Multi-Factor Authentication (MFA)

Because let’s face it. Passwords suck.

Not all authentication methods are created equal. If your organization relies on USERID and password combinations for authentication to applications, data, and resources, then strengthening authentication for higher risk environments and applications using Multi-Factor Authentication (MFA) will enable your organization to support more effective and accurate access security in all environments where sensitive data is accessed daily. 


Weak and stolen passwords are the leading factor in breaches. Multi-factor authentication initiatives involve replacing or supplementing the more vulnerable single password authentication mechanisms with multi-factor mechanisms employing token, biometric recognition, and/or smartcard technologies. Depending on the level of security desired, two-factor authentication or three-factor authentication may be needed. These factors are grouped into three authentication categories: something you have, something you know, and something you are.

Identity And Access Solutions can reduce the risk of account takeovers and provide additional security for entities and their accounts through the implementation of solutions that combine something you know (e.g. password/personal identification number), something you have (e.g., cryptographic identification device, token); and/or something you are (e.g., biometric).

The factors of Multi-"Factor" Authentication:
  • Something the user knows – i.e. password or PIN
  • Something the user has – i.e. smartcard or token
  • Something the user is – i.e. biometric information

MFA step-up authentication capabilities will allow your organization to use location-based information (assuming location data is available from a user’s device) along with other enterprise attributes (user/entity and Application) to be adaptive in determining if additional factors are required in conjunction with standard authentication & authorization decisions to allow on-going access for both internal and external standard and privileged access.

Two-factor authentication can consist of a password or PIN combined with a token, a password or PIN combined with a smartcard, biometric information combined with a token, or a password or PIN combined with biometric information. Three-factor authentications would combine biometric information with the other two factors (password or PIN + smartcard or token).

Multi-factor authentication strategies allow for the chaining of one challenge to another and should always include at least two factors that are not guessable, reusable, findable, independent, and are difficult to steal or tamper with. Users can be challenged for a username and password (something you know), and upon successful verification users are then challenged with the second factor.


The key driver to implementation of multi-factor authentication is to make it easy for the users who have a business need to access data to get the information they need yet maintain an elevated level of security. To balance the needs of the end user and security, step-up (also known as risk-based) authentication can be utilized.

Step-up authentication is a function of the organization’s access management strategy. For example, if a user has logged in with a username and password (low identity assurance) and is requesting access to sensitive information requiring at least a moderate level of identity assurance, the organization’s access management solution will redirect you to execute another authentication strategy. The execution of multiple chained authentication strategies lifts the level of identity assurance and, as a result, is sufficient for access to sensitive information.