Cybersecurity in Plain English: What is MFA?

Multi-Factor Authentication can be confusing for those who haven’t used it regularly before, and that leads to lots of questions like “What the heck is MFA, and why should I use it?” Let’s dig into that topic and demystify something that is becoming part of our daily lives more and more often.

Multi-Factor Authentication (MFA) is, for the most part, exactly what it says on the tin: in order to log in, a user must satisfy challenges built on more than one kind of evidence, whether that is a piece of information, a physical device, a biometric trait, or some combination of these. If your bank has ever told you to type in the code it just emailed you before you could log in, you have experienced an MFA challenge, but not all such challenges are quite as visible. Simply stated, an MFA challenge requires a user to present more than one security factor before they are allowed to access something. Keep in mind that your username and password, while being two bits of data, are just one factor for authentication (both are things you know), so it is best to treat them as a single item to keep things simple as we explore.

Factors in authentication (the process by which a system confirms you are who you say you are) are generally broken down into three types:

Something you know: This includes things like your username and password combination. While they are preferably unique to you, it is entirely possible for someone else to know them, either because you chose something common that another person also picked or guessed, or because your data was leaked or stolen. Security questions (“What is your mother’s maiden name,” etc.) are also considered something you know in most security contexts, and they are a weak example of it, since the answers are often discoverable from public records or social media.

Something you are: Biometric data is used to prove who you are because it is, at least in theory, unique to you. This factor can include things like your fingerprint, a detailed map of the contours of your face, the pattern of blood vessels in your retina, and so on. While biometric data is difficult to steal or fake, it cannot be changed the way a password can if a copy does leak, so storing it brings privacy issues (well-designed systems keep the biometric template on the device rather than on a server), and capturing and reading it accurately can be challenging for a lot of devices.

Something you have: Tokens that you have physical and/or digital control of can prove who you are, either by showing information the token displays or by presenting the device itself. Tokens can be stolen, but combined with another factor they are a great way to show a system that you are really you. Some tokens generate one-time passcodes on a physical key-fob or in an app on your phone, using a secret that was shared with the service when the token was set up. Others, such as smart cards and hardware security keys, answer a challenge from the reader over near field communication (NFC) or USB, for instance when you hold your phone or a smart-card near a reader. In some cases, your laptop/desktop/phone itself can be this factor: by looking at signals like geo-location, installed software and the networks it connects to, an authentication system can judge that the machine is one known to be used by you. Strictly speaking, those signals establish device trust rather than possession of a registered token, so they are normally used to decide how often to challenge you rather than to replace a factor outright.

MFA is simply the use of at least two of these factor types in each login/access event. For example, when you log into a website, the site may ask for a username and password and then send a one-time passcode to your phone via text message. You type the code from the phone (something you have) into the site after you have entered your password (something you know) to gain access as that user. Apple devices like iPhones/iPads have used biometrics as a factor for some time (Touch ID and Face ID), and Windows does the same for laptops and desktops (Windows Hello); in those cases the biometric unlocks a credential stored on the device, so the login combines something you are with something you have.

Why are you seeing MFA used more and more often? MFA offers much better security than a username/password alone. Since the user must also provide some other proof of who they are, it becomes significantly harder for a threat actor to gain access to things they should not be able to touch. Usernames are typically easy to figure out (most systems use your email address, which is already public information), and passwords tend to be weak and easy to guess, re-used on multiple sites, stolen quite often, or any combination of the three. A username and password alone therefore just is not proof that you are who you say you are anymore, and MFA lets a system confirm your identity without relying solely on information that could be in anyone’s hands.

Not all MFA is created equal, of course. Email and SMS text-message one-time passcodes are problematic if a threat actor gains access to your email inbox, or tricks your phone service provider into re-routing your text messages to a phone they control (a technique called “SIM swapping”). Attacks like these take effort, but they do happen, so email and text validation are better than nothing, yet not the best. Authenticator apps like Microsoft Authenticator, Google Authenticator and others generate the code on your phone instead of sending it over a network, which removes the SIM-swapping problem. Keep in mind that any code you type into a web page, whether it arrived by text or came from an app, can still be captured by a convincing fake login page that passes it on to the real site while it is still valid, so the strongest options are the ones that tie the login to the genuine site, such as hardware security keys. Biometric factors are also strong, but can be difficult to use effectively: not for the user, who just taps a finger or looks into a camera, but for the technology itself. Fingerprints can read differently depending on pressure against the sensor. Facial recognition can be affected by lighting, glasses and a host of other factors. Retinal scanning requires the user to hold still and stare into a camera. Researchers and vendors keep improving these technologies, but they can still be tricky to deal with.

In the end, MFA is here to stay. Since a username/password alone is considered nearly the same as not authenticating at all these days, more and more organizations are adopting some form of MFA to let you reach company resources safely. It does not need to be difficult, however. An MFA challenge that simply shows a two-digit number on your screen and asks you to type it into the authenticator app on your phone (“number matching”) is easy, fast and effective; Microsoft and others have adopted it because it keeps things simple for users while stopping threat actors from bombarding someone with approval prompts until they tap “approve” out of habit. Using device “fingerprints” like the apps you have installed and the location the device appears to be in can reduce the total number of MFA challenges a user has to deal with each day. Combining proven defenses with evolving technologies lets MFA protect the organization without burdening users, giving better security while keeping people happy and productive.
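The number-matching flow described above, as an added example that is not part of the original post and does not represent Microsoft’s or any other vendor’s implementation: a small Python model of the server side, showing why binding each push approval to a number that only the login screen displays defeats blind “approve” taps. The PushMfaServer and PushChallenge names, the 60-second lifetime and the single-use rule are my own choices.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class PushChallenge:
    challenge_id: str      # identifies the pending login; sent to the phone
    user: str
    display_number: int    # shown ONLY on the sign-in screen, never pushed to the app
    created_at: float
    resolved: bool = False


class PushMfaServer:
    """Toy server for push-with-number-matching MFA (my own design, not a vendor's)."""

    TTL_SECONDS = 60       # a prompt left unanswered this long is dead

    def __init__(self):
        self._pending = {}  # challenge_id -> PushChallenge

    def start_login(self, user: str, now=None) -> PushChallenge:
        """Password accepted; create a push prompt and a number for the screen."""
        now = time.time() if now is None else now
        ch = PushChallenge(
            challenge_id=secrets.token_hex(8),
            user=user,
            display_number=secrets.randbelow(100),   # 00..99, fresh per login
            created_at=now,
        )
        self._pending[ch.challenge_id] = ch
        return ch

    def approve_from_app(self, challenge_id: str, typed_number, now=None) -> bool:
        """Called when the authenticator app reports the user's response.

        typed_number is None when the user tapped "approve" without being able
        to see (and type) the number, which is what a fatigued victim of an
        attacker's prompt-spam would do.  A wrong or missing number burns the
        challenge, so there is no second guess.
        """
        now = time.time() if now is None else now
        ch = self._pending.get(challenge_id)
        if ch is None or ch.resolved:
            return False                  # unknown or already used: single-use only
        ch.resolved = True                # every answer consumes the challenge
        if now - ch.created_at > self.TTL_SECONDS:
            return False                  # stale prompt
        return typed_number is not None and typed_number == ch.display_number


if __name__ == "__main__":
    server = PushMfaServer()
    ch = server.start_login("alice")
    print("login screen shows:", f"{ch.display_number:02d}")
    print("blind approve accepted?", server.approve_from_app(ch.challenge_id, None))
```

The attacker who triggered the prompt can see the number on their own screen, but the victim, whose phone only shows “approve / deny”, cannot, so spamming prompts no longer works; the victim would have to be talked into typing a number the attacker reads out, which is a much harder social-engineering ask than a reflex tap.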
