up:: [[Security Principles]]

# Multi-Factor Authentication (MFA)

**Multi-Factor Authentication (MFA)** is a security mechanism that requires users to prove their identity with two or more independent factors before they are granted access to a system, application, or resource. The factors fall into three categories: **something you know** (e.g., a password or PIN), **something you have** (e.g., a security key, hardware token, or enrolled phone), and **something you are** (e.g., a fingerprint or face). Two factors from the same category (a password plus a security question, for instance) do not count as MFA.

## Key Features

- **Multiple Authentication Factors:** MFA requires at least two factors from different categories (knowledge, possession, or inherence) to confirm a user's identity.
- **Increased Security:** Because the factors are independent, compromising one of them (a leaked or guessed password) is not enough on its own; the attacker must also defeat the second factor.
- **Flexibility in Factors:** Common deployments combine a password with a TOTP code, a push approval, a hardware security key, an SMS or email code, or a biometric unlock. These options differ widely in strength; see Exploitable Mechanisms/Weaknesses.
- **Time-Based One-Time Passwords (TOTP):** A short code derived from a shared secret and the current time (RFC 6238: an HMAC over the number of 30-second steps since the Unix epoch, truncated to six digits). Each code is valid for one time step and must not be accepted twice, so a code captured and used later is worthless; a code captured and relayed within the same step, however, still works.

## Problem Addressed

MFA addresses the weakness of **single-factor authentication**: when access depends on a password alone, the account falls to [[phishing]], credential stuffing with leaked passwords, brute-force guessing, or theft of the password database. Requiring a second, independent factor means that a compromised password by itself no longer yields access; the attacker must also obtain or bypass the other factor.

## Implications

- **Enhanced Account Security:** Stolen, reused, or weak passwords no longer lead directly to account takeover.
- **Reduced [[Phishing]] Risk:** A user who enters a password on a phishing page has not yet handed over access; the attacker must also capture or relay the second factor in real time, which raises the cost of the attack and, with origin-bound factors such as FIDO2 security keys, defeats it outright.
- **Compliance with Regulations:** Security standards and regulations either mandate MFA outright (PCI DSS requires it for access to the cardholder data environment) or require "appropriate" technical safeguards for which MFA is the expected baseline ([[General Data Protection Regulation (GDPR)|GDPR]], [[Health Insurance Portability and Accountability Act (HIPAA)|HIPAA]]). Deploying it is therefore often a compliance requirement as well as a security one.

## Impact

- **Reduced Account Compromise Risk:** MFA sharply lowers the likelihood of unauthorized access, protecting both users and organizations from data breaches that begin with a stolen password.
- **Improved User Trust:** Users place more trust in systems that implement MFA because the systems offer better protection against account takeover.
- **Stronger Data Protection:** By requiring more than a password to reach an account, organizations protect sensitive data, intellectual property, and critical systems from unauthorized access.

## Defense Mechanisms

- **Time-Based One-Time Passwords (TOTP):** Authenticator apps (such as **Google Authenticator** or **Authy**) hold a shared secret and generate a time-limited code that the user enters alongside the password. The server must tolerate small clock drift (typically one step either side) and must never accept the same code twice.
- **Hardware Tokens:** Physical devices such as **RSA SecurID** (which generates OTP codes on the device) or **YubiKey** (which stores a private key and signs a challenge in its FIDO2/WebAuthn mode, and also offers OTP modes). The user must physically possess the device; a FIDO2 credential is additionally bound to the site origin, which is what makes it phishing-resistant.
- **SMS/Email Codes:** Temporary one-time codes sent via SMS or email. These are the weakest option: SMS can be intercepted through SIM swapping or telecom-network (SS7) abuse, email codes are only as strong as the mailbox, and both are trivially relayed by a phishing page. Use them only as a fallback.
- **Biometric Authentication:** Fingerprints, facial recognition, or iris scans. In practice the biometric is verified locally on the device and unlocks a stored key (Touch ID/Face ID, Windows Hello); the server never receives the biometric itself. A biometric cannot be rotated if it leaks, so it should gate a possession factor rather than be transmitted as a credential.
- **Push Notifications:** The MFA service sends a push to the registered phone and the user approves or denies the login in real time. Number matching (the login screen shows a number the user must enter in the app) ties each approval to a specific attempt and is the standard mitigation for MFA fatigue.

## Exploitable Mechanisms/Weaknesses

- **SIM Swapping (SMS-based MFA):** An attacker social-engineers the carrier into moving the victim's phone number to a SIM the attacker controls, after which SMS codes are delivered to the attacker.
- **Real-Time [[Phishing]] Relay (Adversary-in-the-Middle):** A phishing site that proxies the real login page captures the password and the OTP (or triggers a push) and forwards them to the legitimate service within the code's validity window. Any factor that is merely typed or approved by the user (TOTP, SMS, push) can be relayed this way; only origin-bound factors such as FIDO2 security keys resist it, because the credential will not sign for the phishing domain.
- **Device Theft:** If a phone running an authenticator app or a hardware token is stolen, the thief holds the possession factor. The phone should be locked with a PIN or biometric, FIDO2 keys require a touch and usually a PIN so the token alone is not enough, and the loss must be reported promptly so the factor can be revoked.
- **MFA Fatigue (Push Notifications):** An attacker who already has the password triggers login after login, flooding the user with push prompts until they approve one by mistake or simply to make the prompts stop. Number matching, rate-limiting prompts, and alerting on repeated denials reduce this.
- **Lack of Backup Methods:** Users who lose their second [[authentication]] factor (e.g., a lost phone) are locked out if no secure recovery path exists. Recovery paths (backup codes, a second registered key) must be at least as hard to abuse as the primary factor, because attackers target the weakest enrolled method.

## Common Tools/Software

- **Authenticator Apps:** **Google Authenticator**, **Microsoft Authenticator**, and **Authy** generate TOTP codes; Microsoft Authenticator also handles push approvals with number matching.
- **Hardware Tokens:** **YubiKey** (FIDO2/WebAuthn, OTP, and smart-card modes) and **RSA SecurID** (OTP) provide physical tokens that store [[authentication]] keys or generate codes.
- **Multi-Factor Authentication Services:** **Duo Security**, **Okta MFA**, and **Microsoft Azure MFA** (now Microsoft Entra multifactor authentication) provide MFA as a service for enterprise applications.
- **Biometric Authentication:** **Apple's Touch ID/Face ID** and **Windows Hello** verify the biometric on the device and unlock a locally stored key, making the device the possession factor.
- **SMS/Email-Based MFA:** Offered by many services for convenience; generally the least secure option and best restricted to fallback use.

## Current Status

MFA is widely adopted across industries as a standard security control, especially in sectors that handle sensitive information such as finance, healthcare, and government.
However, real-time [[phishing]] relays and SIM-swapping attacks defeat the weaker factors, so guidance is shifting toward **phishing-resistant MFA**: hardware security keys and platform authenticators (a device biometric such as Touch ID or Windows Hello unlocking a FIDO2/WebAuthn credential) whose credentials are bound to the site origin, so that a look-alike domain cannot obtain a usable login.

## Revision History

- **2024-09-06:** Initial entry