Multi-Factor Authentication – A Complete Guide

Friday 13th October, 2023

In the spirit of Cybersecurity Awareness Month 2023, throughout which we have been focussing on enhancing your digital defences and promoting online safety, we’re taking a deep dive into the topic of multi-factor authentication (MFA).

In an era where cyber threats continue to evolve, leaving both IT professionals and consumers grappling with the ever-looming threat of data breaches, KHIPU remains steadfast in its mission to help people and businesses stay safe online. Let’s explore how MFA plays a vital role in fortifying our digital world.

Multi-factor authentication, or MFA, is a critical tool used by businesses to validate the identities of individuals accessing their online platforms. In this KHIPU Insight, we’ll provide answers to some of the most common questions surrounding multi-factor authentication.

What is Multi-Factor Authentication (MFA)?

MFA stands for Multi-Factor Authentication. It is an additional layer of security used to ensure that people trying to gain access to an online account are who they say they are. MFA requires users to provide two or more verification factors before they can access an account. These factors typically fall into one of three categories:

  1. Something you know: This could be a password or a personal identification number (PIN).
  2. Something you have: This might be a smartphone, security token, or smart card that generates or receives authentication codes.
  3. Something you are: This includes biometric factors like fingerprints, retina scans, or voice recognition.

Why is MFA so important?

  1. Enhanced Security: MFA provides an extra layer of security beyond just a password, making it significantly more difficult for attackers to gain unauthorized access.
  2. Reduced Risk of Unauthorized Access: Even if a hacker managed to steal your password, they would still need the additional authentication factor to access your account.
  3. Protection Against Phishing: MFA can prevent phishing attacks where attackers trick users into revealing their passwords. Even if the attacker obtains the password, they still need the second factor to access the account.
  4. Compliance Requirements: Many regulatory standards and compliance frameworks require the use of MFA to protect sensitive information and systems.
  5. Securing Personal and Financial Information: With the increasing number of online services handling sensitive data and financial transactions, MFA is crucial in protecting personal and financial information from unauthorized access.

Implementing MFA significantly strengthens the security posture of any system or online account, making it an essential practice in the field of cybersecurity.

What is the difference between multi-factor and two-factor authentication?

Two-Factor Authentication (2FA): 2FA means using two different ways to prove you are who you say you are before you can access your account. It’s like having two locks on your door instead of one. For example, when you log in, you enter your password (first lock) and then a special code sent to your phone (second lock). Both are needed to get in.

Multi-Factor Authentication (MFA): MFA is like 2FA but with extra options. Instead of just two ways to prove your identity, you can use several. For example, you could have a fingerprint scan, a password, and a code from an app. It’s like having multiple locks and each one needs a different key. More locks make it much harder for someone to break in, even if they have one of the keys.

In simple terms, 2FA uses two locks (methods) to protect your account, while MFA uses more than two locks, adding extra layers of security to keep your information safe.

Multi-factor vs two-factor authentication – a technical breakdown

Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) are related concepts, but they are not exactly the same. Both provide additional layers of security beyond just a username and password, but they differ in the number of factors they require for authentication.

Two-Factor Authentication (2FA):

  • Two Factors: 2FA requires users to provide two different authentication factors before gaining access to an account.
  • Typical Factors: The two factors in 2FA usually include something you know (password) and something you have (like a smartphone or security token).
  • Example: When you log into an account with 2FA enabled, you typically enter your password (something you know) and then receive a verification code on your smartphone via an app or SMS (something you have). Both factors are required to access the account.

Multi-Factor Authentication (MFA):

  • More Than Two Factors: MFA, as the name suggests, involves using multiple factors for authentication. It can include not just something you know and something you have but also something you are (biometric factors like fingerprints or facial recognition).
  • Flexible Approach: MFA provides a more flexible approach by allowing the use of various combinations of factors. For example, you could use a fingerprint scan (something you are) along with a password (something you know) and a security token (something you have) for MFA.
  • Example: In an MFA setup, you might need to provide a fingerprint scan, a password, and a verification code from an authentication app. All three factors are required to access the account.

In summary, while 2FA is a subset of MFA, MFA is a broader concept that encompasses the use of multiple factors (beyond just two) for authentication. MFA provides a higher level of security because it incorporates a variety of factors, making it more challenging for unauthorized users to gain access to an account even if they manage to compromise one of the factors.

