March 27th, 2019
The days of trusting passwords alone—single-factor authentication—are nearly over. Today, IT security teams responsible for user identity and access management are turning to more secure options: multi-factor authentication (MFA) and two-factor authentication (2FA).
Is MFA more secure than 2FA? Are the terms interchangeable? If not, what’s the difference between the two? Keep reading to get the facts.
What Are the Different Authentication Factors?
Whether a user is accessing his email or the corporate payroll files, he needs to verify his identity before that access is granted. There are three possible ways this user can prove he is who he claims to be:
- Knowledge—the user provides information only he knows, like a password or answers to challenge questions.
- Possession—the user supplies an item he has, like a YubiKey or a one-time password.
- Inherence—the user relies on a characteristic unique to who he is, such as a fingerprint, retina scan, or voice recognition.
The difference between MFA and 2FA is simple. Two-factor authentication always utilizes two of these factors to verify the user’s identity. Multi-factor authentication could involve two of the factors or it could involve all three. “Multi-factor” just means any number of factors greater than one.
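The distinction above is about distinct factor categories, not the number of prompts a user answers: a password plus a challenge question is still single-factor, because both are knowledge. The following Python is an added illustration (not code from the original post or from any product it mentions) that maps authentication methods to the three categories and checks whether a set of presented methods meets a "require N distinct factors" policy. The method names and the mapping table are assumptions chosen for the example.

```python
from enum import Enum


class Factor(Enum):
    """The three authentication factor categories described in the post."""
    KNOWLEDGE = "knowledge"    # something the user knows
    POSSESSION = "possession"  # something the user has
    INHERENCE = "inherence"    # something the user is


# Assumed mapping of authentication methods to their factor category.
# These method labels are constructed for this example.
METHOD_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "challenge_question": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "yubikey": Factor.POSSESSION,
    "totp_app": Factor.POSSESSION,
    "push_to_phone": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "retina_scan": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}


def distinct_factors(methods):
    """Return the set of distinct factor categories covered by `methods`.

    Two methods from the same category (e.g. password + challenge question)
    count as one factor, which is the point the post makes about "multi-factor".
    """
    factors = set()
    for method in methods:
        if method not in METHOD_FACTOR:
            raise ValueError(f"unknown authentication method: {method!r}")
        factors.add(METHOD_FACTOR[method])
    return factors


def classify(methods):
    """Label an authentication attempt by how many distinct factors it used."""
    count = len(distinct_factors(methods))
    if count <= 1:
        return "single-factor"
    if count == 2:
        return "two-factor"
    return "three-factor"


def satisfies_policy(methods, required_factors):
    """True if the presented methods cover at least `required_factors` categories.

    `required_factors` is the administrator's policy setting: 2 models a
    2FA-only requirement, 3 models requiring all three categories.
    """
    if not 1 <= required_factors <= len(Factor):
        raise ValueError("required_factors must be between 1 and 3")
    return len(distinct_factors(methods)) >= required_factors


def missing_factors(methods, required_factors):
    """Return the categories the user could still add to reach the policy.

    Useful for prompting the user for a method of a category they have not
    yet presented, instead of a second method from the same category.
    """
    present = distinct_factors(methods)
    if len(present) >= required_factors:
        return set()
    return set(Factor) - present


if __name__ == "__main__":
    # Constructed login attempts for illustration.
    attempts = [
        ["password", "challenge_question"],          # same category twice
        ["password", "yubikey"],                     # knowledge + possession
        ["password", "totp_app", "fingerprint"],     # all three categories
    ]
    for attempt in attempts:
        print(attempt, "->", classify(attempt),
              "| meets 2-factor policy:", satisfies_policy(attempt, 2))
```

Running the block shows the first attempt classified as single-factor even though the user answered two prompts, while the second and third satisfy a two-distinct-factor policy; only the third satisfies a three-factor policy.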
PCI DSS Has Replaced 2FA with MFA
In version 3.2, the Payment Card Industry Data Security Standard (PCI DSS) replaced all references to two-factor authentication with multi-factor authentication.
This does not mean three authentication factors are required for PCI compliance. Organizations need only use two of the three factors to be in compliance. The language change merely indicates that using three factors is perfectly acceptable under the security standard.
Perhaps three factors will be necessary in the future, but that is not the case today.
Is MFA More Secure than 2FA?
This is a natural question to ask. If two factors are good, three must be better, right? Usually, that is the case.
Requiring three different factors to authenticate is more secure than requiring just two. Most IT professionals—and even end users—know passwords are compromised with relative ease. But it’s unlikely an attacker could obtain a user’s password and get the same user’s YubiKey or mobile device.
The chances of the attacker also obtaining the user’s fingerprints are much, much smaller. Inherence is very difficult to hack or steal, and that’s what makes it so valuable as an authentication factor.
But there are a few other considerations.
Consider the MFA User Experience
End users won’t appreciate an authentication solution that is slow, cumbersome, or unreliable. When security controls prevent users from getting their work done, they start looking for ways to get around the rules or speed up the process.
It’s difficult to imagine how users could find workarounds for all three authentication factors, but remember how creative users have been in undermining password security: writing passwords down on notes under their keyboards, reusing passwords for multiple accounts, using the simplest passwords possible, like “123456” or “Password.” If three factors of authentication are overkill for your level of risk, using two factors is a valid option.
But finding a solution that has an easy-to-use interface and that allows users to select the authentication methods convenient for them is the best of both worlds.
What’s the Future of Multi-Factor Authentication?
Cybersecurity regulations and industry requirements are constantly changing in response to emerging threats. PCI’s change from 2FA to MFA is a clue about where user authentication could be headed in the coming years.
When evaluating authentication solutions that are 2FA only or allow for three authentication factors, consider which investment provides the flexibility you’ll need in the future.
A multi-factor authentication solution like Duo gives administrators control over how many forms of authentication are necessary and which methods can be used. As your organization’s security needs evolve, administrators can leverage the existing investment in Duo to enhance data protection.
Multi-factor authentication can include two or three different factors, whereas two-factor authentication is always limited to two factors. Requiring users to authenticate with three factors is more secure, but users expect an MFA solution to be easy to use. While PCI DSS currently requires two factors of authentication, there is no guarantee that won’t change in the future.