Multi-factor authentication: secure access solutions and systems

Authentication processes have become increasingly relevant due to the expansion of online platforms for user access. In this way, users can use or manage their contracted products and services in a simple and personalized way.

These access management systems work in different ways depending on the configuration chosen by the platform or company. Multifactor authentication is presented as the most secure method of granting access, as it requires the validation of several requirements rather than a single piece of information that can be more easily stolen or supplanted.

What is multi-factor authentication MFA?

MFA, multi-factor authentication, or multi-factor authentication is a protocol for user access to platforms based on the delivery and validation of two or more factors that only the specified user can know, possess, be or use. This involves more complex authentication models than the traditional use of username and password.

User identification is a prerequisite for online trading. In an initial registration, an exhaustive identity verification process is carried out in which the user presents evidence that legitimizes the operation to be carried out and associates the process with his/her identity. During this initial registration, credentials are generated with which the user can later access his or her client area. 

The different platforms enabled for customers and users allow different types of operations to be carried out: from the use of digital products and services to the modification of contract conditions, cancellation of what has already been contracted, modification of essential data, or registration in new systems.

These types of operations involve different levels of complexity and risk. Defining authentication policies based on the risk of the operation is ideal for ensuring security, agility, and expertise. The latest multi-factor authentication platforms allow companies to implement dynamic access policies that request different types of authentication factors depending on the operation to be performed.

These systems are also known as adaptive multifactor authentication. As we have been saying, the type of operation the user intends to carry out is taken into account, although there are also models in which contextual information is used to decide to add steps until access is achieved.

For example, if a user tries to log in from a location far away from the one they are used to or from a different device, then an extra factor will be requested or it will be decided to request an inherent authentication factor (if this is not usually requested in the simple process). Other data such as the operating system, IP address, date and time, or consecutive login attempts that fail to provide a PIN or password also serve as indicators for requesting more complex factors and information.

MFA Authentication Factors

MFA will always use at least two enabled factors to grant access to a login request. There are different types of factors that base their nature on the basic characteristics of possession, knowledge, or inherence. The following are the different types of authentication factors to consider when establishing multi-factor strategies:

• Biometrics: the preferred and most popular is the face. Face and facial biometric verification are currently gaining ground against the fingerprint, which, although widespread, is no longer used by users to the detriment of the face or voice. In many cases, and to provide extra security, facial biometrics is active (i.e. it prompts the user to perform an action such as smiling or making a head movement). These are known as inherent factors, the user is the authentication factor itself. They are the most secure and preferred.
• One-time: Passwords and OTP (One-Time-Password) codes are generally sent to mobile devices via push notifications or SMS. They can also be sent to email via certified communication. They are received on devices and accounts that can only be accessed by the legitimate user and have a limited validity period.
• Knowledge-based Authentication (KBA) bases its factors on asking the user for information only the user knows. On the one hand, there are basic security questions about information already provided at registration, such as date of birth, the date on which the account was opened for the first time, last digits of a credit card, or indication of the products contracted. In addition, the registration often asks you to answer personal questions such as "who was your history teacher at school" or "the name of your first pet". The traditional username-password and PINs are also considered a KBA factor.
• Possession: These are the least used due to the risk of loss and because users do not always have them at hand. They include security tokens, cryptographic cards or coordinate cards, other hardware devices such as those with USB, and some items with NFC technology.

The combination of two or more of these factors results in a secure multifactor authentication strategy. As a general rule, two are used, although as we have explained above, more may be requested if suspicious behavior is detected or if a sensitive procedure is to be carried out.

Differences and similarities with 2FA two-step authentication

If there is one term that commonly appears alongside MFA multi-factor authentication, it is 2FA. Two-factor authentication or two-step authentication is the name used to refer to MFA strategies that use only two factors. In other words, the main difference lies in the number of factors to be used.

We can safely say that two-factor authentication is a simpler type of two-factor authentication. While in a policy defined as MFA several are collected and not always the same two are requested, in 2FA models only two specific authentication factors are collected and used.

