The four types of Multi-Factor Authentication (MFA) are knowledge, possession, inherence and location. These authentication types provide a foundation for a number of MFA methods, giving users multiple options for securing their data, ranging from SMS message tokens to hardware security keys. Which method is right for you or your business can depend upon what you have access to and how secure you want to be.
Keep reading to learn which MFA methods are the most secure and which method will best protect data for you or your business.
How Multi-Factor Authentication Works
MFA works by requiring one or more methods of authentication in addition to a traditional password in order to verify that a user should have access to an account. This adds another layer of security, because while a cybercriminal may be able to compromise one authentication factor, it’s significantly more challenging to compromise two at the same time.
Different methods of authentication verify identities in different ways – and some are more secure than others.
Why is multi-factor authentication important?
As cloud computing becomes the norm, our sensitive information is spread throughout the internet on various accounts, devices and cloud storage. This has increased the attack surface for all users – both individuals and organizations – and opened up more ways that cyber attacks can compromise users’ confidential data.
Because of this, data breaches are more common than ever. There were over 1,800 data breaches in 2022, with more than 422 million people affected, according to Statista. These data breaches often compromise passwords and other sensitive information.
If a set of credentials is compromised in a data breach, and a cybercriminal uses those credentials in a login attempt, the only thing stopping them from accessing the account would be multi-factor authentication.
Is multi-factor authentication secure?
Yes, multi-factor authentication is secure. Some MFA methods are more secure than others, but any MFA method will increase the security of an account. You should always choose to enable MFA when it’s available.
4 Types of Multi-Factor Authentication
There are four main types of authentication, including:
1. Knowledge: Something you know
Knowledge-based authentication relies upon something the user knows. For example, security questions verify identity by asking a secret question with an answer that only the user should know.
2. Possession: Something you have
Possession-based authentication verifies identity through what a user physically has. A badge with a chip that allows the user into the building, for example, is a type of possession-based authentication.
3. Inherence: Something you are
Inherence is based on inherited, unchangeable traits that the user has. If the previously mentioned security badge includes a photo of the user, then the badge would rely on both inherence and possession to verify identity. A more high-tech example is biometrics, such as a fingerprint scan.
4. Location: Somewhere you are
In a zero-trust cybersecurity environment, your physical location can be an authentication factor. Some apps and services require the user to be in a particular location in order to access them.
MFA Examples
There are many different methods for verification within the four categories above, but here are the most common methods that the average user will encounter in their digital life.
1. Time-Based One-Time Password (TOTP)
A TOTP is a code, usually a 6-digit number, that is only valid for a short period of time – often thirty to sixty seconds. With this method, the user can use a password manager that stores TOTP codes or download an authenticator app to store and access these codes. After entering their password to log in to an account, the user will be prompted to enter the code to verify their identity.
This is one of the most secure forms of MFA because the codes are protected and difficult to intercept. The only way a cybercriminal can steal the code is by compromising the device on which the code is generated, by stealing it or infecting it with malware.
2. SMS text message token
This method requires the user to enter their phone number when they create an account. When the user logs in with their credentials, they will be asked to enter a code sent by SMS text to their phone. With the code, they can then log in.
This is one of the less secure methods of MFA because phone numbers for individuals are usually easy to find online. If a cybercriminal has the user’s phone number, they can use a technique called SIM swapping to intercept their SMS texts.
The advantage is that it’s a convenient method and doesn’t require the user to download a new app. Some accounts offer SMS text tokens as the only MFA method. It’s better than no MFA at all, so if it’s the only option you should still use it.
3. Email token
Email tokens are similar to SMS tokens, but they use your email address to deliver the code. Similarly, the risk of email tokens is that a cybercriminal could hack your email account in order to get access to the code. If you use this method, be sure to secure your email account with a unique, complex password in order to protect it.
4. Hardware security key
A hardware security key is a physical token. After connecting it to your accounts, you should keep it in a secure location where you won’t lose it. When you log in to your account, you will usually insert the key into a USB port or tap it on your device. Your device will sense the key and validate your identity.
This is one of the most secure methods of authentication because it’s impossible for a cybercriminal to steal it over the internet. The only way this method could be compromised is if the physical key was stolen.
5. Biometric authentication
Biometric authentication validates your identity via facial recognition, fingerprint scan or iris scan. When first setting up biometric authentication, the user will register their fingerprint or facial scan with the device. Then the system will compare future scans to the first one to verify your identity.
Because everyone has a unique fingerprint and face, this can be quite secure. Fingerprints and facial recognition are already used widely on personal devices for login identification. It’s also often used as an MFA method for apps, commonly for banking or other apps with sensitive data. Biometrics are usually stored locally on the device to protect them.
The disadvantage of biometric authentication is if the user’s biometric information is leaked, it’s impossible to reset it like you would reset a password. If someone’s fingerprint is ever compromised, they should never use fingerprint scans as a method of authentication again. This is why it’s typically used as a second factor, or used as a convenient bypass to a code login (such as on your phone), and not as a primary identification factor.
6. Security questions
Security questions are often used to verbally confirm your identity, such as on the phone with your bank, but they are used digitally as well. If you choose to use security questions, be sure that the answer is truly confidential. It’s all too common for people to choose security questions that are easy to guess by looking up their online digital footprint. For example the answer to a question like “What is your dog’s name?” could easily be found on a user’s social media accounts. A common technique to prevent cybercriminals from finding the answer is providing fake answers that no one could ever guess. Just be sure to remember your fake answers!
7. Risk-based authentication
Risk-based authentication, or adaptive authentication, is the practice of changing the authentication required for access based on the level of risk. Risk-based authentication accounts for the human element. If users have to use multiple methods of authentication for every login, they can become frustrated. That may lead them to disable the MFA which leaves their account less protected.
With risk-based authentication, for example, an account may not require MFA when the user logs in on their work device, but would prompt the user for MFA when logging in on a different device. This means the user will get prompted for MFA less often, but a cybercriminal trying to hack into the account from their own computer would still get prompted for MFA.
MFA Keeps You Safe
No matter which method you choose, you should enable MFA for every account that offers it as an option. MFA is one of the best ways to protect your accounts, after using a strong password.
To make MFA more convenient, Keeper Password Manager has the ability to store TOTP codes and allows you to access them from any device. Keeper streamlines the authentication process and makes your life easier by automatically generating and securely storing strong passwords, passkeys and MFA codes.
Start Your Free Trial
