How Multifactor Authentication Can Help Keep You Safe
Keeping your organization and its consumers safe is challenging when data breaches continually expose credentials and cybercriminals keep testing new attack vectors. Adding extra security measures is an important part of your defense, and moving beyond usernames and passwords alone may soon be a necessity.
What is multifactor authentication?
Multifactor authentication, or MFA, is a method of authenticating people using more than one type of identifier. Generally, you can put these identifiers into three categories based on the type of information:
- Something a person knows: Usernames, passwords and personal information are common examples of identifiers from this category.
- Something a person has: These could include a phone, computer, card, badge, security key or another type of physical device that someone possesses.
- Something a person is: Also called the inherence factor, these are intrinsic behaviors or qualities, such as a person’s voice pattern, retina or fingerprint.
The key to MFA is that it requires identifiers from different categories, so that compromising one of them (a stolen password, say) is not enough on its own. For example, when you withdraw money from an ATM, you use something you have (your ATM card or phone) together with something you know (your PIN) or something you are (biometric data) to authenticate yourself.
Common types of authenticators
Organizations that want to implement multifactor authentication can use different combinations of identifiers and authenticators. Some authenticator options are:
- One-time passwords: One-time passwords (OTPs) can be generated and sent to someone’s mobile phone via text, confirming that the person has the phone. OTPs can also be sent by email, and security tokens and authenticator apps can generate them locally on the device. (Something you have.) An OTP delivered by SMS is only as strong as the phone number it is sent to, which is why SIM swapping is discussed below.
- Knowledge-based authentication (KBA): KBA verifies identity by asking for facts that only the legitimate person should be able to supply, for example a sequence of digits from an account or payment card number. The account or card is “something you have,” but what the person actually presents is the answer, which is knowledge. (Something you know.)
- Security tokens: Physical devices that users plug into a phone or computer, or hold near it, to authenticate themselves. (Something you have.)
- Biometric scans: These can include fingerprint and face scans from a mobile device, computer or security token. (Something you are.)
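The security tokens and authenticator apps mentioned above typically generate OTPs with HOTP (RFC 4226) or TOTP (RFC 6238). The following is an added example, not Experian’s code, showing how a server generates and checks such codes; the seed is the RFC 6238 reference seed, and the account and issuer names are constructed sample values. It also shows two checks a practitioner wants: a small drift window so a slow phone clock still works, and refusal of any code at or before the last counter the user already used, so a captured OTP cannot be replayed inside that window.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation and verification.

Added example, not Experian's code. The seed below is the RFC 6238
reference seed; account and issuer names are constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to `digits` decimal digits (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, step: int = 30,
                digits: int = 6, skew: int = 1, last_counter=None):
    """Return the matching time-step counter, or None if the code is rejected.

    `skew` time steps either side of "now" tolerate clock drift.
    `last_counter` is the counter of the last code this user successfully
    used; codes at or before it are refused, which blocks replay of a
    captured OTP within the drift window. The caller stores the returned
    counter as the new `last_counter`.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = int(at_time) // step
    for counter in range(current - skew, current + skew + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time comparison so a partial match does not leak via timing.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user seed; 160 bits is the RFC 4226 recommendation for SHA-1."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI in the format authenticator apps import from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 reference seed, time 59 -> 94287082
    code = totp(seed, 59, digits=8)
    print("code:", code)
    print("accepted at t=59, counter:", verify_totp(seed, code, 59, digits=8))
    print("replay refused:", verify_totp(seed, code, 59, digits=8, last_counter=1))
    print(provisioning_uri(new_secret(), "alice@example.com", "ExampleCo"))
```

The seed is the only secret in this scheme, so it must be stored server-side with the same care as a password hash cannot provide (it has to remain recoverable), and the enrolment URI should be shown once over a trusted channel and never logged.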
Authentication vs. verification
Identity authentication and verification are both important for preventing fraud, but they’re not identical.
Identity verification establishes that a real person matches the identity they claim, by checking their identity information against an established set of criteria for eligibility. For many companies, the challenge is verifying someone’s physical identity remotely, using online identity verification methods.
Identity verification solutions can do this in various ways, and the correct approach may depend on the situation, the business’s goals and regulatory requirements. For example, a bank might verify and validate a customer’s identity by asking them to upload a copy of their driver’s license to confirm identity information, and layer in an additional MFA component by comparing it to a live feed from the person’s phone or webcam. A company selling low-cost consumer goods might not require consumers to go through such an extensive process, but it could use verification tools to confirm that a customer’s name matches the name associated with their telephone number or credit card.
Identity authentication focuses on confirming that a person has the authority to access an account, capability or service. For example, a new user might create a username and password when they create an account. They then authenticate their identity by entering the correct username and password.
Depending on the type of interaction or request, companies can require a stronger form of authentication: for example, a username and password (something they know) plus an additional layer, such as uploading a copy of their driver’s license (something they have) or entering an OTP sent to their phone (something they have).
How to build an effective MFA strategy to combat fraud
It can be challenging to keep your users — and employees — from using weak passwords. And even if you enforce strict password requirements, you can’t be sure they’re not using the same password somewhere else or accidentally falling for a phishing attack.
In short, if you want to protect users’ data (and your business) from various types of attacks, such as account takeovers and credential stuffing, you may need to require more than just a username and password to authenticate users. However, companies also need to be careful not to create so much friction that they drive away legitimate consumers.
Experian’s 2022 Global Identity and Fraud Report found that 96 percent of consumers view OTPs as a convenient MFA solution when opening a new account. An increasing number of consumers also view physical and behavioral biometrics as some of the most trustworthy recognition methods — 81 and 76 percent, respectively.
To create a low-friction MFA experience that consumers trust, you could let users choose from different MFA options to secure their accounts. You can also create step-up rules that limit MFA requests to riskier situations, such as when a user logs in from a new device or places an unusually large order.
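The step-up rules described above can be expressed as a small policy: compute risk signals from what the request looks like compared with the user’s history, and only then ask for a second factor, offering the strongest factor the user has enrolled. The following is an added example, not Experian’s product logic; the profiles, device identifiers, thresholds and factor names are constructed sample values, and a real deployment would draw them from session, device-fingerprint and order-history data.

```python
"""Risk-based step-up MFA decision.

Added example, not Experian's code. All profiles, devices and thresholds
are constructed sample values.
"""
from dataclasses import dataclass, field
from statistics import median

# Order in which enrolled second factors are offered: phishing-resistant
# hardware keys first, SMS last because it is exposed to SIM swapping.
FACTOR_PREFERENCE = ["security_key", "totp_app", "sms_otp"]


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    past_orders: list = field(default_factory=list)      # amounts, most recent last
    enrolled_factors: list = field(default_factory=list)


@dataclass
class Request:
    device_id: str
    country: str
    order_amount: float = 0.0   # 0 for a plain login with no purchase


def risk_signals(profile: UserProfile, req: Request, multiplier: float = 3.0,
                 min_history: int = 3, absolute_limit: float = 1000.0) -> list:
    """Return the names of the risk signals that fire for this request."""
    signals = []
    if req.device_id not in profile.known_devices:
        signals.append("new_device")
    if req.country not in profile.usual_countries:
        signals.append("new_country")
    if req.order_amount > 0:
        if len(profile.past_orders) >= min_history:
            # "Unusually large" is relative to this user's own typical order.
            if req.order_amount > multiplier * median(profile.past_orders):
                signals.append("unusual_order_amount")
        elif req.order_amount > absolute_limit:
            # Too little history to compare against: fall back to a fixed cap.
            signals.append("large_order_no_history")
    return signals


def decide(profile: UserProfile, req: Request) -> dict:
    """Allow silently, step up with the user's enrolled factors, or refuse
    until a second factor is enrolled when a risky request has none to use."""
    signals = risk_signals(profile, req)
    if not signals:
        return {"action": "allow", "signals": [], "factors": []}
    factors = [f for f in FACTOR_PREFERENCE if f in profile.enrolled_factors]
    if not factors:
        return {"action": "deny_require_enrollment", "signals": signals, "factors": []}
    return {"action": "step_up", "signals": signals, "factors": factors}


if __name__ == "__main__":
    alice = UserProfile(known_devices={"dev-1"}, usual_countries={"US"},
                        past_orders=[40.0, 55.0, 60.0, 52.0],
                        enrolled_factors=["sms_otp", "totp_app"])
    print(decide(alice, Request("dev-1", "US", 50.0)))    # allow
    print(decide(alice, Request("dev-9", "US")))          # step_up: new_device
    print(decide(alice, Request("dev-1", "US", 500.0)))   # step_up: unusual_order_amount
```

Returning the list of signals alongside the decision matters for operations: it is what you log for fraud review and what lets you tune thresholds later without guessing why a step-up fired.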
How does Experian power multifactor authentication?
Experian offers various identity verification and authentication solutions that organizations can use to streamline and secure their operations. With the right tools, organizations can quickly authenticate consumers with minimal friction:
- Experian’s CrossCore® Doc Capture confidently verifies identities using a fully supported end-to-end document verification service where consumers upload an image of a driver’s license, passport or similar directly from their smartphone.
- Experian’s CrossCore Doc Capture adds another layer of security to document capture with a biometric component that lets the individual upload a “selfie,” which is compared with the document image.
- Experian’s one-time password (OTP) service uses additional verification checks and identity scoring to help prevent fraudsters from using a SIM swapping attack to get past an MFA check. Before sending the OTP, we verify that the number is linked to the consumer’s name. We also review additional attributes, such as whether the number was recently ported and the account’s tenure.
- Experian’s Knowledge IQ℠ offers knowledge-based authentication (KBA) with over 70 credit- and noncredit-based questions, so you can add a further authentication step for consumers when sufficiently robust data is available to prompt a response that proves the person holds something specific, such as an account, in their possession. You can even configure it to ask questions based on your internal data, and phrase questions to match your brand’s language.