There is no concrete recommendation or single answer to the question of whether it is more appropriate to use a full multi-factor strategy or a simple two-step authentication model. The decision should be made taking into account the risk policy of the platform or company, although if you have a system with a good user experience adding more layers of security (MFA) will not harm agility and will not generate friction in the access and login processes.

Best multifactor authentication mechanisms

U2F - Universal Second Factor - security keys and authentication factors based on the FIDO Alliance WebAuthn - FIDO2 - standards have been a revolution. However, the method preferred by users is biometrics. While fingerprint is still widespread, especially in mobile applications and web apps in the banking sector, face authentication (facial biometrics) is still the preferred and most secure option.

It is very important to keep in mind that OTP codes must expire within a short period of time. Temporary identification provides more security than static passwords. Notifications are a good method and QR codes have been used by certain platforms but inherent in any 2FA or MFA model should always be used.

Consumers of financial services appreciate that the companies they are customers of are taking security to the extreme, as the average user is already alert to a large amount of fraud taking place. SMS phishing is a reality that in recent years has increased and many users have fallen for it, but those who have set up multi-factor authentication have not had any problems in the aftermath.

The ITU (International Telecommunication Union) always recommends MFA to confirm that the claiming entity is who it claims to be. This applies to processes within organizations (employees and corporate access) and commercial access (customers). MFA is a reality that took off back in 2015 and that organizations such as the Spanish National Security Scheme (Esquema Nacional de Seguridad) oblige both public institutions and organizations and private companies to implement.

Multi-factor authentication based on KYC standards

Undoubtedly, the best possible multi-factor authentication system is one that uses factors based on a successful and validated Know Your Customer (KYC) process. This standard is recognized by regulations in more than 100 countries and territories worldwide and is mandatory for certain industries.

Identity verification using AML and KYC controls can be used to generate the credentials for subsequent access to the platforms. This not only ensures compliance with the requirements of regulators in most markets but also applies the highest level of security for online and remote user identification.

Doing this allows you to streamline regulated transactions without requiring subsequent authentications from users. That is, a user who authenticates to log in to your banking platform with two authentication factors - one of them based on KYC facial biometrics and another one an OTP, for example - will not have to enter another factor again if they wish to perform a high-risk transaction at a later time.

Advantages and benefits of MFA

Companies that have integrated MFA controls into their login and access processes have experienced improved user perception. Security is one of the main reasons why users choose to use a company's service over its competitors, and platforms with secure access systems have experienced an increase in users and transaction volume.

Online identity fraud is becoming an increasing concern and the number of attackers is rising sharply as the range of online services and the ability to operate remotely increases.

Risk reduction is also positioned as one of the main beneficial results of implementing multifactor authentication. Spending on mitigating risks that have ended up as completed fraud attempts has plummeted, in addition to avoiding problems with regulators and compensation payments to affected users. For example, such pressing risks that have caused so many penalties for companies in the telecommunications sector, such as Sim Swapping, have completely disappeared.

On the other hand, the use of biometric factors and password-free solutions have encouraged users. The experience is now much more agile and faster, in addition to solving the problem of forgetting. When the credential is you, you don't need to remember it or use a boring password manager.

Multi-factor authentication is required by law.

In many industries and sectors implementing MFA multifactor authentication systems is mandatory. Some National and international standards require its use in areas such as banking, insurance, and other businesses related to the financial sector. For any FinTech, InsurTech, or WealthTech platform, it is essential to have access gateways with MFA controls to develop its activity according to the regulations and with a security that does not complicate it.

The approval of the European directive PSD2 (Payment Services Directive 2) brought about a radical change in the way transactions are carried out on digital platforms throughout the European Union economy. And beyond Europe, the standards and requirements set out in this regulation have been used by many states around the world to draft their AML laws and sectoral regulations that govern how companies, businesses, and institutions in these industries should operate.

The most relevant introduction of PSD2 was the SCA (Strong Customer Authentication) standard, which sets the rules by which users must be granted access to their platforms, products, and services over the Internet. This system indicates that multi-factor authentication models must be integrated for both login and transaction authorization.

Tags