03. Multi-Factor Authentication (MFA)

Introduction

Multi-Factor Authentication (MFA) is a security method in which a user must use multiple verification factors to gain access to a system, application, or network. This significantly reduces the risk of unauthorized access, as an attacker needs more than just a password to compromise an account.

How does MFA work?

MFA requires at least two of the following verification factors:

  1. Something you know → Password, PIN, or security question.
  2. Something you have → Authenticator app, smart card, token, or SMS code.
  3. Something you are → Fingerprint, facial recognition, or voice recognition.

In an MFA login the primary factor (usually a password) is checked first, and the user must then complete a second, independent factor before access is granted.

Why is MFA important?

  • Stronger security: An attacker who only has the password cannot log in.
  • Protection against credential phishing: A stolen password alone is not enough. Note that one-time codes and push approvals can still be phished in real time by a proxy site that relays them; only FIDO2/WebAuthn is phishing-resistant.
  • Required for compliance: NIS2 explicitly lists multi-factor authentication among the required security measures, and GDPR requires "appropriate technical and organisational measures", for which MFA on access to personal data is the accepted baseline.
  • Limits the impact of data breaches: Credentials leaked from one breach do not give access on their own, because an additional verification step is still required.

Different types of MFA

1. Authenticator apps

Users receive a one-time code (TOTP) via an app such as:

  • Microsoft Authenticator
  • Google Authenticator
  • Authy
  • Duo Mobile

The code is derived from a secret shared at enrollment and the current time, so it expires after a short interval (typically 30 seconds) and never travels over the mobile network, which makes it safer than SMS codes. It is still not phishing-resistant: a user can be tricked into typing a live code into a fake login page that forwards it to the real site immediately.
2. Physical tokens and smart cards

  • Hardware tokens → A small device that generates unique codes.
  • Smart cards → Physical cards with a chip, often used in corporate environments.

3. Biometric authentication

  • Fingerprint
  • Facial recognition (e.g., Windows Hello, Apple Face ID)
  • Voice recognition

Biometrics are user-friendly, but not fully reliable: sensors can be spoofed, and unlike a password a biometric cannot be changed once it leaks. In most systems the biometric unlocks a key stored on the device rather than being sent to the server.

4. SMS or e-mail codes

A one-time code is sent to a phone number or e-mail address. Although better than no MFA, SMS codes are vulnerable to SIM swapping and interception, and both SMS and e-mail codes can be phished like any other typed code.

5. Push notifications

A notification is sent to a device (e.g., Microsoft Authenticator or Duo Security) and the user approves or denies it. This removes the code a user could type into a phishing page, but it is exposed to "MFA fatigue" (push bombing): an attacker who already has the password triggers prompts until the user approves one by mistake. Enable number matching, which makes the user enter the number shown on the login screen, so a blind approval is not possible.

6. FIDO2 and WebAuthn

Strong, phishing-resistant authentication: the authenticator signs a server challenge together with the website origin the browser actually connected to, so a credential registered for the real site cannot be used from a lookalike domain, even through a live proxy. Authenticators include:

  • YubiKeys
  • Windows Hello
  • Passkeys (Apple/Google/Microsoft)
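The following Python, added here as an illustration and not code from the original page or from any FIDO2 product, shows the relying-party checks that give WebAuthn its phishing resistance. The relying party `example.com`, its allowed origins, the lookalike domain and the assertion contents are all constructed; the example builds the `clientDataJSON` and `authenticatorData` structures as a browser and authenticator would return them and then verifies the bindings. The final public-key signature check over `authenticatorData || SHA-256(clientDataJSON)` is deliberately left out, because a phished assertion would carry a perfectly valid signature; it is the origin, rpIdHash and challenge bindings that defeat the proxy.

```python
import base64
import hashlib
import json
import struct

# Hypothetical relying party; names constructed for this example.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes, sign_count: int = 7) -> dict:
    """Simulate what browser + authenticator hand back in a get() ceremony.
    The *browser* fills in `origin` and derives `rp_id` from it; page script
    cannot override either, so a phishing site at a lookalike domain produces
    an assertion bound to its own origin and rpIdHash."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                 + bytes([FLAG_UP | FLAG_UV])               # flags (1 byte)
                 + struct.pack(">I", sign_count))           # signCount (4 bytes)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes, last_sign_count: int = 0):
    """Relying-party verification steps from the WebAuthn spec (signature
    check omitted, see lead-in). Returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    ad = assertion["authenticatorData"]
    if len(ad) < 37:
        return False, "authenticatorData too short"
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad[32] & FLAG_UP:
        return False, "user presence not asserted"
    sign_count = struct.unpack(">I", ad[33:37])[0]
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real RP draws this randomly per login
    legit = make_assertion("https://login.example.com", "example.com", challenge)
    phish = make_assertion("https://login-examp1e.com", "login-examp1e.com", challenge)
    print("legitimate:", verify_assertion(legit, challenge))
    print("phishing  :", verify_assertion(phish, challenge))
```

In practice the phishing attempt fails even earlier: the authenticator will not find a credential scoped to `login-examp1e.com`, so it never produces an assertion at all. The relying-party checks above are the defence in depth for the case where it does.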

Disadvantages of MFA

  • User friction: An extra step during login.
  • Device dependency: A lost or replaced phone locks the user out unless recovery codes or a backup factor were enrolled.
  • Costs and implementation: Hardware tokens or smart cards require investment in devices and support processes.

Best practices for MFA

  • Use authenticator apps or FIDO2 keys instead of SMS codes.
  • Enable MFA for critical systems and cloud accounts.
  • Combine MFA with Single Sign-On (SSO) for a better user experience.
  • Use adaptive MFA: additional verification for suspicious behavior (such as logging in from an unknown device).

Conclusion

MFA is an essential security measure that significantly reduces the risk of account takeover. Although it adds an extra step for users, the benefits far outweigh the drawbacks. The most secure methods are FIDO2/WebAuthn (security keys and passkeys), which resist phishing, followed by authenticator apps; biometrics are best used to unlock one of these on the device.