Authentication is the process of establishing that an entity is who they claim to be at a point in time. It is normally based on verifying one or more security credentials assigned to a user the first time they signed up to a service.

Before security credentials (authentication factors) are assigned to a user, the user has to prove her identity, for example by demonstrating ownership of an email address or a phone number. This process is called identification.

After identifying the user, an access credential is assigned to the user or, in most cases, the user is allowed to choose one, for example a password.

The user identity (e.g. email address) is used to identify them in the database, while the access credential (authentication factor) is used to ensure that the user is actually the one trying to access the service at that point in time.

If the user is only required to provide one access credential to access the service, for example a password, it is called Single Factor Authentication (SFA).

If more than one access credential is required, for example a password and a one-time code (usually sent via SMS or email, or generated by an app), it is called 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).

2FA vs MFA 

With 2FA, exactly two different access credentials are required, and in most cases the second factor is provided after the first. For example, to log in to a website you are required to enter a password (first factor); if the entered password is correct, you are then asked to enter, say, an SMS code sent to your mobile phone. If the password is not correct, the user will not receive an SMS code, because in this example the code is only sent after the password has been verified to be correct. Whether the first factor is verified before the second is requested depends solely on the implementation.
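The password-then-SMS-code flow described above, as an added example that is not part of the original post: the one-time code is generated only after the password verifies, it expires, and it is consumed on its first use. The in-memory user store, the account name and the password are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000   # PBKDF2 work factor for the stored password hash
CODE_TTL = 300         # seconds a one-time code stays valid

def make_user(password):
    """Constructed example record: a salted PBKDF2 hash, never the clear-text password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}

# Constructed in-memory user store and pending second-factor challenges (not a real database).
USERS = {"alice@example.com": make_user("correct horse battery staple")}
PENDING = {}  # email -> (code, expiry timestamp)

def verify_password(email, password):
    """First factor (knowledge). Does the same hashing work for unknown accounts so timing is uniform."""
    user = USERS.get(email)
    salt = user["salt"] if user else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return user is not None and hmac.compare_digest(candidate, user["pw_hash"])

def first_factor(email, password, now=None):
    """Step 1: a one-time code is generated only after the password verifies."""
    if not verify_password(email, password):
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    now = time.time() if now is None else now
    PENDING[email] = (code, now + CODE_TTL)
    return code  # in a real deployment this is delivered out of band (SMS, email, app)

def second_factor(email, code, now=None):
    """Step 2 (possession): the code must match, be unexpired, and is consumed on first use.
    A wrong guess also consumes it, so one challenge cannot be guessed at repeatedly."""
    entry = PENDING.pop(email, None)
    if entry is None:
        return False
    expected, expiry = entry
    now = time.time() if now is None else now
    if now > expiry:
        return False
    return hmac.compare_digest(expected.encode(), code.encode())
```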

For an authentication method to be regarded as MFA, more than one factor must be involved: it can be two different factors, three factors and so on. An example of this is entering a PIN or passcode in a mobile application to unlock the application and generate a one-time password (OTP). Here, the PIN makes the mobile application usable, and as a result an OTP is displayed to the user. The PIN code (knowledge factor) unlocks the mobile application, the OTP is the possession factor, and the smartphone itself can also be used to achieve a third factor (a contextual factor). This assures the website owner that whoever entered the OTP must know the PIN code and be in possession of the smartphone. In this example, three different factors (knowledge, possession and contextual) were used.

The PIN code is referred to as a knowledge factor, while the OTP is known as a possession factor. Together they prove that the user is in possession of the software (which holds the shared secret key) and is in control of it, since she has knowledge of the PIN code needed to generate the OTP.

MFA can be performed using a single authenticator that requires more than one factor, or by a combination of authenticators. In the example above, a single authenticator was used.

According to the NIST Digital Identity Guidelines, “A multi-factor authenticator requires two factors to execute a single authentication event.”

The most common authentication factors are:

  • Knowledge, e.g. a password
  • Possession, e.g. a smartphone
  • Inherence, e.g. a fingerprint biometric

For Single Factor Authentication, any one of them is enough, whereas a combination of two or more of the factors is required for Multi-Factor Authentication.
