MFA vs. 2FA vs. 2SV: How to choose the right multi-factor authentication
What's the difference between MFA, 2FA and 2SV? Learn how to select the type of multi-factor authentication that best fits your needs and security requirements.
Published December 16, 2021

Increasingly sophisticated cyber threats and attack strategies on password credentials make our favorite devices, network systems, applications and databases more vulnerable.
About half of all breaches result from compromised credentials, most thanks to phishing scams. And security awareness education alone is not enough to secure your organization. Users are human, and accidents happen. As cyber threats become more and more difficult to thwart, multiple security layers are key to protecting access to systems. The best way to create security layers for system access is by using multi-factor authentication (MFA), two-factor authentication (2FA), or two-step verification (2SV).
While these three terms may appear to mean the same thing, they have distinct differences. Here is a breakdown of each:
Multi-factor authentication (MFA): MFA is a security enhancement that requires a user to submit two or more items of proof (factors) for system access. Authentication factors can include something the user knows, such as a password; something the user possesses, such as a keycard; or something the user is, such as a fingerprint.
2-factor authentication (2FA): This type of multi-factor authentication uses two distinct authentication factors. These have to be two different categories of authentication, such as knowledge and possession. We see 2FA frequently, for example, when a person logs in to an account with their username and password, then receives a push notification on their smartphone to approve the login.
2-step verification (2SV): This type of multi-factor authentication requires two sequential verification steps using authentication factors. For example, Google uses 2SV. To log in, you enter your username and password, then enter an additional code.
Broadly speaking, both 2FA and 2SV are types of multi-factor authentication, which can also extend to three-factor authentication or three-step verification (or more). The primary difference comes down to the kind of authentication methods that are applied. If login is simply a two-step process, it's always going to be 2SV. If that two-step process uses different authentication factors, then it's a 2FA login.
While there are many different solutions and ways to authenticate system access and verify a user's identity, usually in addition to a traditional username and password, each method falls into one of four categories, or factors. All four factors relate to the user: what they know, what they have (a hardware device or additional technology), who or what they are, and where they are located.
The most common way to authenticate system access is with personal knowledge unique to the user. This can be a piece of information or set of characters that the user has to submit to gain access. The classic example is, of course, a username and password, but it can also be a personal identification number (PIN), or even both used sequentially, which is considered two-step verification.
You'll also sometimes see questions about the user, such as their birthplace or the first car they owned. Generally, these are not the best ways to verify identity. This information is all too easy to find on websites or social media profiles.
Another factor for system access can be something that the user has with them. This could include a device like a key card, hardware key or token, or cell phone. It also includes 2FA applications, such as Google Authenticator, Microsoft Authenticator, and LastPass Authenticator.
In practice, a possession factor doubles as a knowledge factor, because the user’s device or application requires an additional password they should know. For example, if a user logs in with their username and password, and 2FA is prompted through a one-time Google Authenticator password, then the user needs to "possess" the Google Authenticator app that holds the other password or PIN.
Hardware tokens such as YubiKey or Token2 work in a similar way to 2FA applications. In this case, however, the user inserts a physical key that is linked to the device they are using. Every time the user needs to log in and complete MFA, the token displays a new code.
You can also choose to send SMS codes to a user's mobile device(s) to authenticate access. Keep in mind, though, that SMS is not a secure MFA method: a code sent in plain text (unencrypted) to a phone number is easy for bad actors to intercept or spoof.
Most widely used for in-person identification, biometrics such as fingerprints, eye scans, and face or voice recognition can confirm a user's identity. Some of these are of course also widespread in personal electronic devices, like your smartphone. Think of Apple's Face ID or Android's fingerprint authentication.
The user's physical location can also dictate system access. Or rather, the user's location doesn't necessarily decide whether they have permission to enter the application or device, but it determines which factor will be used for authentication. For example, if you're using the corporate network on-site, you'll only need your Windows username and password to log in. But if you're off-site, you'll receive a 2FA prompt to complete authentication with your hardware token.
Implementing MFA is a best practice. We all know this, and have for some time. What's changed is that MFA is now a really common regulatory and cyber insurance requirement. Depending on the requirement, implementing MFA can mean two or more steps of verification or two or more distinct authentication factors.
Protects against negligence: It's hard to remember passwords. That's especially true if they're complex. So, many users create short, easy-to-remember passwords, giving cybercriminals a clear route to stealing credentials through brute force attacks or harvesting techniques. MFA provides another layer of security if employee passwords are compromised.
Prevents unauthorized access: Since it requires an additional step or factor to gain access to your network system or software application, MFA helps keep criminals out. More often than not, cybercriminals don’t have the knowledge or possessions needed to satisfy the second factor, even if they have valid primary credentials.
Allows geographic flexibility: Many MFA solutions, such as knowledge-based factors or possessions like a phone, a hardware token, or an authenticator app, do not require users to be on-site to complete their login. So, MFA is manageable from any location.
Ensures compliance: MFA is one of the most frequent regulatory compliance requirements for customers and employees. These include the PCI Data Security Standard (PCI DSS), GDPR and other industry regulations. Increasingly, we're also seeing MFA cyber insurance requirements.
None of these factors or methods is necessarily better than another; the optimal solution really depends on your specific situation. The key for organizations is to create a balance between security, productivity and budget.
Think of it this way. The security benefits of a five-step verification system are great! You can get that system locked down. No one's getting in. But it’s not practical if it means employees lose half an hour every day just trying to log in.
And no matter which MFA method you use, prepare your business for multi-factor authentication. Plan in advance to set up your MFA deployment for success.
When evaluating MFA provider options, it's important to consider your organization's infrastructure. Can you host the solution on-premise? Or do you need a cloud-based system?
If possible, on-premise MFA is a more secure method since MFA enforcement and monitoring can only be done from the local, secure network. Because an internet connection is not required for on-site access, this reduces risks from internet-based attacks.
On-premise solutions can still enforce MFA to secure remote access via a variety of connection types, like remote desktop protocol, virtual private network, virtual desktop, and internet information services (IIS).
When no such connection exists, MFA policies are still enforced through an agent on the remote machine that connects to the on-premise service via the internet. See more on this with UserLock Anywhere.
An agent also allows a machine to be protected with MFA when offline, without an internet connection.
Let's first look at how to decide between 2SV and 2FA. 2FA is more secure because it requires two different factors, whereas 2SV usually requires two steps of the same factor (like two knowledge authentications). For that reason, many compliance requirements such as HIPAA, PCI DSS, and GDPR specifically require two factors of authentication and not just two steps.
On the other hand, 2SV is generally easier and faster for employees because it requires two items of information they already know. When organizations do not specifically need "two-factor" authentication for compliance purposes, they’ll likely find 2SV a more appealing security protocol.
When organizations need to protect extremely valuable systems holding sensitive information, they can implement MFA that requires three-step verification and 2FA. For example, if someone is at a data warehouse and wants to get into a specific subsection, that employee could be required to enter a password, unique PIN, then do an eye scan to gain access. In this case, it's three steps of verification but only two factors.
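The 2SV/2FA distinction above, the location-dependent prompt described earlier (password only on-site, hardware token off-site), and the data-warehouse scenario (three steps, two factors) can all be expressed with one small policy model. This is an added example, not code from the article or from UserLock; the factor names, the `Step` type and the policy thresholds are assumptions chosen to mirror the article's terminology.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"
    LOCATION = "somewhere you are"


@dataclass(frozen=True)
class Step:
    method: str
    factor: Factor


def classify(steps: list[Step]) -> dict:
    """Count verification steps and distinct factor categories, then label the login the
    way the article does: any two-step login is 2SV; it is also 2FA only when the steps
    come from two different categories."""
    n_steps = len(steps)
    n_factors = len({s.factor for s in steps})
    if n_steps < 2:
        label = "single-step"
    elif n_factors < 2:
        label = f"{n_steps}-step verification"
    else:
        label = f"{n_steps}-step verification, {n_factors}-factor authentication"
    return {"steps": n_steps, "factors": n_factors, "label": label}


def meets_policy(steps: list[Step], min_steps: int = 2, min_factors: int = 1) -> bool:
    """Compliance-style rule: e.g. min_factors=2 models a 'two factors, not just two steps' requirement."""
    c = classify(steps)
    return c["steps"] >= min_steps and c["factors"] >= min_factors


def required_steps(on_site: bool) -> list[Step]:
    """Location-dependent prompt: on the corporate network only the Windows password is
    requested; off-site a hardware-token code is added."""
    steps = [Step("Windows username and password", Factor.KNOWLEDGE)]
    if not on_site:
        steps.append(Step("hardware token code", Factor.POSSESSION))
    return steps


# Constructed inputs mirroring the article's scenarios.
PASSWORD_THEN_PIN = [Step("password", Factor.KNOWLEDGE), Step("PIN", Factor.KNOWLEDGE)]
DATA_WAREHOUSE = PASSWORD_THEN_PIN + [Step("eye scan", Factor.INHERENCE)]

if __name__ == "__main__":
    for name, s in [("password+PIN", PASSWORD_THEN_PIN), ("data warehouse", DATA_WAREHOUSE),
                    ("off-site", required_steps(False)), ("on-site", required_steps(True))]:
        print(f"{name}: {classify(s)['label']}; two-factor rule met: {meets_policy(s, 2, 2)}")
```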
Regardless of what system is accessed or which method of authentication and verification you choose to use, granular access control offers organizations another security measure. Granularity means restricting or permitting specific system access and controlling details on when and how MFA is prompted.
Only in certain scenarios does it make sense to require users to constantly verify who they are. System administrators should manage their MFA requirements by setting user-specific standards on the type of MFA solution used, the frequency, application or system, and overall login circumstances.
Much of this can be better executed when MFA is part of a wider access management solution that enforces login restrictions, prompts MFA, and monitors all access logs. UserLock, for instance, also lets system administrators manage user access and verification requirements based on contextual factors such as device origin, time frame, type of session, and whether simultaneous sessions are occurring.
While MFA offers a way to keep the convenience of passwords while bolstering security, the most secure option for some organizations may be to avoid passwords altogether. An alternative solution to MFA for system access management and identity verification is using non-password methods such as biometrics, mobile push notifications, one-time passwords, or email links to log on. In this case, there is no standard login, meaning that no username or password is entered to gain access.
Another form of passwordless authentication is single sign-on (SSO), which gives users access to all systems by just completing one login. UserLock, for example, enables users to access both the cloud applications and network resources of the organization with just their Active Directory credentials. The single sign-on can even combine with MFA requirements for additional security.
Going passwordless eliminates the need for employees to create and memorize complex passwords. It also thwarts phishing scams attempting to access a user’s credentials because there are none, and is overall a more convenient option for employees.
There are some specific advantages to using SSO with Active Directory accounts as well. These include a single set of credentials for all users, keeping Active Directory as the central identity management system, and the ability to combine it with MFA for better security. There's also the non-security benefit of improving employee productivity by limiting time spent logging into applications.
Balancing convenience of access for employees while preventing security threats is a challenge for many organizations. Simply requiring a single authentication with a traditional username and password is no longer enough to prevent threat actors from gaining unauthorized access. Since passwords can be compromised, it's critical to implement the extra security layer of multi-factor authentication, two-step verification or two-factor authentication.
To maximize security, it’s also best practice to combine authentication requirements with access control management and granularity (controlling who has permission, to what systems, how they must gain access, when they can, and where they can access from). Access control, MFA, and even single sign-on (for those that want to shift to passwordless) can all be managed from Active Directory with UserLock.