Help, Types of MFA

Multi-Factor Authentication

Multi-Factor Authentication, or MFA, as defined by NIST, is any combination of two or more factors used when authenticating a person's identity. NIST goes on to say, "MFA can be performed using a single authenticator that provides more than one factor". Those factors are something you have, something you know, and something you are. AffirmID Auth includes all three and adds one more: presence, a deliberate action such as a button tap at the moment of authentication. To confirm that you are who you claim to be, AffirmID Auth requires that the person has possession of the phone (something you have), knows and successfully enters the BioPIN within three tries (something you know), and presents biometric traits that match the enrolled ones (something you are).

In addition to the number of authenticator factors, also consider their type, "1-way" or "2-way", when selecting an authenticator for your business. Registering authenticators with the secure service that relies on them is a requirement. OTP authenticator registration, often referred to as 2FA or 2-step, is a 1-way process: the registration information, which is the shared secret itself, is sent to the authenticator over channels such as email, a web page, or an SMS text message, each an attack vector, and nothing comes back that proves the authenticator is the one that was enrolled. A cryptographic authenticator, such as one built on WebAuthn, provides 2-way security: cryptographic credentials and tokens are exchanged and validated by both the relying party and the authenticator, and the private key never leaves the authenticator.

Passive Two Factor Authentication

AffirmID Auth supports One-Time-Passcode (OTP) two-factor authentication in which accounts are set up by scanning a QR code or by manual entry of the account information and secret. Consider how either is delivered and received: the QR code or manually entered text contains the shared secret itself, so a man-in-the-middle who intercepts it can generate the same passcodes as the legitimate authenticator. Generally, the first factor is a PIN or password (something you know) or something you are, and the second is the One-Time-Passcode produced by AffirmID Auth (something you have).

Active MFA Authentication

NIST defines multi-factor authentication, or MFA, as comprising something you know, something you have, and something you are. Scenarios where active MFA is used include username-only authentication, also known as password-less authentication, and private key authentication.
Private key authentication requires a more sophisticated type of device token, such as a smartphone acting as the authenticator. A hypothetical application is a notification pushed to a phone running an authenticator app secured by a biometric; after a button tap, the app responds with a reply signed by its cryptographic key (the private key itself never leaves the phone).
Username-only authentication normally comprises the username augmented by a biometric-enabled authenticator using a cryptographic key. In practice the username is provided, augmented perhaps by a fingerprint scan and followed by a button tap: something you know, the username (an identifier rather than a secret, so the strength of the scheme rests on the key and the biometric); something you are, the fingerprint; and something you have, the device holding the key, with the button tap proving presence.
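The 2-way exchange contrasted with OTP registration earlier on this page, and the push-then-tap scenario described just above, modelled in Go as an added example (not AffirmID code and not a WebAuthn library): a simplified WebAuthn-style challenge-response in which the relying party stores only public keys, issues single-use challenges, and checks origin, user presence, signature counter and signature before accepting a login. The relying-party origin, the signed field layout and the way the credential ID is derived are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

const ExpectedOrigin = "https://affirmid.example" // hypothetical relying-party origin

// Authenticator is the phone side: a private key that never leaves it, a counter that
// increases on every signature, and a user-presence gate (the button tap).
type Authenticator struct {
	CredID  string
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Assertion is the reply to the relying party: the signed fields plus a signature, never the key.
type Assertion struct {
	CredID, Origin string
	Challenge, Sig []byte
	UserPresent    bool
	Counter        uint32
}

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{CredID: priv.PublicKey.X.Text(16), priv: priv} // simplification: ID derived from the key
}

// digest covers every field the relying party checks, so none of them can be altered in transit.
func digest(as *Assertion) []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("webauthn.get|%s|%s|%t|%d",
		base64.RawURLEncoding.EncodeToString(as.Challenge), as.Origin, as.UserPresent, as.Counter)))
	return d[:]
}

// Sign answers a challenge. userPresent=false models a push notification that was never tapped.
func (a *Authenticator) Sign(challenge []byte, origin string, userPresent bool) Assertion {
	a.counter++
	as := Assertion{CredID: a.CredID, Origin: origin, Challenge: challenge, UserPresent: userPresent, Counter: a.counter}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest(&as))
	if err != nil {
		panic(err)
	}
	as.Sig = sig
	return as
}

// RelyingParty keeps public keys, last-seen counters and challenges not yet consumed.
type RelyingParty struct {
	pubs       map[string]*ecdsa.PublicKey
	counters   map[string]uint32
	challenges map[string]bool
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{map[string]*ecdsa.PublicKey{}, map[string]uint32{}, map[string]bool{}}
}

// Register stores the public key only; nothing secret crosses the registration channel.
func (rp *RelyingParty) Register(a *Authenticator) { rp.pubs[a.CredID] = &a.priv.PublicKey }

// Challenge issues a fresh random nonce that will be accepted at most once.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[string(c)] = true
	return c
}

// Verify is the relying-party half of the 2-way exchange. The challenge is consumed
// before any other check so a failed attempt cannot be retried with the same nonce.
func (rp *RelyingParty) Verify(as Assertion) error {
	pub, known := rp.pubs[as.CredID]
	fresh := rp.challenges[string(as.Challenge)]
	delete(rp.challenges, string(as.Challenge))
	switch {
	case !known:
		return errors.New("unknown credential")
	case !fresh:
		return errors.New("challenge not issued or already used (replay)")
	case as.Origin != ExpectedOrigin:
		return errors.New("origin mismatch (signed for another site, e.g. a phishing page)")
	case !as.UserPresent:
		return errors.New("no user presence (push notification never tapped)")
	case as.Counter <= rp.counters[as.CredID]:
		return errors.New("signature counter did not increase (cloned authenticator?)")
	case !ecdsa.VerifyASN1(pub, digest(&as), as.Sig):
		return errors.New("bad signature")
	}
	rp.counters[as.CredID] = as.Counter
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty()
	rp.Register(auth)
	as := auth.Sign(rp.Challenge(), ExpectedOrigin, true)
	fmt.Println("genuine login:  ", rp.Verify(as))
	fmt.Println("replayed:       ", rp.Verify(as))
	fmt.Println("push, no tap:   ", rp.Verify(auth.Sign(rp.Challenge(), ExpectedOrigin, false)))
	fmt.Println("phished origin: ", rp.Verify(auth.Sign(rp.Challenge(), "https://evil.example", true)))
}
```

Two of these checks are what separate this from the OTP flow: the origin is inside the signed data, so an assertion coaxed out of the phone by a look-alike site cannot be replayed against the real one, and the relying party holds nothing that would let it, or an attacker who copies its database, impersonate the phone.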