recognition capabilities let service providers and enterprises enforce MFA in systems and applications, and even on VPNs into enterprise intranets, to protect network access.

Disadvantages

Some enterprises choose not to adopt MFA because of certain concerns. The first concern is work efficiency. Under the traditional static password login mechanism, employees already spend some time each month logging in to their accounts. MFA lengthens every login, because employees must provide other forms of identification in addition to the password. MFA also often takes the form of time-based dynamic tokens (TOTPs), whose validity period is short: if a code expires before it is entered, the employee has to wait for the next one, which again affects efficiency.

Another concern is that MFA is difficult to implement. It only delivers its full benefit once it covers all IT resources, because any resource left on password-only login remains a weak point; a rollout across the enterprise therefore means enumerating and integrating every resource.

The last concern is the installation and maintenance cost, including the cost of purchasing and replacing tokens and renewing software. For example, if a form of identification held by an enterprise or an individual is lost or stolen, the loss must be reported and a new form applied for and set up, which raises maintenance costs for enterprises, individuals, and maintenance vendors alike. Protecting infrastructure such as local systems and networks also requires tools to manage MFA, which increases the IT security budget and O&M costs of enterprises.

However, the advantages of MFA outweigh its disadvantages. To protect networks, users, and employees, enterprises still choose to enforce MFA as part of their access management strategy.

What Are the Differences Between MFA and 2FA?

The differences between MFA and 2FA are listed in the following table.
Table 1-1 Differences between MFA and 2FA
  • Number of identification forms: MFA ≥ 2FA. MFA requires two or more distinct forms of identification, while 2FA requires exactly two; 2FA is therefore the simplest case of MFA.
  • Security: MFA ≥ 2FA. MFA may require more forms of identification than 2FA, which further improves account security and reliability.
  • Number of users: MFA ≤ 2FA. 2FA is common in daily work and life. MFA with three or more forms of identification is generally used in special industries such as scientific research and the military sector.
  • User experience: MFA ≤ 2FA. Each additional form of identification adds an authentication step and waiting time, which affects the user experience.
  • Installation and maintenance costs: MFA ≥ 2FA. Each additional form of identification makes the network devices and software systems more complex and raises maintenance costs.
  • Confidential information level: MFA ≥ 2FA. MFA with three or more forms of identification is used to protect confidential and top-secret information in fields such as scientific research and military affairs.

By weighing these differences against the actual application scenario and network conditions, you can select the most suitable user authentication scheme, which helps ensure both the security and the operability of data and systems.

Common Authentication Modes on Huawei Firewalls

Common authentication modes on Huawei firewalls include:
  • Local authentication: User information is stored on the firewall. When a user opens the portal authentication page and submits the user name and password to the firewall, the firewall authenticates the user itself.
  • Server authentication: User information is not stored on the firewall. When a user opens the portal authentication page and submits the user name and password to the firewall, the firewall forwards the credentials to a third-party authentication server for identity authentication.
  • Single sign-on (SSO): The user sends the user name and password to a third-party authentication server. After the user passes authentication, the server sends the user's identity information to the firewall. The firewall only records this identity information and does not take part in the authentication itself.

For more information about products, see HUAWEI USG6000E User and Authentication Configuration Guide.
