Multi-Factor Authentication (MFA)

From PiRho Knowledgebase
Jump to navigationJump to search

Summary: Multi-Factor Authentication (MFA) is a security mechanism that requires users to present two or more independent forms of authentication before access is granted. MFA significantly reduces the risk of compromise caused by stolen passwords and has become a fundamental component of modern identity and access management strategies.

Context

For many years, usernames and passwords were the primary method of authentication. While simple and widely supported, passwords alone suffer from numerous weaknesses including phishing, password reuse, credential stuffing, brute force attacks, and accidental disclosure.

MFA addresses these weaknesses by requiring additional evidence that the user is who they claim to be.

A successful MFA implementation can greatly reduce the likelihood that a compromised password alone will result in unauthorized access.

Real-World Usage

MFA is commonly used for:

  • Microsoft 365
  • Cloud services
  • Virtual Private Networks (VPNs)
  • Remote Desktop Services (RDS)
  • Administrative accounts
  • Banking platforms
  • Customer portals
  • Privileged infrastructure access

Common Misconceptions

  • MFA makes systems impossible to compromise.
  • MFA only applies to cloud platforms.
  • SMS-based MFA is always secure.
  • MFA eliminates the need for strong passwords.
  • MFA is only required for administrators.

In reality, MFA significantly increases security but remains one layer within a broader defence strategy.

Typical Failure Points

  • Users enrolling incorrect devices.
  • Lost or replaced mobiles.
  • Poor recovery procedures.
  • Legacy applications that cannot perform modern authentication.
  • Overreliance on SMS authentication.
  • MFA fatigue attacks.

Core Concepts

Authentication Factors

Authentication factors are traditionally divided into categories:

Something You Know

Knowledge-based factors include:

  • Passwords
  • PIN numbers
  • Security phrases

Something You Have

Possession-based factors include:

  • Mobile authentication applications
  • Hardware tokens
  • Smart cards
  • FIDO2 security keys

Something You Are

Biometric factors include:

  • Fingerprints
  • Facial recognition
  • Iris recognition
  • Voice recognition

Multi-Factor vs Two-Factor Authentication

Two-Factor Authentication (2FA) requires two distinct factors.

Multi-Factor Authentication extends this concept and may require multiple independent factors depending on policy, risk level, location, or device trust.

All 2FA implementations are MFA, but not all MFA implementations are limited to two factors.

Core Authentication Methods

SMS One-Time Passcodes

The user receives a temporary verification code by text message.

Advantages:

  • Simple deployment
  • No application installation required

Disadvantages:

  • Vulnerable to SIM-swap attacks
  • Dependent on mobile coverage
  • Less secure than modern alternatives

Authenticator Applications

Applications generate time-based one-time passcodes (TOTP).

Examples include:

  • Microsoft Authenticator
  • Google Authenticator
  • Authy

Advantages:

  • More secure than SMS
  • Works offline
  • Simple user experience

Push Notifications

The user receives an approval request on a registered device.

Advantages:

  • User friendly
  • Fast authentication process

Disadvantages:

  • Vulnerable to MFA fatigue attacks if poorly configured

Hardware Security Keys

Physical authentication devices based on standards such as FIDO2 and WebAuthn.

Advantages:

  • Resistant to phishing
  • Strong cryptographic protection
  • No reliance on cellular networks

Disadvantages:

  • Hardware cost
  • Device management requirements

Smart Cards and Certificates

Widely used in government, healthcare, military, and enterprise environments.

Authentication is based upon possession of a certificate and associated private key.

Practical Application

Small Business Deployment

A typical deployment may require:

  • Password
  • Mobile authenticator application
  • Recovery methods

This provides substantial protection with minimal infrastructure requirements.

Enterprise Deployment

Larger organizations often combine:

  • Conditional Access policies
  • Device compliance checks
  • MFA enforcement
  • Identity protection systems
  • Privileged access controls

Access decisions become risk-based rather than relying solely on static credentials.

Administrative Accounts

Administrative accounts should always be protected by MFA.

Recommended approaches include:

  • Hardware security keys
  • Certificate-based authentication
  • Dedicated administrative accounts
  • Privileged access workstations

Common Pitfalls

Treating MFA as a Silver Bullet

MFA is highly effective but does not prevent:

  • Malware infections
  • Session hijacking
  • Insider threats
  • Compromised endpoints

Weak Recovery Processes

Many organizations secure authentication but leave account recovery procedures vulnerable.

Examples include:

  • Helpdesk password resets without verification
  • Shared recovery email addresses
  • Uncontrolled break-glass accounts

MFA Fatigue Attacks

Attackers repeatedly trigger authentication prompts hoping users will eventually approve one.

Mitigations include:

  • Number matching
  • Geographic verification
  • User training
  • Risk-based sign-in controls

Legacy Systems

Older applications may rely on:

  • Basic authentication
  • POP3
  • IMAP
  • Legacy APIs

These systems often require modernization before MFA can be fully implemented.

Design & Architecture Considerations

Security

Prioritize phishing-resistant authentication where possible.

Preferred order:

  1. FIDO2 Security Keys
  2. Certificate-Based Authentication
  3. Authenticator Applications
  4. SMS Authentication

Scalability

Consider:

  • Enrollment processes
  • Device lifecycle management
  • Self-service registration
  • Self-service password reset

Maintainability

Successful deployments require:

  • Documented procedures
  • User training
  • Disaster recovery planning
  • Recovery code management

Backwards Compatibility

Some environments must support legacy systems temporarily.

Where modernization is not immediately possible:

  • Isolate legacy systems
  • Restrict network access
  • Monitor authentication activity
  • Plan migration away from legacy protocols

Troubleshooting & Diagnostics

User Cannot Receive Authentication Prompt

Check:

  • Device registration status
  • Internet connectivity
  • Authenticator application health
  • Notification permissions

User Replaced Their Mobile Device

Verify:

  • Recovery methods exist
  • Secondary authentication factors are available
  • Enrollment process is documented

Authentication Works for Some Services Only

Investigate:

  • Conditional Access policies
  • Legacy authentication usage
  • Application compatibility
  • Federation configuration

Unexpected MFA Challenges

Review:

  • User location
  • Device trust state
  • Risk policies
  • Recent identity protection alerts

Architectural Overview

+------------------+
| User             |
+--------+---------+
         |
         v
+------------------+
| Identity System  |
| (Azure AD / IdP) |
+--------+---------+
         |
         v
+------------------+
| Password Check   |
+--------+---------+
         |
         v
+------------------+
| MFA Challenge    |
| Push / Token     |
| Key / Biometrics |
+--------+---------+
         |
         v
+------------------+
| Access Granted   |
+------------------+

Best Practices

  • Enforce MFA for all users.
  • Require stronger methods for privileged accounts.
  • Use phishing-resistant authentication where possible.
  • Disable legacy authentication protocols.
  • Implement Conditional Access policies.
  • Test account recovery procedures regularly.
  • Monitor sign-in logs and authentication anomalies.
  • Educate users about phishing and MFA fatigue attacks.

Related Topics

References

  • FIDO2 Specifications
  • WebAuthn Standards
  • NIST Digital Identity Guidelines
  • Microsoft Entra ID Documentation
  • RFC 6238 (Time-Based One-Time Password Algorithm)