Soren Learning

Chapter 10

MFA / 2FA — Adding a Layer of Protection Beyond Passwords

SecurityMFA2FAAuthenticationZeroTrust
Listen to this article

I. Core Definitions

  • Two-Factor Authentication (2FA): A security protocol that requires exactly two distinct forms of identification before granting access to a system. It modifies traditional password-only systems by adding a single extra layer of protection.
  • Multi-Factor Authentication (MFA): Takes the concept of 2FA further by requiring two or more authentication factors. It is widely adopted to ensure that even if one or two factors are compromised, attackers must still bypass additional layers to gain unauthorized access.
  • The Three Authentication Factors: Both 2FA and MFA draw from three distinct categories to verify identity:
    • Something you know: A password, PIN, or the answer to a security question.
    • Something you have: A smartphone, physical token, or a one-time code sent via SMS/email.
    • Something you are: Biometric markers such as fingerprints, facial recognition, or iris scans.

II. Key Differences: 2FA vs. MFA

  • Security & Number of Factors: While 2FA uses only two factors and can be vulnerable if one is compromised, MFA uses multiple layers (two or more) and is inherently more secure.
  • Ease of Application: 2FA is generally simpler to implement and easier for users to adopt because it builds directly on existing password systems. MFA can be more complex to deploy, sometimes requiring specialized hardware or additional user training.
  • Flexibility: MFA allows organizations to customize security based on risk. For example, a business can require a strict hardware token for accessing highly sensitive data, while allowing a simple password and one-time code for less sensitive systems.
  • Cost & Scalability: 2FA is usually cost-effective. The cost of MFA varies widely; while cloud-based identity management offers affordable subscriptions, incorporating specialized hardware tokens or biometric scanners can significantly increase expenses.

III. Common Types of MFA / Authentication Methods

  • One-Time Passwords (OTPs): Temporary numeric codes used for verification.
    • HOTP (HMAC-based): Generates a code based on an incrementing counter, meaning the code does not expire until it is used.
    • TOTP (Time-based): Generates a code locally on a user's device that expires after a short interval (typically 30 seconds), making it highly secure against reuse and offline-capable.
  • Push Notifications: A prompt sent to an authenticator app where a user taps "Approve" or "Deny" to verify a login attempt.
  • Phishing-Resistant MFA: Designated by CISA as the "gold standard," this method utilizes asymmetric cryptography where private keys never leave the authenticator device. Examples include FIDO2/WebAuthn, hardware security keys (e.g., YubiKeys), platform authenticators (e.g., Windows Hello, Apple Touch ID), and passkeys.

IV. Security Risks & Vulnerabilities

  • MFA Fatigue (MFA Bombing): A social engineering attack where an adversary repeatedly spams a user's device with MFA push notifications, hoping the frustrated or fatigued user will accidentally approve the login.
  • Interception & SIM Swapping: MFA methods relying on SMS or email are vulnerable to interception, SIM swapping, and SS7 protocol exploitation, allowing attackers to steal the verification code.
  • Real-Time Phishing: Traditional OTPs (even TOTPs) are susceptible to Adversary-in-the-Middle (AitM) attacks, where users are tricked into entering their codes into a proxy site, which attackers then relay to the legitimate service.

V. Best Practices & Defense Strategies

  • Adopt Phishing-Resistant MFA: Move away from SMS, voice calls, and simple push notifications. Instead, implement FIDO2 authentication, passkeys, or PKI-based authentication, which bind the login cryptographically to the specific domain, making credential theft structurally impossible.
  • Disable Simple Push Notifications: Replace standard "Approve/Deny" push prompts with number-matching (requiring the user to type a code displayed on the login screen into their app) or challenge-and-response methods to prevent accidental approvals.
  • Enable Risk-Based Authentication & Context: Use behavioral analytics, geolocation, and device fingerprinting to assign risk scores to logins. If a login comes from an unusual location or device, dynamically require additional authentication factors.
  • Limit Prompts & Monitor with SIEM: Configure rate limits on how many MFA requests can be sent in a short period to thwart fatigue attacks. Integrate MFA logs with Advanced SIEM platforms utilizing User and Entity Behavior Analytics (UEBA) to detect and isolate abnormal authentication patterns in real time.