The Evolution of Multi-Factor Authentication

Multi-factor authentication has improved significantly over the years. Additional verification methods started with 2FA, evolved into MFA, and have reached their latest form in PMFA.

From hardware tokens to biometrics: the evolution of MFA

Security incidents are increasingly prevalent in everyday news, and no industry is spared from data breaches. Attackers are not focused on big businesses only: on average, two thirds of mid-size companies experience credential theft attempts every year.

Why does this happen?

Since the 1960s, passwords have been the main means of authentication. Relying on passwords alone is now outdated and has proven to be a pain for several reasons:

  • they are not user friendly
  • they are a hassle and can be quite expensive to manage
  • most importantly, they are a perfect opportunity for attackers to infiltrate organizations

However, times are changing. What might have seemed like science fiction decades ago is now gaining real traction among organizations. Consider the advantages of using multi-factor authentication.

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication, or MFA, is an additional security step that requires several different factors to verify the identity of a user when authenticating online. This security method is usually based on the following types of verification:

  • Something the user knows: a username and password, a PIN or a security question
  • Something the user has: a smartphone or physical token
  • Something the user is: biometrics such as fingerprint, facial or voice recognition, or iris scan
  • Somewhere the user is: some specific location based on a device network or GPS signal

Two-Factor Authentication (2FA)

One of the oldest two-factor authentication (2FA) methods is the hardware token. It usually comes in the shape of a key fob that displays a freshly generated one-time password. When the user presses a button on the small device, it shows a series of digits (usually valid only for a short period of time), which then has to be typed into the application or resource to gain access. However, this type of token has lost support among companies, since deactivating it can be a burden once an employee loses the key fob or leaves the job.

Smartphones step in

Here is a common example: after the user enters their sign-in information (username and password) on a platform, an SMS is sent to the phone number they registered earlier. This message contains a secret code that the user has to type in to finish the sign-in process. This second step adds another layer of security on top of the easily compromised username/password combination.

This phone-as-token method is an important step in the right direction. It is based on something the user possesses, in this case a phone. Still, it is not sufficient: just like knowledge-based protection (a password or a PIN), possession can be transferred. What if the smartphone gets stolen? Another problem is that SMS messages and phone calls are too easy to redirect to a different device (a SIM swap), after which the code can be intercepted.

This leads us to the last and most important factor in the authentication process: using something that the user is.
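The server side of the SMS flow described above has its own defender's concerns that the paragraph does not spell out: the code must expire quickly, survive only a handful of guesses, be unusable after a success, and never be stored in the clear. The following is an added example (not code from the original article or from any particular vendor) of an OTP issue-and-verify store that enforces those rules; the class name, the constants and the injectable `now` clock are this example's own choices, and the SMS gateway call is left as a comment because sending is outside the scope of the check.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # example policy values, not from the article
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class SmsOtpStore:
    """Issue one pending code per user and verify it with expiry and attempt limits."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock so expiry can be tested offline
        self._pending = {}               # user_id -> {"hash", "expires", "attempts"}

    @staticmethod
    def _hash(user_id: str, code: str) -> bytes:
        # Store only a digest bound to the user, so a leaked table reveals no usable codes.
        return hashlib.sha256(f"{user_id}:{code}".encode()).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code; the caller hands it to the SMS gateway. Re-issuing replaces the old one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = {
            "hash": self._hash(user_id, code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # sms_gateway.send(phone_number_for(user_id), code)   <- delivery happens here
        return code

    def verify(self, user_id: str, candidate: str) -> tuple[bool, str]:
        """Return (accepted, reason). Any terminal outcome discards the pending code."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False, "no_pending_code"
        if self._now() > entry["expires"]:
            del self._pending[user_id]
            return False, "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]           # force a new code rather than allow brute force
            return False, "too_many_attempts"
        if hmac.compare_digest(self._hash(user_id, candidate), entry["hash"]):
            del self._pending[user_id]           # single use: a code never verifies twice
            return True, "ok"
        return False, "mismatch"


if __name__ == "__main__":
    store = SmsOtpStore()
    code = store.issue("alice")                  # constructed user id
    print("wrong guess:", store.verify("alice", "000000"))
    print("right code:", store.verify("alice", code))
    print("replayed code:", store.verify("alice", code))
```

The reason strings let the calling login handler log the failure mode (expired versus brute-force versus replay) without ever writing the code itself to the log, which is what a detection pipeline wants to see when an account is being probed.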

Benefits of biometrics

So the password can be stolen and SMS or token verification can be compromised, which is why a further factor is added: biometrics (facial recognition or a fingerprint). It relies on the user's unique biological characteristics, so the sign-in can only succeed when the authorized user is present. With biometric authentication as a third security step, it becomes extremely hard for attackers to gain access to corporate applications. On top of that, there is no need to spend time entering long passcodes or PINs, so it is also a lot quicker. And it is mobile: enterprise workers can access systems safely while working outside the office, from multiple locations.

Passwordless MFA (PMFA)

Now, what if you get rid of passwords completely but still keep MFA? This is called passwordless multi-factor authentication, or PMFA.

This solution provides a simple sign-in using a smartphone application. Thanks to biometrics, there is no need for passwords, usernames, PINs, 2FA apps or hardware tokens to authenticate online securely: all you need is a mobile device with the app installed and your email address.
