While using digital services, you will eventually need to set up multi-factor authentication (MFA). MFA has become a standard way of protecting online accounts and confirming digital identity For example, you may have needed to set up MFA while accessing a bank account or secure workplace login.
MFA is a security procedure that safeguards digital accounts. With MFA, a user must authenticate their ownership of the account every time they return to a site by providing login credentials in addition to their password. For logins and accounts that contain financial info or important information, MFA is a critical step to prevent identity fraud or data theft.
Those login credentials are called authenticators. An MFA system requires two or more authenticators to confirm the user is who they say they are. When only two authenticators are used, MFA may sometimes be referred to as two-factor authentication (2FA).
By adding multiple layers of security from different authenticator categories, multi-factor authentication increases confidence that the user accessing the account is the same person who created it.
Authenticators come in different categories: something you know (e.g. password, date of birth), something you have (e.g. a smartphone, hardware token), and something you are (e.g. your fingerprint, your face). Under MFA and 2FA, the authenticators must be from different categories.
Once an individual presents these pieces of evidence, they will be admitted to their account, thus protecting organizations from fraud and safeguarding users’ data. Multi-factor authentication is already standard practice for performing secure online financial transactions and accessing confidential information. However, MFA should be considered for any other digital accounts that hold privileged data, including social media and e-commerce websites.
Common Authenticators:
| SMS text message or phone call | User enters a six-digit verification code sent via text or call. This is sometimes not safe for higher levels of authentication, such as DEA EPCS authentication. |
| Knowledge-based authentication | Users set up a secret that only they know the answer to, such as a PIN number or password. When answered correctly, the user gains access. |
| Push Notification | User approves sign-ins via push notifications sent to an authentication app. |
| Code Generator | User receives and enters generated codes via apps like ID.me Authenticator or Google Authenticator. |
| Hardware Token | User can use a physical token, often a USB, to prove their identity. |
| Software Token | User can use a software key, such as Mobile YubiKey, to prove their identity. |
| Location-based Factors | In recent cases, a new verification method based on a user’s GPS location can be used to authenticate. |
Depending on the security level your organization requires, some of these options may be more suitable than others. For example, SMS texts are less secure than code generators. More valuable data should have higher standards for MFA authenticators.
How ID.me Can Help with Multi-factor Authentication
ID.me offers MFA for businesses and governments to secure login systems. In addition, our identity verification services are secured by multiple forms of MFA as part of our compliance with NIST standards.
We can develop solutions that leverage the following systems:
- Code Generator Apps (with ID.me’s own Authenticator app or other common MFA options)
- Native App Push Notifications
- SMS one-time passwords
- Landline one-time passwords
- FIDO U2F Security Keys
- Software Tokens
ID.me has set up accounts with MFA for 25 state workforce agencies, the Department of Veterans Affairs, the Social Security Administration, and several large corporations.
Please contact an ID.me representative to learn more or see ID.me’s work in action by contacting us on our sales demo page.