What are some examples of MFA?

Authentication Apps:

Many services provide authentication apps like Google Authenticator or Authy. After entering your password, the app generates a time-sensitive code that you must enter to access your account. This code changes every few seconds, adding an extra layer of security.

Text Messages or Phone Calls:

After entering your password, the service sends a one-time code to your phone via text message or phone call. You need to enter this code to complete the login process. This ensures that even if someone knows your password, they can’t log in without also having access to your phone.

These methods use something you know (your password) along with something you have (your smartphone or authentication app) to confirm your identity, making it much more difficult for unauthorized users to access your accounts.

Biometric Authentication:

Some devices and services use biometric information like fingerprints, facial recognition, or even iris scans as an additional factor for authentication. For instance, on smartphones, you can use your fingerprint or face to unlock the device or access specific apps. Biometric MFA relies on unique physical or behavioural traits, adding a layer of security based on who you are, in addition to what you know (password) or have (authentication token). These methods demonstrate the diverse ways MFA can enhance security, combining different factors to ensure the authenticity of the user attempting to access an account or device.

What is the strongest authentication factor and what is the weakest?

Strongest Authentication Factor

Biometric Authentication (Something You Are):

Biometric authentication methods, such as fingerprints, facial recognition, or iris scans, are considered the strongest because they are unique to each individual and difficult to replicate. Biometric data provides a high level of security because it’s based on physical or behavioural characteristics that are hard to forge or steal.

Moderate Authentication Factors

Possession-based Authentication (Something You Have):

Possession-based methods like security tokens, smart cards, or authentication apps are moderately strong. They require the physical possession of a device or token, which provides an added layer of security beyond passwords. However, if the device or token is lost or stolen, there is a potential risk.

Knowledge-based Authentication (Something You Know):

Knowledge-based authentication includes passwords, PINs, or security questions. While widely used, these are weaker than biometric and possession-based methods because they can be forgotten, guessed, or easily stolen through techniques like phishing or social engineering.

Weakest Authentication Factors

Social Engineering or No Authentication:

The weakest form of authentication is no authentication at all, where anyone can access a system or account without any form of verification. Social engineering, where attackers manipulate individuals into revealing sensitive information, is also a very weak form of authentication because it relies on tricking people rather than using specific credentials or methods.

Knowledge-based authentication (Something You Know):

This category includes information like passwords, PINs, or answers to security questions.

Passwords, in particular, have several vulnerabilities:

  1. They can be easily guessed: People often use weak passwords that are easy to guess, especially if they use common words, phrases, or patterns.
  2. They can be stolen: Passwords can be intercepted in transit, obtained through phishing attacks, or stolen from poorly protected databases during data breaches.
  3. They can be forgotten or shared: Users might forget complex passwords, leading to insecure practices like writing them down. Additionally, passwords are sometimes shared among multiple accounts, compromising security.

For these reasons, knowledge-based authentication is generally considered the weakest factor in the MFA framework. Implementing additional factors, such as possession-based (Something You Have) or biometric (Something You Are) authentication, significantly enhances security by providing multiple layers of verification.

It’s important to note that the strength of authentication factors can vary based on implementation and context. For instance, a poorly implemented biometric system might be weaker than a well-designed and securely managed password system. Security best practices often involve using multiple factors (Multi-Factor Authentication) to create a stronger overall security posture.

Is biometrics classed as MFA?

Yes, biometrics can be considered a form of Multi-Factor Authentication (MFA). Biometric authentication involves using unique physical or behavioural traits, such as fingerprints, facial recognition, or iris scans, to verify a person’s identity. In the context of MFA, biometrics fall under the category of “Something You Are,” where the authentication process relies on the individual’s unique biological characteristics.

When combined with other factors like passwords (Something You Know) or security tokens (Something You Have), biometric authentication enhances security by adding an additional layer of verification. This multi-layered approach, using a combination of authentication factors, provides a more robust and secure way to confirm a user’s identity and protect sensitive information.


We hope that this guide to multi-factor authentication has been helpful in explaining just how effective MFA can be, when implemented correctly.

To find out more about our MFA solutions, you can read more about Okta – which is an enterprise-grade identity management service – or complete the form below to contact one of the KHIPU team.
