What is Multi-Factor Authentication & How Does it Work?

Written by Mitnick Security | Mar 31, 2021 4:30:00 PM

It seems that everything we use these days requires a password. From email and social media accounts to everything in between, we always need a password to gain access. 

But it isn't as simple as coming up with one password and using it for everything. At least, you shouldn't be doing that...

Using one password over and over for all of your accounts is incredibly risky. If one account has been compromised and you use that same password for everything, then all of your accounts have effectively been compromised. 

That’s why cybersecurity professionals developed multi-factor authentication (MFA)— and in this post, we’re here to tell you all about it.

The Reality of Weak Passwords

Be honest— have you ever created a less-than-secure password? Chances are, you have, even if you didn't realize it. You probably even reuse it, or a slightly altered variation of it, across numerous accounts.

After all, creating a unique password for hundreds of online accounts makes it difficult to remember them all— and people create weak passwords as a result. 

The problem is that, since nobody wants to forget their passwords, many passwords contain easy-to-remember pieces such as family member names, pet names and important dates. That is a major “no-no” for proper password protection!

Through open-source intelligence gathering, attackers known as social engineers can find information about you online, creating a breadcrumb trail that lets them guess your password. This is just one reason passwords are easy to crack these days. Another is the existence of password cracking tools that allow attackers to try hundreds or thousands of passwords in a matter of minutes. 

You may be wondering to yourself, "If passwords are not secure, what do we do to keep our applications and accounts safe?" Enter multi-factor authentication.

What is Multi-Factor Authentication & How Exactly Does it Work? 

In an MFA environment, a password alone is not enough to gain access. The password may still be needed, but it's just one piece of the puzzle. Along with the password, additional factors are required to prove that the individual is authorized to have access. 

Multi-factor authentication is an authentication method in which a user must provide two or more factors for verification. 

Having multiple lines of defense is not enough on its own: true MFA requires that the factors used to gain access be of different types. 

The 5 Main Types of Multi-Factor Authentication

1. Knowledge (Something you know) 

  • Knowing a password. While often used as the only means of verification, passwords can be used as a second line of defense— required after a first form of authentication.

  • Knowing a passphrase. In our blog on password tips, we explain more about what this means. It’s often a string of words that form a sentence or phrase, using variances in characters and capitalization for extra protection, like “Be The Change That Y0u W!sh To See !n The W0rld.”

  • Knowing a passcode. This could be a string of numbers like “5928312” that you have memorized to get in.

  • Knowing the answer to a security question. With the right social engineering know-how, though, these answers can be easily guessed if the right questions aren’t asked. An answer like where you went to high school, for example, could be found on someone’s LinkedIn page by almost anyone.

PRO TIP: Since you always want two different kinds of MFA factors, you wouldn't want to use a password and security questions as your two factors, as they are both knowledge factors. 

2. Possession (Something you have) 

The possession type refers to anything that you have on you. 

  • Mobile devices

  • Key fobs

  • Access badges

  • Security tokens

  • Etc.

3. Inherence (Something you are) 

Inherence-based factor types generally refer to biometrics. 

  • Fingerprint scans

  • Iris or retina scans

  • Voice recognition

While knowledge, possession and inherence are the three most commonly used MFA factors, the following two are also worth mentioning:

4. Behavioral (Something you do)

Computers and other devices can detect patterns in the way that we behave as humans. For example, a computer may be able to tell us apart from another person based on patterns in our typing. Although they are far less common, behavioral factors have been used in MFA environments. 

5. Location (Somewhere you are)

Location is another factor that is sometimes used to help authenticate a user. For example, if you are supposed to be logging into an account from New York, but the device sees that you are logging in from Tokyo, it may block access. 

A Few Examples of MFA

  1. To log into her corporate computer, Jane must first plug a USB security token into her system (something she has). Upon plugging in the token, she must enter her password (something she knows) on the screen. The system checks to verify that Jane is, in fact, in the corporate office (somewhere she is). Finally, Jane is given access to her computer.
  2. Marcus is attempting to log into his bank account. After entering his username, the bank sends a text message to his phone (something he has) with a unique one-time code. After entering the code, Marcus answers several security questions (something he knows) before gaining access to his banking information.
  3. Isabella is entering a secure facility. To enter the facility, she must swipe her access badge (something she has). After swiping her badge, she then scans her fingerprint (something she is) before being given access to the facility. 
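The "different types" rule from the Pro Tip and the three scenarios above, as an added example (Python, not code from the original post): each factor is checked on its own, and the login attempt passes only when the factors that verified span two or more different types. The factor checks, the city comparison, the "Lincoln High" answer and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# The five factor types the post lists ("inherence" = something you are).
FACTOR_TYPES = {"knowledge", "possession", "inherence", "behavioral", "location"}

@dataclass(frozen=True)
class Factor:
    kind: str       # one of FACTOR_TYPES
    name: str       # label such as "password" or "sms_code"
    verified: bool  # outcome of checking this one factor

def check_password(presented: str, salt: bytes, stored_hash: bytes) -> bool:
    """Knowledge factor: keep only a salted PBKDF2 hash, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, 100_000)
    return hmac.compare_digest(digest, stored_hash)

def check_one_time_code(presented: str, issued: str) -> bool:
    """Possession factor: the one-time code that was texted to the user's phone."""
    return hmac.compare_digest(presented.encode(), issued.encode())

def check_location(expected_city: str, observed_city: str) -> bool:
    """Location factor: the post's 'expected New York, seen in Tokyo' rule."""
    return expected_city == observed_city

def is_true_mfa(factors, minimum: int = 2) -> bool:
    """True MFA as the post defines it: at least `minimum` factors that verified
    AND belong to different types. A failed factor never counts, and a password
    plus a security question is a single type (knowledge), so it does not pass."""
    for f in factors:
        if f.kind not in FACTOR_TYPES:
            raise ValueError(f"unknown factor type: {f.kind}")
    kinds = {f.kind for f in factors if f.verified}
    return len(kinds) >= minimum

# Constructed credential store for the checks below (not real values).
SALT = b"constructed-salt-value"
STORED_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)
ISSUED_SMS_CODE = "483920"

def password_and_question(password: str, answer: str) -> bool:
    """The Pro Tip case: two knowledge factors are not true MFA even when both pass."""
    factors = [
        Factor("knowledge", "password", check_password(password, SALT, STORED_HASH)),
        Factor("knowledge", "security_question", answer.lower() == "lincoln high"),
    ]
    return is_true_mfa(factors)
```

Swapping the security question for a texted code (as in Marcus's case) gives a possession factor, and the same attempt then passes.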

Why Every Organization Needs MFA

Company assets are valuable and must be protected at all costs. Passwords simply don't cut it. 

Strong password hygiene and MFA are only one part of your security equation. 

Download our free 5-½ Steps Guide to Avoid Cyber Threats ebook for a holistic picture of what protection means for your organization.