
WHAT IS AUTHENTICATION?

Authentication is an important component of access control. It is the security practice of
confirming that someone is who they claim to be. The number of factors required for users to
prove their identities often depends on the sensitivity of the data and digital resources involved.

In the scope of cybersecurity, the most common example of authentication is logging into a
service on the web, such as signing into Gmail in a web browser or logging in on the Facebook
app. When a user provides a username and password combination, the service can confirm
these details and use them to authenticate the user.

AUTHENTICATION FACTORS

Authentication factors are different classes of identity verification methods.

Verifiable information falls into three different categories:

● Knowledge factors: Things that you know. This typically includes passwords, personal
identification numbers (PINs), and one-time passwords (OTPs). It may also include
asking the user to answer a security question, such as the name of the street you grew
up on.

● Possession factors: Things that you have. This includes a device or something else in
a user's possession. It may include an authenticator app on a mobile device, security
keys, or a security token, which is a hardware device that plugs into your computer's
USB port. A smartphone frequently provides the possession factor in conjunction with a
one-time passcode (OTP) app.

● Inherence factors: Things that you are. This is where "biometrics" come in. It may
include a fingerprint scan, facial recognition, retina scan, or voice authentication.

What are some real-world examples of the three authentication factors?

Knowledge (something the user knows): This factor is a piece of knowledge that only one user
should have, like a username and password combination. Other types of knowledge factors
include security questions, ID numbers, and Social Security numbers. Even a "secret handshake"
may be something a user knows.
Possession (something the user has): This factor refers to possession of a physical token,
device, or key. The most basic example of this authentication factor is using a physical house
key to enter one's home. In a computing context, the physical object could be a key fob, a USB
device, or even a smartphone. Many modern MFA systems will text a temporary code to a user's
phone and ask them to enter the code in order to access their account. This demonstrates that
the user possesses a phone that no one else possesses, helping establish their identity (unless
an attacker has hijacked the user's SIM card).

Inherent qualities (something the user is): This refers to a physical property of one's body. The
most basic version of this authentication factor is the ability to recognize someone by sight or
by the sound of their voice. Humans use this ability constantly in their daily interactions.
Checking one's appearance against the photo on one's ID card is another example of verifying
inherent qualities. In a computing context, one example of this authentication factor is Face ID,
a feature offered by many modern smartphones. Other methods may include fingerprint
scanning, retina scans, and blood tests.

Two-factor Authentication (2FA)

Requires users to provide two verifiable credentials to access online resources.
Two-factor authentication, abbreviated as 2FA, is an authentication process that requires two
different authentication factors to establish identity. In a nutshell, it means requiring a user to
prove their identity in two different ways before granting them access. 2FA is one form of multi-
factor authentication.

With 2FA, users are required to provide two pieces of verifiable information to authenticate. 2FA
was designed to add an additional layer of security to sensitive information. Primary credentials
and passwords are often forgotten or compromised, so 2FA can be used to help ensure that
sensitive information is secure.

The two pieces of verifiable information requested must be from different categories. For
example, sign-on processes might require that users provide their usernames and passwords
(something they know), and a fingerprint (something they are) to access their systems and
applications. Or, sign-on processes might require that users provide their usernames and
passwords (something they know), and proof that their smartphone is in their possession
(something they have).

What are the authentication factors used for 2FA?

Some commonly used authentication factors for 2FA include:

1. Knowledge: This is a piece of information that only the user should know, such as a
password or the answer to a security question.
2. Possession: This factor relies on the user maintaining physical possession of an
object. For example, a hardware key that can generate passcodes, or a mobile device
that can be sent codes.
3. Biometric Data: These are unique biological traits of the user that can be used in
authentication. Examples include fingerprints, retinal scans, and face ID.
4. Location: Location-based tools like GPS can be used to restrict authentication to
users within a specified geographic region.

It should be noted that requiring two instances of the same authentication factor does not
qualify as 2FA. For example, requiring a password as well as a security question is still single-
factor authentication. Both of these pertain to the factor of knowledge.

How does two-factor authentication work?

Two-factor authentication can work in multiple ways. One of the most common examples of
2FA requires a username/password verification and an SMS text verification.

In this example, when the user creates an account for a service they must provide a unique
username, a password, and their mobile phone number. When the user logs into that service,
they provide their username and password. This provides the first authentication factor
(knowledge; the user has proven that they know their unique login credentials).

Next, the service will send the user an automated text message with a numerical code. The user
will then get prompted to enter the numerical code. Assuming the code is correct, the user has
provided a second authentication factor (possession; the user is in possession of their mobile
device). Now the conditions for 2FA have been met and the user can be authenticated and
granted access to their account.

Why use two-factor authentication?

Password-based security has become too easy to exploit by attackers. With the prevalence of
phishing scams, on-path attacks, brute force attacks, and password re-use, it has become
increasingly simple for attackers to collect stolen login credentials. These stolen credentials
can be traded or sold for use in credential stuffing attacks. For this reason, 2FA is becoming
more and more commonplace.

Stronger identity verification has also increased in importance as remote workforces become
more common. Since employees' physical presence in the office cannot be used to verify their
identity, measures like 2FA help ensure that their accounts have not been compromised.

Security experts generally recommend that users enable 2FA whenever possible, as well as
requesting it from services that handle sensitive user data but don’t currently offer 2FA. While
2FA is not impossible for attackers to crack, it is significantly more difficult and expensive to
compromise than password-only authentication.

Is SMS-based two-factor authentication secure?

SMS-based 2FA (text-message verification) is much more secure than single-factor
authentication (password-only). That being said, SMS is among the least secure 2FA methods.
The SMS protocol is not very secure and SMS messages can be intercepted by attackers.

There are other ways to implement 2FA using a mobile device that are more secure: for
example, sending the verification code through a secure app that uses strong encryption.
Google and many other major Internet services use time-based one-time passwords (TOTP).
With TOTP, a client (often an app running on a smartphone) creates a temporary single-use
code based on the time of day. These codes have an extremely short lifespan, typically less than
a minute. This tight timeline makes it extremely challenging for an attacker to intercept and
decrypt the code before it expires.
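As an added illustration (not part of the original document), here is a Python implementation of the TOTP scheme described above, following RFC 6238 and its HOTP building block RFC 4226: the client derives a 6-digit code from a shared secret and the current 30-second time step, and the server accepts it only within a small drift window and never twice. The secret is the RFC's published test seed, a constructed sample rather than a real key.

```python
import hashlib
import hmac
import struct

# Constructed sample key: the ASCII seed from the RFC 6238 test vectors, not a real secret.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single 64-bit counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation: low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the counter is the current 30-second time step."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check: accept the current step plus a small drift window, never a reused step."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted = -1                  # highest time step already consumed by a login

    def verify(self, candidate: str, at: int) -> bool:
        current = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_accepted:    # replay, or older than a code already used
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):   # constant-time comparison
                self.last_accepted = counter
                return True
        return False                             # wrong code, or the code has expired


if __name__ == "__main__":
    now = 59                                     # Unix time used by the RFC 6238 test vectors
    print("code at t=59:", totp(SAMPLE_SECRET, now))                       # 287082
    v = TotpVerifier(SAMPLE_SECRET)
    print("fresh code accepted:", v.verify(totp(SAMPLE_SECRET, now), now))  # True
    print("same code replayed: ", v.verify(totp(SAMPLE_SECRET, now), now))  # False
    print("code two minutes late:", v.verify(totp(SAMPLE_SECRET, now), now + 120))  # False
```

The one-step drift window tolerates a slightly skewed phone clock; anything outside it, or any time step already redeemed, is rejected, which is what keeps an intercepted code useful only for well under a minute.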

There is also an emerging 2FA technology called 'Sound-Proof,' which uses ambient noise
picked up by the microphones built into mobile devices and laptops. Sound-Proof works by
comparing the samples of ambient noise to ensure that both devices are in the same room.

Are there drawbacks to two-factor authentication?

While 2FA is helping make the Internet more secure, there are a few drawbacks that should be
considered. For example, 2FA may discourage less technically savvy users, for whom
downloading and navigating smartphone verification apps can be a challenge.

Requiring 2FA for a service can also create some economic barriers to entry. Not all users have
the modern smartphones required for many 2FA methods. Additionally, mobile data is very
expensive in some parts of the world, so even those with smartphones may suffer economic
consequences for downloading a 2FA verification app.

2FA also imposes business costs for those managing the service. 2FA is much more difficult to
implement than password-only authentication, and a business providing 2FA will either have to
incur setup costs or pay a third-party service to provide the authentication at an ongoing cost.
Smaller businesses may forgo the increased security of 2FA because they simply cannot afford
to support it.

Multi-factor Authentication (MFA)

With multi-factor authentication, users are required to provide more than one piece of verifiable
information to authenticate. MFA was designed to add additional layers of security to sensitive
information.

Note that 2FA is also considered MFA because more than one credential is required to sign on.
But MFA often involves more than two credentials.

As with 2FA, the pieces of verifiable information requested must be from different categories.
Sign-on processes might require that users provide their usernames and passwords (something
they know), but also require either something they have, such as a fob or smartphone, or
something they are, such as a fingerprint or retina scan.

What are the MFA authentication factors?

Before granting a user access to a software application or a network, identity verification
systems assess the user for characteristics that are specific to them in order to make sure they
are who they say they are. These characteristics are also known as "authentication factors."

The three most widely used authentication factors are:

● Knowledge: something the user knows
● Possession: something the user has
● Inherent qualities: something the user is

MFA refers to any usage of two or more authentication factors. If only two authentication
factors are used, MFA can also be referred to as two-factor authentication or two-step
verification. Three-factor authentication is another form of MFA.

How does MFA work?

MFA works the same way as 2FA, but users are required to provide a minimum of two pieces of
verifiable information to authenticate.

Why is MFA more secure than single-factor authentication?

Single-factor authentication is the use of just one of the above factors to identify a person.
Requiring a username and password combination is the most common example of single-factor
authentication.

The problem with single-factor authentication is that an attacker only needs to successfully
attack the user in one way in order to impersonate them. If someone steals the user's password,
the user's account is compromised. By contrast, if the user implements MFA, an attacker needs
more than a password to gain access to the account — for example, they will likely need to steal
a physical item from the user as well, which is much more difficult.

This issue also applies to other forms of single-factor authentication. Imagine if banks only
required the use of a debit card for withdrawing money — the possession factor — instead of
requiring a card plus a PIN. In order to steal money from someone’s account, all a thief would
need to do is steal their debit card.

It is important to keep in mind that it is the use of different factors that makes MFA secure, not
multiple uses of the same factor.
Suppose one application prompts a user to enter a password only, while another application
prompts a user to enter both a password and an answer to a security question. Which
application is more secure?

Technically, the answer is neither: both applications are relying on one authentication factor
alone, the knowledge factor. An application that requires a password and either a physical token
or a fingerprint scan is more secure than an application that only requires a password and some
security questions.

Which forms of MFA are the most effective?

This is a highly contextual question. Generally, any form of multi-factor authentication will be
much more secure than single-factor authentication.

With that said, certain forms of MFA have been shown to be vulnerable to sophisticated attack
methods. In one real-world example, attackers sent employees SMS phishing messages
pointing to fake login pages for the organization’s single-sign-on service. If a user entered their
username and password into this fake page, the following steps took place:

1. The attackers used the stolen username and password on the organization's real login page.
2. The real login page attempted to verify another authentication factor — possession — by
sending a temporary code to the real user’s phone.
3. The attackers redirected the user to another fake page, which asked them to enter the
temporary code.
4. If the user did so, the attackers used that code on the real login page and gained access to the
account.

By contrast, another way of verifying possession — a USB security token — would not be
susceptible to this particular attack. If all users are given unique security tokens to plug into
their computers, and must physically activate those tokens in order to authenticate, attackers in
possession of someone’s username and password would not be able to access accounts
unless they stole that person’s computer. The same could be said of verifying identity using
inherent qualities, e.g. a user’s fingerprint or facial scan.

Does this mean security tokens and fingerprint scans are more secure than one-time
passwords? In a phishing context, yes. But organizations should evaluate their specific security
risks and needs before selecting an MFA method. And again, any form of MFA is more secure
than single-factor authentication, and would represent an important step forward in an
organization’s security journey.

How can users implement MFA for their accounts?

Many consumer web services offer MFA today. Most applications that do have MFA offer a
form of 2FA that requires the user to use their smartphone when logging in. Explore the security
settings in each application to see if it is possible to activate 2FA. In addition, Cloudflare allows
all Cloudflare users to implement 2FA for their accounts.

How can businesses implement MFA?

Using an SSO solution is a recommended step for implementing MFA. SSO provides a single
place for implementing MFA across all apps, whereas not all individual apps will support MFA.

Cloudflare Zero Trust integrates with SSO vendors who support 2FA. Cloudflare helps protect
companies' websites and cloud applications by controlling what users are able to do and
enforcing security policies for employees whether they work remotely or within controlled office
environments.
