When trying to find the best authentication solution, the terminology in the landscape can often be confusing, especially when it comes to Two Factor vs Multi Factor authentication. In this article we will go through a detailed comparison of the two to help you make an informed choice.
MFA vs 2FA - What's the difference?
When I talk about authentication with others, I realize that many people are confused about Multi Factor authentication (MFA) and Two Factor authentication (2FA). Let’s start with the obvious, the names themselves: Multi means “many”, whereas two means “two”, that is “one more than one”.
MFA requires multiple different factors (at least two, possibly more), whereas 2FA requires exactly two different factors (not more, not fewer) to authenticate a user. Now what exactly is considered a factor? The explanation is simple. There are several different factors:
- Knowledge (e.g. password, PIN), meaning something you know
- Possession (e.g. smart card, smartphone, wearable, cryptographic key), meaning something you have
- Inherence (e.g. fingerprint, iris scan, voice print), meaning something you are
- Context (e.g. location, what you do, how you react, behaviour patterns), meaning something the user does in the course of his or her normal activity
When any two of these factors are required before a user can be authenticated, it is referred to as two factor authentication. Note that the factors have to be different: a password and a PIN are two authenticators, but both are knowledge, so together they still provide only one factor. According to NIST SP 800-63B, Multi Factor authentication (MFA) is “an authentication system or an authenticator that requires more than one authentication factor for successful authentication”. The point is that “more than one authentication factor” is required to achieve MFA. Since MFA requires more than one authentication factor and 2FA uses exactly two factors, all 2FA is MFA, but not all MFA is 2FA.
Now let’s consider how MFA and 2FA can be achieved with different kinds of authenticators: Multi Factor (MF) authenticators and Single Factor (SF) authenticators.
Multi Factor vs Single Factor Authenticators
Let’s first clarify the difference between the two terms “authenticator” and “authentication”.
- An “authenticator” is a device, token or piece of software used to provide one or more authentication factors, e.g. a security key, a wearable, a one time password (OTP) generator, etc.
- “Authentication” is the process of verifying, using those authenticators, that the person or user who tries to authenticate is who they claim to be.
For example, take a password that is entered on a webpage to gain access to an online account. This password is the “authenticator”. The same holds true for a security key, e.g. a Yubico YubiKey that an employee uses to log into their application: the security key is the authenticator. The entire process of using the password or the security key, verifying that the user presented the correct password or the correct security key, and granting access to the user is “authentication”. Therefore, the tool that provides access to the user is the authenticator, and the process that verifies the user is who he or she claims to be is authentication. Makes sense?
Multi Factor (MF) authenticators are authenticators (e.g. software, tokens or your smartphone) that require a second factor of authentication before they can be used to authenticate a user. That is, they require an independent factor, for example a password (factor: knowledge) or a fingerprint (factor: inherence), to become usable. Using your mobile phone as an example, the user has to provide their fingerprint or a password on the mobile phone before the phone can be used to log him or her into a website. The fingerprint or password is a second factor used to make the mobile phone usable; the mobile phone on its own is the first factor, “possession”. The fingerprint or password required before the mobile phone becomes usable is what makes the phone a “Multi Factor authenticator”.
Single Factor (SF) authenticators are authenticators that do not require any second authentication factor to become usable.
According to NIST SP 800-63B, “Multi Factor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors”. This means that a user does not necessarily need to enter two different factors (e.g. a password and a one-time code) directly on the consuming device/application to achieve MFA or 2FA if an MF authenticator is used.
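As an added illustration (not code from the article), the following Python models the counting rule just described: an authenticator contributes the factors the verifier sees plus any local activation factor, distinct factors across all authenticators in a login are counted, and exactly two is 2FA while more than one is MFA. The class, function and sample authenticator names are my own assumptions.

```python
from dataclasses import dataclass

# The four factor categories the article lists.
KNOWLEDGE, POSSESSION, INHERENCE, CONTEXT = "knowledge", "possession", "inherence", "context"

@dataclass(frozen=True)
class Authenticator:
    """factors: what the verifier sees from this authenticator (e.g. possession
    for an OTP app). activation: the extra factor the user must supply locally
    before it is usable (fingerprint to unlock the phone); empty for a single
    factor (SF) authenticator."""
    name: str
    factors: frozenset
    activation: frozenset = frozenset()

    def is_multi_factor(self) -> bool:
        # A non-empty activation factor is what makes it an MF authenticator.
        return bool(self.activation)

    def provided_factors(self) -> frozenset:
        # NIST SP 800-63B: one authenticator may provide more than one factor.
        return self.factors | self.activation

def distinct_factors(authenticators) -> frozenset:
    """Distinct factors across every authenticator used in one login."""
    result = frozenset()
    for auth in authenticators:
        result |= auth.provided_factors()
    return result

def is_mfa(authenticators) -> bool:
    # "More than one authentication factor": distinct factors are counted, so
    # a password plus a PIN (both knowledge) is still single factor.
    return len(distinct_factors(authenticators)) > 1

def classify(authenticators) -> str:
    """'2FA' for exactly two distinct factors, 'MFA' for more, else 'SFA'."""
    n = len(distinct_factors(authenticators))
    return "2FA" if n == 2 else "MFA" if n > 2 else "SFA"

# Constructed sample authenticators (illustrative names, not real products).
PASSWORD = Authenticator("password", frozenset({KNOWLEDGE}))
PIN = Authenticator("PIN", frozenset({KNOWLEDGE}))
OTP_APP_NO_LOCK = Authenticator("OTP app without device lock", frozenset({POSSESSION}))
PHONE_KEY = Authenticator("key on a fingerprint-locked phone",
                          frozenset({POSSESSION}), frozenset({INHERENCE}))

if __name__ == "__main__":
    for combo in ([PASSWORD, PIN], [PASSWORD, OTP_APP_NO_LOCK], [PHONE_KEY], [PASSWORD, PHONE_KEY]):
        print([a.name for a in combo], "->", classify(combo), "MFA:", is_mfa(combo))
```

The single fingerprint-locked phone classifies as 2FA on its own, which is the “single authenticator that provides more than one factor” case in the NIST wording.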
Pros and cons of Multi Factor authenticator vs single factor authenticator
Let’s look at the benefits of either of the authenticators.
Multi Factor authenticators (MFA)
This refers to using a single authenticator that requires a second factor to activate (an MF authenticator) to achieve MFA or 2FA, for example using a smartphone as an authenticator to access a website. The smartphone MUST first be activated by the user with a PIN (knowledge) or a fingerprint (inherence). Then the key on the smartphone can be used to access the website.
Pros:
- The user is in full control of both factors, especially when an MF hardware cryptographic device is used, as NIST recommends for AAL3.
- No risk of a keylogger or screen capture harvesting the user’s password on the device, the web or mobile applications.
- An attacker who steals an MF software/hardware authenticator still needs the second factor to use it.
- An MF hardware authenticator device is mostly offline, which makes it more difficult for an attacker to get at.
- The verifier only has to secure one factor; the second factor is controlled by the user.
Cons:
- The second factor is on the same device. Where the second factor is verified locally, e.g. an OTP software generator on a smartphone, both the second factor and the secret key used to generate the OTP could be compromised at once.
- On-the-fly phishing, where an attacker captures, for example, the password and OTP provided by the legitimate user and immediately uses them for illegitimate access to the user’s resources. With MF authenticators only the OTP is captured (assuming the service provider is satisfied with multi factor using a single authenticator).
Single factor authenticators (1FA)
Here we are referring to achieving MFA or 2FA with two different single factor authenticators, for example getting an OTP from an OTP app on a smartphone that doesn’t require activation (one single factor authenticator) plus a fingerprint capture (another single factor authenticator) or a memorized secret.
Pros:
- If one of the factors, say knowledge, is compromised, it might not affect the other factor (e.g. OTP or crypto key) on the SF device, although compromising the other factor might be trivial.
Cons:
- The user is not in control of where both factors (e.g. password and OTP) are entered.
- The user’s password could be sniffed or captured with a keylogger or screen capture on the authentication device/application.
- An attacker could use phishing to deceive users into entering their password on fake sites/login forms, especially users who reuse the same password on many services, which gives an attacker automatic access to the other accounts that share that password.
- An attacker could reset the user account with just the password and email address and associate a new second factor with the user account.
- The SF authenticator device/software is not protected. For example, with SF OTP software on a smartphone, all an attacker needs is to steal the smartphone or token and then try to obtain the second factor via phishing, brute force, keylogger, screen capture or social engineering.
- On-the-fly phishing: both single factors could be captured, which could also compromise the user’s other accounts.
- The verifier must manage at least two different authenticators for each user.
A secure Multi Factor authentication solution that uses Multi Factor authenticators, e.g. a smartphone with a device lock, brings significant advantages for both the user and the provider over 2FA with single factor authenticators.
Benefits for users
- It’s more convenient: the user needs just a single authenticator
- Cheaper: no additional device needed
- Theft and unauthorized access prevention: even if the MF authenticator is stolen, it still requires a second factor to be usable
Benefits for providers
- Better security: a higher degree of confidence that only the authorized user can access sensitive/confidential data
- Convenient and scalable: the same solution can be deployed for employees and customers
- Lower administration cost: only one device has to be managed
Want to learn more about smartphone-based multi-factor authentication? Have a look at our authentication solutions.