What is Multi-factor authentication (MFA)?

Multi-factor authentication (MFA)

MFA is a method of computer access control in which a user is granted access only after successfully presenting at least two separate pieces of evidence to an authentication mechanism. Typically, of the following categories:

• Knowledge factor
• Possession factor
• Inherence factor
  

Authentication Factors

1. Knowledge factor: "Something you know." The knowledge factor may be any authentication credentials that consist of information that the user possesses, including a personal identification number (PIN), a user name, a password or the answer to a secret question.
2. Possession factor: "Something you have." The possession factor may be any credential based on items that the user can own and carry with them, including hardware devices like a security token or a mobile phone used to accept a text message or to run an authentication app that can generate a one-time password or PIN.
   
   
3.  Inherence factor: "Something you are." The inherence factor is typically based on some form of biometric identification, including finger or thumb prints, facial recognition, retina scan or any other form of biometric data.
   
   
4. Location factor: "Where you are." While it may be less specific, the location factor is sometimes used as an adjunct to the other factors. Location can be determined to reasonable accuracy by devices equipped with GPS, or with less accuracy by checking network routes. The location factor cannot usually stand on its own for authentication, but it can supplement the other factors by providing a means of ruling out some requests. For example, it can prevent an attacker located in a remote geographical area from posing as a user who normally logs in only from home or office in the organization's home country.
   
   
5. Time factor: "When you are authenticating." Like the location factor, the time factor is not sufficient on its own, but it can be a supplemental mechanism for weeding out attackers who attempt to access a resource at a time when that resource is not available to the authorized user. It may also be used together with location as well. For example, if the user was last authenticated at noon in the U.S., an attempt to authenticate from Asia one hour later would be rejected based on the combination of time and location.