Multi-factor authentication (MFA) confirms that a user is who they claim to be by requiring two or more authentication methods of different types. Forcing users to authenticate this way reduces the risk that someone can authenticate as someone else by compromising a single method of authentication, such as learning a password. Authentication methods fall into three types, and multi-factor authentication requires any two or more of them (two methods of the same type, such as a password and a PIN, do not count as multiple factors).
- Knowledge: Authentication via something you know, such as passwords, PINs, address or date-of-birth confirmation and security question answers.
- Possession: Authentication via something you have, such as a smartcard, key fob, token or smartphone.
- Inherence: Authentication via something you are, such as biometric data including finger or palm print, iris scan, voice print or face scan.
The main risk is that software which should require multi-factor authentication, because it protects important information assets or functionality, does not enforce it. In particular, multi-factor authentication should be enforced for all privileged or administrator accounts. It is also possible that an existing multi-factor authentication step can be bypassed easily because it is implemented or configured incorrectly or insufficiently, for example when the second step can be skipped by requesting a post-login page directly, when the session is treated as authenticated before the second factor has been verified, or when one-time codes can be guessed because attempts are not limited.
After evaluating whether sufficient multi-factor authentication exists, testers then try to bypass it, to authenticate as other users and gain access to system functionality and information assets that they should not be able to reach.
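As an added illustration of the bypass described above (example code written for this page, not from the cited NIST guide or from any product), the following Python simulates a two-step login. The vulnerable version marks the session as logged in after the password alone and never checks the second step on the protected page, so a client that ignores the redirect to the OTP page gets in; the hardened version keeps the session pending until the one-time code verifies, bounds the number of OTP attempts and compares the code in constant time. The user, password, secret, session IDs and endpoint names are constructed for the example; the one-time code routine is the standard RFC 6238 TOTP algorithm over HMAC-SHA1.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo account (not real credentials). The TOTP secret is the
# ASCII byte string used by the RFC 4226 / RFC 6238 test vectors.
_SALT = b"demo-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}
MAX_OTP_ATTEMPTS = 5


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(cand, rec["pw_hash"])


def totp(secret: bytes, t: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226 dynamic truncation) over the time counter."""
    counter = int((time.time() if t is None else t) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class VulnerableApp:
    """The session is a logged-in session as soon as the password checks out.
    /mfa is only a redirect target, so a client that never visits it is let in."""

    def __init__(self):
        self.sessions = {}

    def post_login(self, sid: str, user: str, password: str) -> str:
        if not check_password(user, password):
            return "401"
        self.sessions[sid] = {"user": user, "mfa_done": False}
        return "302 /mfa"

    def post_mfa(self, sid: str, code: str, now: Optional[float] = None) -> str:
        s = self.sessions.get(sid)
        if s and code == totp(USERS[s["user"]]["totp_secret"], now):
            s["mfa_done"] = True
            return "302 /account"
        return "401"

    def get_account(self, sid: str) -> str:
        s = self.sessions.get(sid)
        return f"200 account:{s['user']}" if s else "401"  # mfa_done is never checked


class HardenedApp(VulnerableApp):
    """Same endpoints. The session only holds a pending user until the OTP
    verifies, the protected page checks that, OTP attempts are bounded, and the
    code comparison is constant-time."""

    def post_login(self, sid, user, password):
        if not check_password(user, password):
            return "401"
        self.sessions[sid] = {"pending_user": user, "otp_attempts": 0}
        return "302 /mfa"

    def post_mfa(self, sid, code, now=None):
        s = self.sessions.get(sid)
        if not s or "pending_user" not in s:
            return "401"
        s["otp_attempts"] += 1
        if s["otp_attempts"] > MAX_OTP_ATTEMPTS:
            del self.sessions[sid]  # too many guesses: back to the password step
            return "429"
        expected = totp(USERS[s["pending_user"]]["totp_secret"], now)
        if hmac.compare_digest(code.encode(), expected.encode()):
            self.sessions[sid] = {"user": s["pending_user"], "mfa_done": True}
            return "302 /account"
        return "401"

    def get_account(self, sid):
        s = self.sessions.get(sid)
        return f"200 account:{s['user']}" if s and s.get("mfa_done") else "401"


def skip_second_factor(app: VulnerableApp, sid: str = "s1") -> str:
    """Tester's bypass: finish step one, ignore the redirect to /mfa,
    and request the protected page directly."""
    app.post_login(sid, "alice", "correct horse")
    return app.get_account(sid)


def complete_login(app: VulnerableApp, sid: str = "s2", now: Optional[float] = None) -> str:
    app.post_login(sid, "alice", "correct horse")
    app.post_mfa(sid, totp(USERS["alice"]["totp_secret"], now), now)
    return app.get_account(sid)


if __name__ == "__main__":
    print("vulnerable, password only:", skip_second_factor(VulnerableApp()))
    print("hardened, password only:  ", skip_second_factor(HardenedApp()))
    print("hardened, both factors:   ", complete_login(HardenedApp()))
```

Against a real target the same check is done by completing the password step in a proxy, dropping or ignoring the redirect to the second-factor page, and requesting a post-login page directly; a 200 with account content at that point is the finding. The attempt limit in the hardened version addresses the separate weakness of guessable six-digit codes, which a tester probes by replaying the OTP request with different codes.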
- Stouffer, K. et al. (2015) Guide to Industrial Control Systems (ICS) Security. NIST Special Publication 800-82 Rev. 2, NIST Computer Security Resource Center, p. 92.