Multi-factor authentication (MFA)
Author: Fluent Commerce
Changed on: 24 Jan 2024
Overview
Multi-factor authentication (MFA) requires a digital user to present at least two pieces of evidence to prove their identity. Each piece of evidence must come from a different category: something they know, something they have, or something they are.
Traditionally, authentication mechanisms or factors have been categorized as belonging to one of three groups:
- Something you know (for example, a password or a PIN).
- Something you have (for example, a mobile phone or a token).
- Something you are (for example, a fingerprint or other biometric data).
Best practice MFA goes beyond simple two-factor authentication (2FA) by requiring a user to authenticate with two or more factors drawn from different categories (e.g., a “something you know” combined with a “something you have”). Requiring factors from different categories reduces the likelihood that an impostor who has compromised one factor, such as a password, can gain access.
Key points
- MFA Categories: OTPs, delivered through various means, offer time-limited codes that are effective against online attacks.
- OTP Options: SMS, Voice, Email, and Application/Soft Tokens provide versatile MFA choices.
- Authentication Methods: Mobile Apps, Authentication App (TOTP), Email, and SMS come with specified security settings for password limits, block duration, and passcode refresh.
Supported MFA Categories
- One-time Passcodes (OTP): One-time passcodes are the most popular additional security factor today, in part because they can be delivered in a wide variety of ways to meet user needs. This possession factor requires the user to receive the OTP and enter it into an application, proving that the user owns or controls the device or channel through which the OTP was delivered. OTPs are time-limited, and servers can restrict the number of times a user may attempt to enter the correct OTP, making them an effective defense against the online credential stuffing attacks used to compromise passwords.
- SMS OTP: SMS OTP is delivered via SMS to a user’s mobile phone. The SMS OTP option has the advantage of not requiring the user to own a modern smartphone that supports mobile applications.
- OTP via Voice: Voice OTP delivery happens via a phone call to a number already associated with the user.
- OTP via Email: OTP delivered via email is a viable second factor. It requires the user to switch from the application they are authenticating to into their email application and either remember the OTP code or copy and paste it into the authenticating application. Because of these limitations, email-based OTP is typically used to reset forgotten passwords: the user proves they own the email account by responding to a time-limited link within the email.
- OTP Application/Soft Tokens: OTP applications, or soft tokens, are a software-only variant of RSA/OATH hardware tokens. They use the same interface as the hard tokens so that a single server-side implementation can support both hard and soft tokens. The software provides a rolling series of OTPs and can run as a mobile or desktop application.
Allowed Authentication methods
| Authentication method | Password Failure Limit | Block Duration | Passcode Refresh Duration | Passcode Lifetime |
| --- | --- | --- | --- | --- |
| Mobile Applications | 3 | 2 minutes | 30 seconds | Not available |
| Authentication App (TOTP) | 3 | 2 minutes | Not available | Not available |
| Email | 3 | 0 minutes | Not available | 30 minutes |
| SMS | 3 | 0 minutes | Not available | 30 minutes |
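The settings in the table above (failure limit, block duration and passcode lifetime) are what make OTPs resistant to online guessing, as the OTP section explains. The following is an added illustration of how a server can enforce them; it is example code, not Fluent Commerce's implementation, and the policy names, result strings and the reading of "0 minutes" as "no lockout, a new passcode may be requested immediately" are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class MethodPolicy:
    failure_limit: int               # wrong attempts allowed before the passcode is invalidated
    block_seconds: int               # lockout before a new passcode may be requested
    lifetime_seconds: Optional[int]  # None: no server-side lifetime listed ("Not available")

# Values taken from the table above; the dictionary keys are constructed names.
POLICIES = {
    "totp": MethodPolicy(failure_limit=3, block_seconds=120, lifetime_seconds=None),
    "email": MethodPolicy(failure_limit=3, block_seconds=0, lifetime_seconds=30 * 60),
    "sms": MethodPolicy(failure_limit=3, block_seconds=0, lifetime_seconds=30 * 60),
}

class OtpVerifier:
    """Server-side state for one user's pending passcode under one method's policy."""

    def __init__(self, method: str, clock: Callable[[], float]):
        self.policy = POLICIES[method]
        self.clock = clock            # injected so expiry and lockout are testable offline
        self.code: Optional[str] = None
        self.issued_at = 0.0
        self.failures = 0
        self.blocked_until = 0.0

    def issue(self, code: str) -> bool:
        """Store a freshly delivered passcode; refused while the user is locked out."""
        if self.clock() < self.blocked_until:
            return False
        self.code, self.issued_at, self.failures = code, self.clock(), 0
        return True

    def verify(self, submitted: str) -> str:
        now = self.clock()
        if now < self.blocked_until:
            return "blocked"
        if self.code is None:
            return "no_passcode"
        if self.policy.lifetime_seconds is not None and now - self.issued_at > self.policy.lifetime_seconds:
            self.code = None
            return "expired"
        if hmac.compare_digest(self.code, submitted):   # constant-time comparison
            self.code = None                            # a passcode is single use
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.failure_limit:
            self.code = None                            # invalidate after the limit
            self.blocked_until = now + self.policy.block_seconds
            return "limit_reached"
        return "wrong"
```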