Two factor or multi factor authentication (2FA or MFA)? How to use both better

Passwords - they’re not great on their own. At least, not when you have hundreds or thousands of sensitive documents, credentials or datasets to protect. There’s too much information at stake to guard with just a code and username. As you welcome more collaborators into a digital system, the risk of a hack, breach or leak only increases.

A strong password makes you (somewhat) secure, but doesn’t authenticate whoever’s submitting it. If the password is lost or stolen, someone else can use it — like a robber wearing a bank manager’s suit, waved through to the vault because of what they appear to have, not who they are.

A password proves that whoever typed it knows a secret. It says nothing about who they are. And that’s why you’re here. The real question is: what kind of authentication should you go for? 2FA or MFA, and what makes sense for you?

We want to explain what two factor (2FA) and multi factor authentication (MFA) really represent for your digital security. They share some traits but can suit different businesses and contexts. Also, the traditional methods for authentication are changing. But we’ll get to that later.

First, let’s shine a light on what separates these security practices. They make it tougher for criminals to access your user accounts, even if they’ve combed their hair and say all the right things.

The typical split for authentication

A username identifies the account; the password is the first factor that grants access. The second factor (and any others) asks for more “proof” that the person is who they claim to be. Two factor authentication layers exactly one more check on top of the password, while multi factor can keep adding layers of protection. Technically, two factor is a form of multi factor, but MFA can continue strengthening security with further prompts and verification tools, provided each added factor comes from a different category than the ones already in use.

Both methods use at least two of the following categories of evidence to approve access:

● Something you know, e.g., a password, a PIN or the answer to a security question.
● Something you have, e.g., a badge, fob, smart card, hardware or software token, or the phone running an authenticator app. A one-time password (OTP) belongs here rather than under “something you know”: the code proves possession of the device or seed that produced it, and the user never has to remember it.
● Something you are, e.g., a fingerprint, or voice or facial recognition.

Each independent layer makes it tougher for cybercriminals to break into an account. Two checks from the same category (a password plus a security question, say) are not 2FA, and layers only stack if an attacker cannot capture them all in one go: a password and an SMS code can both be typed into the same phishing page. 2FA, then, is one step beyond a username/password combination, whereas an MFA solution can keep scaling with extra security requirements.

Here’s an example:

Two factor authentication

You have a WordPress plugin that a select number of people are allowed to access. They type their password and username or email address into the login portal. Then they’re sent an OTP on their mobile device, either by SMS or from an authenticator app such as Google Authenticator or Microsoft Authenticator. An SMS code is usually valid for a few minutes; an authenticator app generates a time-based code that changes every 30 seconds, and the server tolerates a step or so of clock drift either side. Once they enter the code, they’re in.

Multi factor authentication

The WordPress user performs the same first step, but this time the authenticator app demands a face scan from the smartphone camera before it reveals a code. They type it in. The user has now passed three checks. Note what your server actually sees, though: the password and the code. The face scan happens on the device and gates the possession factor; it only counts as a third factor your system can rely on if the app attests to the server that the biometric check took place.

Which authentication do you really need under NIST recommendations?

The U.S. National Institute of Standards and Technology (NIST) develops U.S. federal standards for information security that are widely adopted worldwide. It has a bone to pick with any organization that uses single factor authentication, i.e., passwords alone. “You should use MFA wherever possible,” says one of its posts on the topic, “especially when it comes to your most sensitive data — like your primary email, your financial accounts and your health records.”

These suggestions reach fever pitch when you’re running a business with dozens or hundreds of people signing in to an online account. In our WordPress example, a 2FA minimum makes unauthorized access to your backend considerably harder. But the more users and verified devices you manage, the wider your attack surface becomes. MFA can grow with the number of people you need to authenticate.

However, you don’t want to make the MFA journey too arduous. Simple, low-risk accounts that don’t hold much sensitive data can often settle for two factor authentication. If you’re protecting a repository of stock photos, for instance, a username/password plus a code from an authenticator app that the phone unlocks with a face scan grants entry in seconds, much as Face ID does for an Apple ID on iOS.

On the other hand, you might be protecting medical records, customer names and addresses, top-secret design plans or risk profile information. This is when multi factor authentication comes into play. It’ll take a little longer for users to authenticate themselves, but the extra protection is worth it. You’ll sleep better at night.

In fact, NIST has pushed hard for stronger MFA across the U.S. government throughout 2022. Some of its priorities for critical account protection include:

● Moving away from one-time codes sent by SMS: NIST SP 800-63B classes out-of-band authentication over the phone network as a restricted authenticator, because the code can be intercepted (SIM swapping) or simply typed into a phishing page.
● Limiting reliance on shared secrets such as OTP seeds and security answers, which a breach of the server that stores them exposes in bulk.
● Promoting asymmetric cryptography in authentication: the device holds a private key and signs a challenge that includes the site’s origin, so a signature tricked out of it on a look-alike site is useless at the real one. FIDO2/WebAuthn authenticators work this way.

Unfortunately, cryptographic authentication also has weaknesses. We’ll examine them soon. But first, we’d like to show you why you don’t have to choose between 2FA and MFA.

Thanks to Almefy, they’re both yours when you need them.

Choose easily — we’ve made access fit for you

Almefy changes the game completely for digital authentication. We’ve streamlined 2FA down to a single step.

Once you register users on the Almefy app — requiring only an email address or any identifier such as a username on a trusted device — they have an account for verification. And when they visit your log-in screen, there’s no password request. Instead, they open the app and scan a QR code. Boom. Done. Nobody even touches a keyboard to gain access.

As our technology spreads, many Almefy customers are already using this method alone for secure, reliable logins. Yet if you have an established security protocol, whether single factor or multi factor, or want to add an additional authentication layer, you can use Almefy for that, too.

Just head to our Settings menu in the app and configure Almefy to function with extra authentication such as a pin or biometric scan. If you’re asking for a password/username as well, that’s a three factor authentication model with the relative ease of two factors. It’s MFA on rollerskates.

Almefy can integrate with almost any tool or application you can think of, including WordPress. That means your marketing team, freelancers and clients can safely view and edit content without the effort associated with tighter security.

Learn more about Almefy technology!

Almefy solves the password problem, too

The best part? We’ve eliminated passwords altogether.

This is a critical shift for two factor and multi factor authentication. Remember, passwords are usually the first login factor. Asymmetric cryptography, NIST’s preferred basis for authentication, is a big step up, but it still relies on a locally stored key. The device holds a private key; the server holds the matching public key and checks that a challenge was signed with the private one. A valid signature proves possession of the key, not the identity of whoever holds it. If that private key lives in a file rather than in tamper-resistant hardware, malware or a compromised account can copy it, and a copied key is as reusable as a stolen password. Add the certificates, issuance, renewal and revocation that a public key infrastructure (PKI) brings, and you have a lot to manage. On its own, a PKI is not the answer to ironclad MFA.

Read about the problem with PKI here. Almefy removes that risk because our encryption keys expire almost as soon as they’re generated. There’s no long-lived key material sitting in your network, and we don’t require any security certificates, which bring their own headaches.

Plus, you’re avoiding the ever-present threat of users losing passwords, giving them up accidentally in a phishing attack or passing them onto the wrong people.

Almefy focuses on identity-based encryption (IBE). When you combine that with countless options for other authentication factors, there’s no need to use a password anymore. Leave it in the past, where it belongs.

2FA and MFA are at your fingertips, stronger than ever. Chat to us to schedule a demo, and we’ll show off the new kind of passwordless authentication you can count on.