What is Multi-Factor Authentication (MFA)?

This article was updated on April 23, 2024.

Keeping your organization and consumers safe can be challenging as cybercriminals test new attack vectors and data breaches continually expose credentials. Instead of relying solely on usernames and passwords for user identity verification, adding extra security measures like multi-factor authentication can strengthen your defense.

What is multi-factor authentication?

Multi-factor authentication, or MFA, is a method of authenticating people using more than one type of identifier. Generally, you can put these identifiers into three categories based on the type of information:

• Something a person knows: Usernames, passwords, and personal information are common examples of identifiers from this category.
• Something a person has: These could include a phone, computer, card, badge, security key, or another type of physical device that someone possesses.
• Something a person is: Also called the inherence factor, these are intrinsic behaviors or qualities, such as a person’s voice pattern, retina, or fingerprint.

The key to MFA is it requires someone to use identifiers from different categories. For example, when you withdraw money from an ATM, you’re using something you have (your ATM card or phone), and something you know (your PIN) or are (biometric data) to authenticate yourself.

Common types of authenticators

Organizations that want to implement multi-factor authentication can use different combinations of identifiers and authenticators. Some authenticator options include:

• One-time passwords: One-time passwords (OTPs) can be generated and sent to someone’s mobile phone via text to confirm the person has the phone or via email. There are also security tokens and apps that can generate OTPs for authentication. (Something you know.)
• Knowledge-based authentication: Knowledge-based authentication (KBA) identity verification leverages the ability to verify account information or a payment card, “something you have,” by confirming some sequence of numbers from the account. (Something you know.)
• Security tokens: Devices that users plug into their phone or computer, or hold near the device, to authenticate themselves. (Something you have.)
• Biometric scans: These can include fingerprint and face scans from a mobile device, computer, or security token. (Something you are.)

Why MFA is important

It can be challenging to keep your users and employees from using weak passwords. And even if you enforce strict password requirements, you can’t be sure they’re not using the same password somewhere else or accidentally falling for a phishing attack.

In short, if you want to protect users’ data and your business from various types of attacks, such as account takeover fraud, synthetic identity fraud, and credential stuffing, you’ll need to require more than a username and password to authenticate users. That’s where MFA comes in. Because it uses a combination of elements to verify a consumer’s identity, if one of the required components in a transaction is missing or supplied incorrectly, the transaction won’t proceed. As a result, you can ensure you’re interacting with legitimate consumers and protect your organization from risk.

LEARN MORE: Explore our fraud prevention solutions.

How to provide a frictionless MFA experience

While crucial to your organization, in-person and online identity verification shouldn’t create so much friction that legitimate consumers are driven away.

Experian’s 2023 U.S. Identity and Fraud Report found that 96 percent of consumers view OTPs as convenient identity verification solutions when opening a new account. An increasing number of consumers also view physical and behavioral biometrics as some of the most trustworthy recognition methods — 81 and 76 percent, respectively.

To create a low friction MFA experience that consumers trust, you could let users choose from different MFA authentication options to secure their accounts. You can also create step-up rules that limit MFA requests to riskier situations — such as when a user logs in from a new device or places an unusually large order.

To make the MFA experience even more seamless for consumers, consider adding automated identity verification (AIV) to your processes. Because AIV operates on advanced analytics and artificial intelligence, consumers can verify their identities within seconds without physical documentation, allowing for a quick, hassle-free verification experience.

How Experian powers multi-factor authentication

Experian offers various identity verification and risk-based authentication solutions that organizations can leverage to streamline and secure their operations, including:

• Experian’s CrossCore® Doc Capture confidently verifies identities using a fully supported end-to-end document verification service where consumers upload an image of a driver’s license, passport, or similar directly from their smartphone.
• Experian’s CrossCore Doc Capture adds another layer of security to document capture with a biometric component that enables the individual to upload a “selfie” that’s compared to the document image.
• Experian’s OTP service uses additional verification checks and identity scoring to help prevent fraudsters from using a SIM swapping attack to get past an MFA check. Before sending the OTP, we verify that the number is linked to the consumer’s name. We also review additional attributes, such as whether the number was recently ported and the account’s tenure.
• Experian’s Knowledge IQSM offers KBA with over 70 credit- and noncredit-based questions to help you engage in additional authentication for consumers when sufficiently robust data can be used to prompt a response that proves the person has something specific in their possession. You can even configure it to ask questions based on your internal data and phrase questions to match your brand’s language.

Learn more about how our multi-factor authentication solutions can help your organization verify consumer identities and mitigate fraud.