Explained: Two-Factor vs. Multi-Factor Authentication

It may seem like two-factor authentication and multi-factor authentication are the same. They’re not, explains Yaser Masoudnia, the Senior Director of Product Management at LastPass.*

Everyone knows that passwords alone aren’t enough. Weak, reused or old passwords cause 80 percent of data breaches. From phishing to ransomware, zero-day vulnerabilities, to man-in-the-middle attacks, to key-logging and password cracking, cyberattacks leverage faster tools and exploit known weaknesses to get around even the strongest of passwords. Every application, device and login is an entryway to your business. They need to be better protected.


Pairing passwords with additional authentication factors is critical to that protection. Multi-factor authentication (MFA) was developed to add security checks to the login process. By creating more login proof points, you can better prove that someone is who they say they are, while making it much harder for someone else to break through your defenses. However, to do that you need those multiple proof points, not just one (the password) or even two, as is the case with two-factor authentication (2FA).

Multiple beats Double

When you’re looking to add extra security, it may seem like 2FA and MFA are the same. Not so. Two-factor authentication is a great starting point, but a one-size-fits-all authentication approach does not work when users have different behaviors, personal devices, levels of access and attributes. While standard 2FA solutions have improved, the typical standalone solutions lack the necessary oversight, flexibility, visibility and intelligence IT teams need.


Two-factor solutions also don’t adapt to a wide range of use cases and scenarios. The authentication factors required have nothing to do with a user’s risk profile or login scenarios. Also: the same two factors are required with every login, meaning the same level of security is applied to all users regardless of risk and contextual factors. Either 2FA is on and required (which can slow down users when the added security is not necessary) or it’s off and not required, which raises risk.


We’re also starting to see that typical 2FA methods such as knowledge-based questions and SMS-based one-time passwords can be vulnerable to simple phishing attacks and social engineering.

Adaptive MFA Takes a Risk-Based Approach

On the other hand, adaptive multi-factor authentication selects a combination of factors based on a user’s risk profile and habits, providing a natural and unobtrusive login experience. Artificial intelligence methods can check whether the overall picture fits: is it possible that an employee can log on to their account in Santa Barbara and two hours later access data again from Berlin? Is it plausible that the laptop used could be in a different country than the smartphone used for authentication? Checking mechanisms such as these have proven to be very effective for fraud prevention in financial transactions, for example, and in terms of access control.

When it comes to intelligence and control, adaptive MFA enables admins to implement flexible, granular policies around risk levels based on a variety of parameters, including an employee’s role, location, and the resource being accessed. Over time, the solution can “learn” the typical behaviors of an individual user and determine what the authentication requirements should be based on whether the user is acting within the “normal” range of behaviors or has deviated from them. While this is clearly ideal for the business for security reasons, it also provides a much more intuitive and seamless authentication process for employees.

Behavioral learning like this makes it easier to accurately authenticate employees through the creation of an individual user profile with intelligent decisions made each time an employee logs on to the network. This also enables any anomalies or potential threats to be detected in real time. By only prompting the user when necessary and offering a more intuitive experience with features like biometrics, adaptive authentication offers many usability benefits over 2FA for both employees and administrators.
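To make the risk-based factor selection described above concrete, here is an added toy policy engine (example code written for this article, not LastPass software): it scores a login with the impossible-travel check and the laptop-versus-smartphone country check from the text, then maps the score to the factors the user must present. The 900 km/h plausibility limit, the score thresholds, the resource names and the sample logins are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: roughly airliner cruise speed
SENSITIVE_RESOURCES = {"payroll", "admin-console"}  # assumed example resource names


@dataclass
class LoginEvent:
    """One authentication attempt (constructed sample data, not real telemetry)."""
    user: str
    ts: float            # epoch seconds
    lat: float
    lon: float
    device_country: str  # country where the laptop appears to be
    auth_country: str    # country where the smartphone authenticator appears to be
    resource: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def risk_score(prev, cur):
    """Score a login against the user's previous login; returns (score, reasons)."""
    score, reasons = 0, []
    if prev is not None:
        hours = (cur.ts - prev.ts) / 3600.0
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        # Impossible travel: moving further than 1 km (geo-IP jitter allowance)
        # faster than any traveller could manage between the two logins.
        if dist > 1.0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += 50
            reasons.append("impossible travel")
    if cur.device_country != cur.auth_country:   # laptop and phone disagree on country
        score += 30
        reasons.append("device/authenticator country mismatch")
    if cur.resource in SENSITIVE_RESOURCES:
        score += 20
        reasons.append("sensitive resource")
    return score, reasons


def required_factors(score):
    """Map a risk score to the factors the user must present (assumed thresholds)."""
    if score >= 50:
        return ["password", "hardware_key"]   # step up to a phishing-resistant factor
    if score >= 20:
        return ["password", "push_approval"]
    return ["password"]                       # low risk: do not prompt unnecessarily
```

A real deployment would keep per-user baselines (the "learned" normal behaviour in the text) rather than only the previous login, and would log the reasons so analysts can review step-ups and denials.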

Easier Integrations than 2FA

Finally, MFA solutions can be flexible, scalable and cost-effective because they can be implemented alongside existing systems more easily than 2FA. You want your MFA of choice to be compatible with different authentication and single sign-on protocols. At the same time, policies must be mapped granularly both to groups of employees and to individuals, or adopted from existing identity and access management solutions. MFA solutions should also be compatible with current standards for single sign-on (SSO).

Such an integrated solution should at the same time offer support through policy guidelines and reporting. With an easy-to-use solution that adapts to the way employees work, adoption increases and so does the level of security. A flexible and adaptive MFA solution is therefore a strategically important element of every SMB’s modern security solution.

(*) Disclosure: This contributed article is sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.