Multifactor authentication (also called MFA) is a technique that requires the use by a person or a system of a combination of at least 2 different types of authentication factors in order to gain access.

What is authentication?

Authentication is the security mechanism that regulates access control. It requires verification of the (digital) identity of a user or system through an authentication means.

Examples of multifactor authentication

Examples of multifactor authentication are:

• the combination of a password and a one-time code (token) by text message;
• the combination of a password and a smartcard;
• the use of an app or hardware token that generates changing passwords in combination with a password or PIN code.

Authentication factors

The 3 most common authentication factors are:

• Something (only) the user knows. For example, a password, a PIN code or another unique authentication code.
• Something the user has. For example, a smartcard, a token or a key. A (mobile) telephone also belongs to this category and is often used for SMS tokens.
• Something the user is. For example, biometric data, such as a fingerprint. This category also includes distinguishing products of acts, such as a signature or kinetic measurements of a keyboard.

Other authentication factors are:

• Where the user is. This authentication factor is based on a geographic determination. For example, by using the IP address.
• How the user behaves. This authentication factor is based on recognising behaviour. For example, by using a login time.

What is not a multifactor authentication?

A combination of the same type of authentication factor is not a multifactor authentication. For example, when multiple combinations of user names and passwords are necessary for gaining access. User names and passwords both fall within the ‘something the user knows’ type of authentication factor. As a result, these combinations do not qualify as multifactor authentication.

In general, the following examples are not authentication factors for the use of a computer or an application:
 

• an access pass using which access can be gained to an area to which multiple people have access;
• a unique telephone or unique computer (unless the mobile phone generates a temporary password or uses a built-in authentication factor);
• a unique IP address.

More information

• Factsheet  Use two-factor authentication of the National Cyber Security Centre.
• Dutch DPA Data breaches report 2020 (pp. 7-11).