Multi-factor authentication (MFA)

Essential knowledge

Author:

Fluent Commerce

Changed on:

24 Jan 2024

Overview

Multi-factor authentication (MFA) is used to ensure that digital users provide at least two pieces of evidence to prove their identity. Each piece of evidence must come from a different category, something they know, have, or something they are.

Traditionally, authentication mechanisms or factors have been categorized as belonging to one of three groups:

Something you know (for example, a password or a PIN).
Something you have (for example, a mobile phone or a token).
Something you are (for example, a fingerprint or other biometric data).

In best practice, though, MFA goes beyond 2FA by requiring a user to authenticate via two or more authentication factors from different categories (e.g., a “something you know” combined with a “something you have”). The goal of having two or more authentication factors from different categories is to reduce the likelihood of an impostor gaining access.

Key points

MFA Categories: OTP, delivered through various means, offer time-limited codes effective against online attacks.
OTP Options: SMS, Voice, Email, and Application/Soft Tokens provide versatile MFA choices.
Authentication Methods: Mobile Apps, Authentication App (TOTP), Email, and SMS come with specified security settings for password limits, block duration, and passcode refresh.

Supported MFA Categories

One-time Passcodes (OTP) One-time passcodes are the most popular additional security factor today, in part because they can be delivered in a wide variety of ways to meet user needs. This possession factor enables the user to receive the OTP and enter it into an application, proving that the user owns or controls the device or method of OTP delivery. OTPs are time-limited, and servers can restrict the number of instances a user can attempt to enter the correct OTP, making it an effective defense against the online credential stuffing attacks used to compromise passwords.
SMS OTP SMS OTP is delivered via SMS to a user’s mobile phone. SMS OTP option has the advantage of not requiring a user to own a modern smartphone that supports mobile applications.
OTP via Voice Voice OTP delivery happens via phone call to a number already associated with a user.
OTP via Email OTP delivered via email is a viable second factor. It requires the user to switch to their email application from whatever application they were authenticating to and either remember the OTP code or copy and paste it into the authenticating application. Because of these limitations, email-based OTP is typically used to reset forgotten passwords. The user can prove they own the email account by responding to a time-limited link within the email.
OTP Application/ Soft Tokens OTP Application/Soft Tokens are a software-only variant of the RSA/OATH tokens. They use the same interface as the hard tokens so that a single server-side implementation can leverage both hard and soft tokens. The software provides a rolling series of OTPs and can run as a mobile or desktop application.

Allowed Authentication methods

Mobile Applications	Password Failure Limit	Block Duration	Passcode Refresh Duration	Passcode Lifetime
Mobile Applications	3	2 minutes	30 seconds	Not available
Authentication App (TOTP)	3	2 minutes	Not available	Not available
Email	3	0 minutes	Not available	30 minutes
SMS	3	0 minutes	Not available	30 minutes

Fluent Commerce

Copyright © 2024 Fluent Retail Pty Ltd (trading as Fluent Commerce). All rights reserved. No materials on this docs.fluentcommerce.com site may be used in any way and/or for any purpose without prior written authorisation from Fluent Commerce. Current customers and partners shall use these materials strictly in accordance with the terms and conditions of their written agreements with Fluent Commerce or its affiliates.

Multi-factor authentication (MFA)

Overview

Key points

Supported MFA Categories

Allowed Authentication methods

Fluent Commerce

Building Blocks

By Type

Helpful Resources

Quick Links