
What is multi-factor authentication?


Overview

When you access a protected resource, you authenticate against an identity store by presenting a credential: a claimed identity and a secret associated with it. Traditionally that has meant a username and password, which is still the most common authentication method today. Unfortunately, username/password authentication is highly vulnerable to phishing and to credential theft. Because passwords are hard to remember, people tend to pick simple ones and reuse them across their online and cloud services, so when a credential is stolen from one service, attackers try it against other personal and professional services (credential stuffing).

Multi-factor authentication (MFA) is designed to protect against these and other threats by requiring the user to present two or more independent proofs of identity, drawn from different factor categories, before gaining access to a resource such as an application, a data store, or a private network.

The term “factor” describes the different authentication types or methods used to verify someone’s claimed identity. The different methods are:

  • Something you know—like a password, a memorized PIN, or challenge questions
  • Something you have—historically a hardware token; today more commonly a smartphone or a hardware security key (USB or NFC).
  • Something you are—common biometrics are fingerprint or facial recognition; less common are biometrics like voice or other recognition technologies.

Multi-factor authentication

How do you decide how many factors you should configure for a protected resource?

Security and usability requirements dictate the process used to confirm the requester's identity claim. Multi-factor authentication lets security teams respond to the context of the requester (a person or a programmatic process); the most common responses are to require an additional factor (step-up) or to deny access outright. Beyond deciding how many factor types to require, IT also has to balance the usability it wants against the cost of implementing and operating the supporting technology.

Single-factor authentication (SFA)

SFA has been, and still is, the default for securing access to mobile, online, and other protected information and facilities. Because it is ubiquitous and inexpensive, username and password is the most common form of SFA. Still, passwordless technologies are being adopted at an increasing rate to avoid the threats posed by phishing. For example, many mobile apps let users unlock with a fingerprint or facial recognition in place of a username and password; note that the biometric in this case is matched on the device and unlocks a credential or key stored there, rather than being sent to the service.

Passwordless options (e.g., FIDO2 and passkeys) are currently available from all major platform vendors including Microsoft, Apple, and Google.

After a user authenticates, the session or access token that represents them must be protected like any credential, since whoever holds it is treated as that identity. In addition to protecting tokens in storage and in transit, they are typically configured with short lifetimes and refreshed frequently, which limits how long a stolen token remains useful. Short-lived tokens underneath a passwordless interface raise security, but token hygiene alone does not provide the assurance of a second, independent factor.

Modern passwordless mechanisms such as passkeys (WebAuthn/FIDO2) are not typically classified as simple SFA. They are public-key credentials scoped to the site that registered them, which is what makes them phishing-resistant, and they usually combine something you have (the device or security key holding the private key) with something you know or are (the PIN or biometric that unlocks it). Implemented correctly, passwordless authentication is itself a form of strong multi-factor authentication.

Two-factor authentication (2FA)

2FA strengthens security by requiring a second proof of identity from a different category (know, have, are) than the first. One proof might be a physical token, such as a smart card, and the other something memorized, such as a password or the response to a challenge. Two passwords, or a password plus challenge questions, are both "something you know" and therefore do not count as 2FA. A genuine second factor significantly raises the bar for an attacker who has phished or stolen the first one.

Here is a list of popular authentication methods:

  • One-time passwords—TOTP, HOTP, and hardware OTP tokens such as YubiKey (Yubico OTP)
  • FIDO/FIDO2 security keys and passkeys—public-key challenge/response scoped to the registering site
  • Other out-of-band—voice call, mobile push
  • PKI—certificates
  • Biometrics—fingerprint, face, voice recognition
  • Proximity—cards, mobile app geo-fencing
  • What you know—passwords, challenge questions

Three-factor authentication (3FA)

This method adds a third factor to two-factor, making it harder still to impersonate a claimed identity. A typical scenario is adding biometrics to an existing username/password plus proximity-card login. Because it adds a notable level of friction, it should be reserved for situations that demand a high level of assurance: banks, various government agencies, and specific high-control areas within an airport or hospital are places where security teams have deemed 3FA necessary. 3FA is uncommon; adaptive MFA, which evaluates contextual risk, is the prevailing industry direction.

Where is MFA typically used?

Although many organizations treat user verification as an afterthought, Verizon's annual Data Breach Investigations Report (DBIR) consistently lists stolen credentials among the top initial actions in breaches. An organization that relies on passwords alone should expect, sooner or later, an event in which it loses sensitive information, with tangible financial cost and a loss of customer trust.

What makes these trends notable is that multi-factor authentication has never been as convenient and affordable to implement as it is today. Traditionally, organizations limited MFA to a small subset of specialized users who worked with higher-risk information, because strong authentication was expensive to purchase, deploy (including enrolling users), and administer. More recently there has been a sweeping set of changes across industries, within organizations, among their customers (patients, citizens, partners, and so on), and in the technology available to them.


What are the main business drivers for implementing multi-factor authentication?

While each organization has their own concrete requirements, there are high-level business drivers that are frequently common across them:

  • Most industries must comply with some privacy or security regulation covering customer, patient, or financial information, and government agencies continue to firm up policies requiring MFA for identity verification.
  • More than ever, professionals work outside the office, as road warriors or remote employees. Organizations use MFA for them as part of risk management or as part of a compliance initiative covering information (customer, patient, citizen, HR, etc.) that is subject to government authentication mandates.
  • Power users and their organizations operate in a pervasively connected world; when a privileged user's credentials are breached, the exposure to the employer is a compelling reason to protect those accounts with MFA.
  • Virtually everyone has a connected computer (smartphone) in their pocket from which they conduct their lives: social media, consumer personalized content, and e-commerce. Because customers expect to interact with businesses digitally on their devices, organizations often pursue an aggressive mobile app strategy that needs MFA to manage their risk.

Which mandates require that organizations use MFA to be in compliance?

MFA is now a baseline expectation under:

  • PCI DSS v4.0—for all access into the cardholder data environment and for all remote network access originating from outside the entity's network (requirements 8.4.2 and 8.4.3).
  • HIPAA—the Security Rule does not name MFA explicitly, but it is the expected way to satisfy the rule's authentication standard for electronic protected health information (ePHI).
  • NIS2 and DORA—requiring strong (multi-factor or continuous) authentication and access controls in critical sectors.
  • Cyber insurance policies—insurers commonly require MFA, particularly for remote access and privileged accounts, as a condition of coverage.

What are some ways to make MFA less intrusive on the user experience?

IT has access to a few technologies to reduce the friction that MFA can potentially impose on users:

  • Single sign-on.
  • Risk assessment of an access request.
  • Matching the best authentication type to the user.

Single sign-on (SSO)

SSO allows users to authenticate to multiple resources from a single interaction: the user presents one credential to the authentication engine, which then authenticates to each protected resource on the user's behalf for the duration of that session. With federation protocols (SAML, OAuth, OIDC) the resource never holds a user credential at all; it trusts a signed assertion from the identity provider, so the strength of every login is the strength of the one authentication the identity provider performed. Where a resource must still hold its own credential (password-vaulting SSO), the most secure approach is for the authentication engine to use a unique credential for each resource. This raises security because:
  • The user never learns the resource's actual credential, only the one presented to the authentication gateway. This forces the user through the gateway rather than going to the resource directly, and because each resource has a unique credential, a breach of one resource's identity store does not compromise the others. It also lets IT satisfy MFA requirements once at the gateway while performing serial authentications to the protected resources.

Risk-based authentication (RBA)

By evaluating the user's context, risk-based authentication can invoke MFA only when it is needed. Whether the goal is to comply with a government mandate or to enforce the organization's risk management policy, RBA reduces the number of times an authentication challenge is imposed on a user. Policies are commonly a mix of location, device, and time of access, and they typically produce one of three outcomes: allow, step up to an additional factor, or deny.
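The following is an added example, not OpenText's engine or any code from the page: a small risk-based policy in Python that scores an access request from device, location and time signals and returns allow, step_up (invoke MFA) or deny. The weights, thresholds and the impossible-travel rule are assumptions chosen for illustration, and the user profile and requests are constructed sample data.

```python
"""Risk-based step-up policy: score an access request from context signals, then
decide allow / step_up / deny. Weights and thresholds are illustrative assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

STEP_UP_THRESHOLD = 30   # assumed: at or above this, demand a second factor
DENY_THRESHOLD = 80      # assumed: at or above this, refuse outright


@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    time_utc: datetime
    resource_sensitivity: str = "low"   # "low" or "high"
    session_has_mfa: bool = False       # second factor already satisfied this session?


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    last_country: Optional[str] = None
    last_seen: Optional[datetime] = None


def score_request(req: AccessRequest, profile: UserProfile) -> Tuple[int, List[str]]:
    """Return a risk score plus the reasons, so every decision is explainable in audit logs."""
    score, reasons = 0, []
    if req.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if req.country not in profile.usual_countries:
        score += 30
        reasons.append(f"unusual country {req.country}")
    if req.time_utc.hour < 6 or req.time_utc.hour >= 22:
        score += 10
        reasons.append("off-hours access")
    # Impossible travel (assumed rule): a different country than the last login, under two hours later.
    if (profile.last_seen is not None and profile.last_country is not None
            and profile.last_country != req.country
            and req.time_utc - profile.last_seen < timedelta(hours=2)):
        score += 50
        reasons.append("impossible travel")
    return score, reasons


def decide(req: AccessRequest, profile: UserProfile) -> Tuple[str, List[str]]:
    """Map the score onto the three RBA outcomes; sensitive resources always need MFA."""
    score, reasons = score_request(req, profile)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    needs_mfa = score >= STEP_UP_THRESHOLD or req.resource_sensitivity == "high"
    if needs_mfa and not req.session_has_mfa:
        return "step_up", reasons
    return "allow", reasons


def demo_decisions() -> List[str]:
    """Run constructed sample requests (not real telemetry) through the policy."""
    utc = timezone.utc
    profile = UserProfile(known_devices={"laptop-01"}, usual_countries={"US"},
                          last_country="US", last_seen=datetime(2024, 3, 1, 9, 0, tzinfo=utc))
    t = datetime(2024, 3, 1, 10, 0, tzinfo=utc)
    requests = [
        AccessRequest("alice", "laptop-01", "US", t),                                   # routine
        AccessRequest("alice", "phone-99", "US", t),                                    # new device
        AccessRequest("alice", "laptop-01", "DE", t),                                   # US -> DE in 1 hour
        AccessRequest("alice", "laptop-01", "US", t, resource_sensitivity="high"),
        AccessRequest("alice", "laptop-01", "US", t, resource_sensitivity="high", session_has_mfa=True),
        AccessRequest("alice", "laptop-01", "DE", datetime(2024, 3, 2, 23, 0, tzinfo=utc)),  # late, abroad
    ]
    return [decide(r, profile)[0] for r in requests]


if __name__ == "__main__":
    for outcome in demo_decisions():
        print(outcome)
```

The point of returning the reasons alongside the outcome is that an RBA decision must be auditable: when a user is stepped up or denied, the help desk and the SOC need to see which signals fired. The sample run yields allow, step_up, deny, step_up, allow, step_up: the sensitive resource is challenged even with a clean score, and a session that already satisfied MFA is not challenged again.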

Low-friction authentication options

While traditional OTPs (TOTP/HOTP) will remain the most common second factor, other options may fit a situation better. Out-of-band push apps offer lower friction than OTP because the user only has to tap Accept; that same convenience makes them susceptible to push fatigue, where a user approves a prompt they did not initiate. For higher-risk situations, push apps can be configured to require a fingerprint, and to require number matching (typing a number displayed on the desktop into the phone), which proves that the approver possesses both the desktop session and the smartphone and defeats blind approval.

Facial recognition is quickly becoming the biometric of choice. The low-friction nature of Windows Hello, which refines its model over time, offers a convenient user experience. Its biggest challenge is varying lighting, and that failure to recognize faces across lighting conditions can be managed with additional facial registrations. Some mobile apps now also register a person's iris patterns. Used together (face, fingerprint, iris), biometric methods make it very hard for an outsider to impersonate the user. Biometrics are also a good low-friction defence against phishing, but it is worth being precise about why: in Windows Hello and in passkeys the biometric is matched locally and only unlocks a private key bound to the device and scoped to the registering site. The biometric template never leaves the device, and it is that scoped key, not the biometric itself, that a phishing site cannot obtain.

Voice recognition has gained popularity in the financial services sector. Institutions like it because it is entirely passive for customers as they speak with a service representative, who is notified once the customer's identity has been verified. They use it in place of challenge questions, whose correct answers customers frequently have trouble remembering, so security and usability are both improved. Passive voice verification is, however, increasingly exposed to synthetic voice cloning, so it should be treated as one signal among several rather than the sole factor for high-value transactions.

FIDO/FIDO2 is an attractive option when users roam across multiple devices. Part of its appeal is broad vendor support and a focus on usability. FIDO has gained notable traction in universities, which serve large numbers of students using a variety of digital services. Roaming security keys and synced passkeys give passwordless authentication portability across different devices and platforms.

The profiling of smartphone gestures is a form of behavioral analytics that analyzes how a person physically interacts with their device. It uses heuristics to track patterns in gestures, producing confidence scores based on the consistency of those patterns. As more data is collected, the system becomes more confident in recognizing the user's unique behavior, increasing the accuracy—or fidelity—of the gesture profile. While not initially strong enough to serve as a primary method of identity verification, gesture profiling can be a useful complementary factor when combined with other authentication methods.


How OpenText helps

OpenText™ Advanced Authentication is part of our enterprise-grade identity and access management portfolio. It enables flexible deployment of MFA, including:

  • Passwordless and biometric authentication.
  • Risk-based and contextual access decisions.
  • Policy enforcement across hybrid and multi-cloud environments.
  • Integration via APIs, SDKs, and federation protocols (SAML, OAuth, OIDC).

Whether you're securing internal users, partners, or consumers, OpenText delivers secure, compliant, and scalable authentication at enterprise scale.


How is OpenText Advanced Authentication different than other MFA solutions?

Security teams often deploy the supporting software that ships with the authentication device they adopt. This works well until different devices are purchased that require a different software implementation, creating yet another silo. In large organizations it is possible to have multiple silos of passwordless technology, each used for multi-factor authentication or to satisfy some other authentication requirement. The weakness is that each silo has its own set of policies; keeping multiple policy stores up to date raises administrative overhead and introduces the risk of uneven policies.

OpenText Advanced Authentication is designed to serve even the largest organization's multi-factor authentication needs. Its standards-based approach provides an open architecture free from the risks of vendor lock-in. The framework supports a variety of devices and additional out-of-the-box methods, and can be expanded as new technologies reach the market.

Regardless of platform (web, mobile, client), OpenText Advanced Authentication provides out-of-the-box support for the most common platforms and applications. Beyond serving as the central policy engine for corporate-wide authentication, it offers a risk-based engine that controls when MFA is invoked and which authentication types are offered at different risk levels. It also integrates with OpenText Access Manager to provide single sign-on options and risk metrics that can be used as part of an adaptive access management use case.

