The Different Levels of MFA

November 10, 2021

The recent rise in online and digital security threats has given birth to a new form of authentication: Multi-Factor Authentication. Currently, there are several "factors" that a user can employ to authenticate their identity. In order of adoption and, coincidentally, level of security, the factors are typically:


  1. A Knowledge Factor. This is something you know - a username, a password, a PIN
  2. A Possession Factor. This is something you have - an SMS address, a one-time password, a hardware token
  3. An Inherence Factor. This is something you are - biometrics (fingerprint, facial recognition, voice recognition), location


Multi-Factor Authentication, as the name may suggest, employs more than one "factor" to verify a user's identity; however, as the landscape of digital security is constantly evolving, these factors once perceived as impenetrable are now perhaps not as secure as we once hoped. This exploratory piece aims to investigate the various possession factors of authentication and their respective levels of security.


SMS Authentication

Firstly, SMS authentication - also known as SMS-based Two-Factor Authentication (2FA) - allows users to verify their identity with a code that is sent via text message. However, malicious actors can easily coerce phone providers into swapping SIM cards through an attack called SIM Hijacking. Once this is achieved, the actor can request password resets and direct the relevant traffic to your SIM card ... which is now in their phone. This effectively gives the actor full access to any of your services which use SMS 2FA to authenticate users. SMS 2FA is therefore considered a weak form of verification and should be avoided if possible.


One Time Password (OTP)

Another commonly used possession factor is the One Time Password, or OTP, protocol. Various companies provide OTP services, including Google (Google Authenticator), Microsoft (Microsoft Authenticator), and Duo Security. These services implement a time-based OTP algorithm which, upon request from an online service, will send a notification to your phone containing a one time password. Typically, this password is only valid for 60 seconds, which decreases the likelihood of an unwanted user accessing your service. Unfortunately, this method is likewise not as secure as hoped. Although convenient, the OTP process of authentication is vulnerable and susceptible to online identity theft. Social engineering attacks such as phishing can give malicious actors access to your mobile device. Even leaving your device unattended and unprotected can easily afford actors access to your notifications and, subsequently, your one time passwords.

Hardware Token

Hardware tokens are arguably the most secure mode of possession factor authentication. Put simply, hardware tokens are small physical devices which can authenticate the user to a specific network or service. Most hardware tokens, similar to a mobile device with an OTP service installed, generate a one time password on request. The biggest difference is that a hardware token is a lot harder to forge compared to a software token. Software tokens, such as Google Authenticator, are essentially only as secure as the phone on which the service is installed. This means if the mobile device is compromised, so are the one time passwords. A physical hardware token can only be compromised if it is physically stolen or destroyed. Yubico's Yubikey is one example of a hardware token: it is a small USB device which can be inserted into a computer and, upon a physical touch, will authenticate the user. The Yubikey and similar devices are the best choices to perform possession factor authentication.
