
InfoSec Basics - Multi-factor Authentication

Multi-factor Authentication, or “MFA”, can be quite confusing, but I think that is because of the number of variations and solutions rather than the concept itself. There’s “multi-factor authentication” and “MFA”, but then we have a number of other terms, such as “2-factor authentication” and “2FA” – these latter two are simply MFA where the number of factors is two. (Technically correct, but I think it’s debatable whether the distinction is useful, and I worry that it actually generates more confusion than it resolves.)

As previously described, our basic process for providing user access is to identify a user, confirm that identity (authentication), then provide the appropriate access (authorization). MFA focuses on making the authentication step more robust.

Generally, a process is defined as MFA when it requires two or more different “factors” before accepting that a user is who they claim to be. (Two passwords are still one factor: the factors must be of different kinds.) The factors can be described (and many sources use almost exactly this wording) as follows:

  • Something you know (“knowledge factor”)

  • Something you have (“possession factor”)

  • Something you are (“inherence factor”)

But what IS a factor, really?

A factor is simply a way of classifying methods by which we can confirm our identity. (The Wikipedia article actually describes “Somewhere you are” as an additional “location-based” factor, but I won’t really talk about that as most sources only discuss three factors, and location-based factors are relatively uncommon in use.)

Something you know

This is the most common factor – often the only one used – and is usually a password or a PIN (personal identification number). If it’s compromised, however, it can be used without you even being aware of it. That’s why long, unique passwords are recommended – to minimize the impact when a password is compromised: if my password for my cat video site is leaked, my dog video site is still safe. (Incidentally, “secret questions” like “where were you born?” are not considered secure, as the answers are generally simple to find out – one possible workaround is to make up random answers to these questions and record them somewhere safe...)

Something you have

A simple example is the key to a door: if you don’t have it, you cannot open the door. In computing, these are usually referred to as “tokens”, and fall into three main groups:

Disconnected tokens

  • Are “disconnected” in that they are not physically connected to the computer being accessed.

  • Usually involve a step in the authentication process where the user types in the number showing on the token, which changes every 30 or 60 seconds

  • In the “old days”, many technology professionals (including me) had one of these:

Connected token

  • Physically connected to the computer being accessed, usually via USB, but also potentially via NFC, Bluetooth or Wi-Fi

  • One example - Note that this is described as “2FA”...

Software token

  • This is where the “token” is software on a device you already carry (usually your phone), often implemented to mimic an old-style physical token by generating the same kind of rotating code. A number of vendors provide apps like this, including Google Authenticator, Authy, Okta Verify, and others.

Something you are

This factor refers to biometrics. This is a fascinating area, and is developing very rapidly. While the most common examples are fingerprints and facial recognition, there are many others, including gait analysis (i.e., the way you walk), retinal or iris scans, scans of the veins in your palm, voice recognition, and so on.

Without going down too many rabbit holes, there are a lot of interesting and challenging questions in this area, including (but by no means limited to):

  • How certain can we be that the feature in question is unique to the person?

  • How reliably/quickly can we measure the feature?

  • How do we store the biometric data gathered?

  • Can the “feature” be reproduced by an attacker?

See the so-called “gummy bear attack”, which defeated early fingerprint readers with a gelatin copy of a fingerprint.

Also, the Cisco Talos security team was able to defeat fingerprint authentication on a range of devices using fake fingers cast from 3D-printed moulds.

  • Does the feature change over time? If so, how can we be sure that the “same person” can be reliably identified / authenticated over time?

  • Can the feature be deliberately altered?

  • What are the privacy implications of all of this?

  • What happens if the data is compromised?

  • Should biometrics be treated as an “authentication” mechanism (proof that you are Alice), or an “identification” mechanism (a claim to be Alice, like a username)? Or both?

This area of study is still young, so while a lot of research and discussion has already taken place, this is only the beginning. For anyone truly interested in this area, don’t forget to read a lot of speculative fiction – the most bizarre-seeming ideas are probably among the ones we will be studying in years to come!

Now what?

Remember what I said about how the basic concept of MFA was relatively simple and it was the number of variations and solutions that get confusing? Well, this is where we stop avoiding rabbit-holes and peek down a few of them...

When discussing “something you have”, a connected physical token is generally considered the “gold standard”. They are designed to be as difficult as possible to duplicate, so login is virtually impossible unless you are in possession of the token, and modern ones (FIDO2/WebAuthn security keys) sign a challenge that includes the website’s origin, so a response captured by a phishing site cannot be relayed to the real one. Disconnected tokens are arguably less secure, since they do not require the physical presence of the token – just some way to view the code, which can then be typed (or phished) from anywhere. One amusing old example involved pointing a webcam at the token so that the code could be read remotely.

With soft tokens (e.g., Google Authenticator, Authy, or Okta Verify), the “something you have” is your phone, but the question becomes whether that phone – or the secret stored in it – can be copied. Soft tokens are generally considered to be less secure than hard tokens, though ANY form of MFA is vastly superior to none.

One still-common approach to MFA is to send an SMS (“Short Message Service”, aka text message) to a mobile device. Though still vastly superior to not using MFA, this is not considered “secure”, because SMS messages are not end-to-end encrypted, the device could be compromised, and the phone service itself could be compromised. This last is referred to as “SIM swapping”, where an attacker convinces the phone company to move the victim’s number to a SIM the attacker controls. (SIM = “Subscriber Identity Module” – the small chip which needs to be in a phone for it to be used.)

Stop! Too many rabbits hopping around! What does this all mean?

Let’s try to simplify by thinking of some examples.

Example 1a – Single Factor (Something you know):

Malice has managed to compromise Alice’s cat video site, and has Alice’s password. Malice can now view Alice’s cat videos and impersonate Alice at will. This is bad.

Example 1b – Multi Factor (Something you know / something you have):

Malice has managed to compromise Alice’s cat video site, and has Alice’s password. Malice enters Alice’s password and is prompted for the 6-digit code which has just been sent to Alice’s mobile device. Malice does not have that device, so Malice is stuck (unless Malice can talk Alice into reading the code out, which is exactly what a phishing call tries to do), and Alice’s cat-video collection is safe.
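Example 1b, written out as the server-side logic a cat-video site would need. This is an added example, not the article’s or any product’s code: the user table, phone number, password and the “outbox” that stands in for SMS delivery are all constructed for the demo. The point it makes beyond the prose is that a delivered 6-digit code is only a second factor if the server also expires it, caps guesses (there are only a million possible codes) and accepts it once.

```python
"""Example 1b as a server-side state machine: the password alone earns only a
code, and the code is time-limited, guess-limited and single-use.
Added example; users, phone number and the SMS outbox are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300   # a delivered code must die quickly
MAX_CODE_ATTEMPTS = 5    # only 10**6 possible codes: cap the guesses per login


@dataclass
class PendingLogin:
    code_tag: bytes          # keyed hash of the code, never the code itself
    expires_at: float
    attempts_left: int = MAX_CODE_ATTEMPTS


@dataclass
class MfaServer:
    pepper: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    users: Dict[str, Tuple[bytes, bytes, str]] = field(default_factory=dict)
    pending: Dict[str, PendingLogin] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (phone, code) "sent"

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _tag_code(self, code: str) -> bytes:
        return hmac.new(self.pepper, code.encode(), "sha256").digest()

    def register(self, user: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash_password(password, salt), phone)

    def begin_login(self, user: str, password: str, now: Optional[float] = None) -> bool:
        """Step 1, something you know. A correct password only triggers a code send."""
        now = time.time() if now is None else now
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, stored, phone = rec
        if not hmac.compare_digest(stored, self._hash_password(password, salt)):
            return False
        code = f"{secrets.randbelow(10**6):06d}"        # CSPRNG, never random.random()
        self.pending[user] = PendingLogin(self._tag_code(code), now + CODE_TTL_SECONDS)
        self.outbox.append((phone, code))                # simulated SMS to the user's phone
        return True

    def complete_login(self, user: str, code: str, now: Optional[float] = None) -> bool:
        """Step 2, something you have. Bounded lifetime, bounded attempts, single use."""
        now = time.time() if now is None else now
        p = self.pending.get(user)
        if p is None or now > p.expires_at:
            self.pending.pop(user, None)
            return False
        p.attempts_left -= 1
        ok = hmac.compare_digest(p.code_tag, self._tag_code(code))
        if ok or p.attempts_left <= 0:
            del self.pending[user]   # consumed on success, locked out after too many guesses
        return ok


def demonstrate() -> Dict[str, bool]:
    server = MfaServer()
    password = "correct horse battery staple"            # constructed credential
    server.register("alice", password, "+1-555-0100")    # constructed phone number
    results: Dict[str, bool] = {}

    # Malice has Alice's password: step 1 succeeds, but the code goes to Alice's phone.
    results["malice_passes_password_step"] = server.begin_login("alice", password)
    real_code = server.outbox[-1][1]
    # Malice guesses. The list skips the real code only so the demo is deterministic.
    guesses = [g for g in ("000000", "123456", "111111", "999999", "654321", "000001")
               if g != real_code][:MAX_CODE_ATTEMPTS]
    results["malice_guesses_rejected"] = not any(server.complete_login("alice", g) for g in guesses)
    results["malice_locked_out"] = not server.complete_login("alice", real_code)  # too late

    # Alice logs in: password, then the code from her own phone, used once.
    server.begin_login("alice", password)
    code = server.outbox[-1][1]
    results["alice_succeeds"] = server.complete_login("alice", code)
    results["code_not_reusable"] = not server.complete_login("alice", code)

    # A code that sat around too long is refused.
    t0 = 1_700_000_000.0                                  # constructed timestamp
    server.begin_login("alice", password, now=t0)
    stale = server.outbox[-1][1]
    results["expired_code_rejected"] = not server.complete_login(
        "alice", stale, now=t0 + CODE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {ok}")
```

Note what the server never does: it never tells Malice whether the password was right before the code step is complete in a way that differs from a wrong password, and it never keeps the plaintext code in its own store, so a leaked database does not hand out live second factors.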

Example 2a – Single Factor (Something you have):

Alice has a locker with a keyed lock. Malice can either steal the key or copy it, and then access Alice’s locker at will. This is bad.

Example 2b – Multi Factor (Something you have / something you know):

Alice has a locker with both a keyed lock and a numeric keypad. Malice has copied Alice’s key, but can’t open the locker without knowing the PIN. Malice is stuck, and Alice’s locker is safe.

It should be noted that no authentication factor is perfect, so MFA is best considered a layered defence that raises the bar for an attacker. If Malice is a “script kiddie”, Alice is pretty safe, but if Malice is a nation-state actor specifically targeting Alice, it’s a very different game. That said, consider that we live in houses with doors and windows, not bunkers with steel gates, barbed wire, and bullet-proof windows.

Even so, the harder we can make something for any attacker, the better.

Example 3 – High risk – Multi Factor (Something you know / something you have / something you are):

Alice is a reporter investigating government corruption in a country with a high death rate among reporters. In order to access a global news service, Alice plugs in a connected token and unlocks it with a fingerprint (something you have / something you are), then enters a password (something you know).

If Malice catches Alice in possession of the connected token and can compel entry of the password (e.g., with a crowbar), all bets are off. But if Malice captures Alice but not the token, or the token but not Alice, the account cannot be accessed.

How likely is that last scenario, though? Not very, for the vast majority of us.

So, in general, we should take advantage of any security tools available to us. Some will say that “second factor using SMS” is insecure, but that’s a relative thing. In fact, according to one post by Microsoft, an account is more than 99.9% less likely to be compromised if MFA is enabled – that’s pretty good, I think.

Without going into a vast analysis of the relative effectiveness of different forms of MFA, it is clear that ANY form of MFA is superior to none. Use it. Most services now offer it.

Then, if you want more, and it’s available, go with more: download a soft-token app, set up your mobile phone as a connected token, get a hard token, and so on.

But start with MFA.



