MFA methods
Knowledge
Knowledge—usually a password—is the most commonly used tool in MFA solutions. However, despite their simplicity, passwords have become a security problem and slow down productivity.
Users today have too many passwords; to ease their management, users create passwords that are not secure or that are used repeatedly across platforms. Another disadvantage is that the knowledge can be forgotten or, if stored somewhere, stolen.
The security question—another knowledge method in wide use but falling out of favor—requires the user to store the answer to a personal question in their profile and then enter it during login. This process is seen as onerous by many users because of the need for repeated data entry and storing and managing their answers.
The dynamic security question, which is more effective and user-friendly, typically asks for contextual information the user has access to, such as a recent financial transaction.
Physical
Physical factors—also called possession factors—use tokens, such as a USB dongle or a portable device, that generate a temporary QR (quick response) code. Mobile phones are commonly used, as they have the advantage of being readily available in most situations.
On the plus side, physical factors are outside the network and usually difficult to spoof. But devices like phones can be lost or stolen, and mobile networks can present their own security vulnerabilities.
Virtual "soft" tokens are a cookie or piece of code stored in a way that effectively turns a device into a physical token. Soft tokens may not be suitable for all users since they require software and expertise to use properly. In addition, soft tokens can be copied, which could lead to unauthorized use.
The U2F standard combines a USB or near-field communication (NFC) token with an open-standard application, providing a simple way to use additional authentication factors with platforms that support them.
Inherent
This category includes biometrics like fingerprint, face, and retina scans. As technology advances, it may also include voice ID or other behavioral inputs like keystroke metrics. Because inherent factors are reliably unique, always present, and secure, this category shows promise.
However, not all devices have the necessary software, processing power, and hardware features (such as microphones and cameras), so some users may not be able to take advantage of these advances in MFA usability and security.
Location-based and time-based
Authentication systems can use GPS coordinates, network parameters, and metadata for the network in use, and device recognition for MFA. Adaptive authentication combines these data points with historical or contextual user data.
These factors have the advantage of operating in the background, with very little input required of users, which means they don't impede productivity. However, since they require software and expertise to use, they are mostly suitable for large organizations with the resources to manage them.
Time-based one-time password (TOTP)
This is generally used in 2FA but could apply to any MFA method where a second step is introduced dynamically at login upon completing a first step. The wait for a second step—in which temporary passcodes are sent by SMS or email—is usually brief, and the process is easy to use for a wide range of users and devices. This method is currently widely used.
On the operational side, two-step authentication requires the use of software or an outside vendor to provide the service. As with the use of mobile devices as physical tokens, mobile networks can introduce their own security issues.
The security key is generally a QR code that the user scans with a mobile device to generate a series of numbers. The user then enters those numbers into the website or application to gain access. The passcodes expire after a certain period of time, and a new one will be generated the next time a user logs in to an account.
Social media
In this case a user grants permission for a website to use their social media username and password for login. This provide an easy login process, and one generally available to all users.
But social media networks are often the target of online criminals because they provide a rich source of user data. In addition, some users may have concerns about the security and privacy implications of sharing logins with social media networks.
Risk-based authentication
Sometimes called adaptive multi-factor authentication, this method combines adaptive authentication and algorithms that calculate risk and observe the context of specific login requests. The goal of this method is to reduce redundant logins and provide a more user-friendly workflow.
For users with many logins for various systems, risk-based authentication can be a key time-saver. However, it requires software that learns how users interact with a system and IT expertise to deploy and manage.
Push-based 2FA
Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security while improving ease of use. It confirms a user's identity with multiple factors of authentication that other methods cannot. Because push-based 2FA sends notifications through data networks like cellular or Wi-Fi, users must have data access on their mobile devices to use the 2FA functionality.