
Multi-factor authentication

Multi-factor authentication (MFA) is an authentication process that requires users to provide two or more distinct verification factors to confirm their identity before accessing a resource, such as an online account, application, or network. These factors are categorized into three primary types: something you know (e.g., a password or PIN), something you have (e.g., a hardware token, smartphone, or smart card), and something you are (e.g., a biometric identifier like a fingerprint or facial recognition). By combining multiple factors, MFA ensures that even if one element, such as a password, is compromised, unauthorized access remains difficult without the additional verifiers.

MFA serves as a critical layer in cybersecurity defenses, significantly reducing the risk of account takeovers from common threats like phishing, credential stuffing, and brute-force attacks. Research indicates that accounts protected by MFA are over 99.9% less likely to be compromised by identity-related attacks. Organizations such as the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP) strongly recommend MFA as a foundational control for securing user accounts, particularly for sensitive systems handling personal or financial data.

Common MFA implementations include one-time passcodes sent via SMS or email, time-based codes generated by authenticator apps, push notifications to mobile devices, and phishing-resistant methods such as hardware security keys compliant with the FIDO2 standard. While MFA adds friction to the login process, its adoption has grown rapidly across consumer, enterprise, and government systems to counter evolving cyber threats.

Fundamentals

Definition and Principles

Multi-factor authentication (MFA) is a security process in which a user's identity is verified by requiring the presentation of two or more distinct authentication factors, drawn from categories such as knowledge (something you know, like a password or PIN), possession (something you have, like a hardware token or smartphone), inherence (something you are, like a biometric trait such as a fingerprint), and, in some frameworks, location (somewhere you are, such as a specific geolocation or network). This approach ensures that authentication relies on independent credentials that are difficult for an attacker to compromise simultaneously, thereby strengthening access controls to systems, applications, and sensitive data.

The foundational principles of MFA center on layered defense, where multiple verification steps create redundant barriers against unauthorized access, making it substantially harder for adversaries to succeed even if one factor is breached. For instance, a common combination pairs a knowledge factor like a password with a possession factor such as a one-time code generated by an authenticator app, so that knowledge of the password alone is insufficient for entry. By design, MFA mitigates the risks of single-factor vulnerabilities, particularly password compromise through phishing, brute-force attacks, or credential stuffing, because the additional factor provides a second line of defense. The factors must be genuinely independent: a one-time code delivered to the same device that stores the password, or a password manager that also holds the TOTP seed, weakens that guarantee.

MFA encompasses and extends beyond two-factor authentication (2FA), a specific subset requiring exactly two factors, by allowing three or more to achieve higher assurance levels in sensitive environments. Increasing the number and diversity of factors reduces the attack surface and promotes defense in depth without relying solely on any single credential.

Historical Development

The roots of multi-factor authentication (MFA) emerged in the 1980s within enterprise and banking systems, where physical tokens were introduced to supplement passwords and address vulnerabilities in single-factor methods. A pivotal milestone was the launch of Security Dynamics' SecurID hardware token, which generated time-based one-time passwords (OTPs) to verify users through a combination of a PIN (something known) and the device (something possessed), marking one of the first commercial MFA solutions widely adopted in secure environments like finance and defense. These early implementations laid the groundwork for layered security, responding to the increasing exposure of sensitive data on networked systems.

During the 1990s, MFA expanded through challenge-response protocols that enabled servers to issue dynamic queries, with users responding via tokens or cryptographic computations to prove possession without transmitting static secrets; this lineage includes the S/KEY one-time password system developed at Bellcore in 1989. This period also saw the rise of biometrics as an inherence factor, with fingerprint and facial recognition technologies advancing rapidly due to improved algorithms and hardware, enabling automated identity verification in access control systems. Patents filed in 1995 further formalized these multi-factor approaches, integrating them into emerging network infrastructures.

The 2000s brought a transition to software tokens and mobile integration, facilitated by widespread smartphone adoption and heightened security needs that accelerated MFA deployment in government and financial sectors. SMS-delivered OTPs and early authenticator apps reduced dependency on physical hardware, broadening accessibility while introducing new attack vectors such as SIM swapping. In the 2010s, standardization gained momentum with the FIDO Alliance's formation in July 2012, which developed open protocols like U2F and FIDO2 to promote phishing-resistant MFA across devices and services.

The Yahoo data breaches of 2013 and 2014, announced in 2016, which compromised over three billion accounts and were attributed in part to the absence of default MFA, intensified regulatory and corporate mandates for its implementation. By 2025, MFA trends have shifted toward passwordless models, incorporating passkeys, biometrics, and device-bound authenticators to streamline verification and block 99.9% of account takeover attempts, as organizations prioritize user-friendly defenses against AI-driven attacks.

Types of Authentication Factors

Knowledge Factors

Knowledge factors, often referred to as "something you know," form the foundational category of authentication methods in multi-factor authentication (MFA) systems, relying on information that only the legitimate user is presumed to possess and recall. These factors verify identity through mental recall rather than physical possession or inherent traits, making them the core of single-factor setups like traditional password logins and a building block when layered with other factors in MFA.

Common examples include static passwords, alphanumeric strings chosen by the user; personal identification numbers (PINs), typically short numeric sequences; security questions or challenge responses, such as "What is your mother's maiden name?"; and passphrases, longer mnemonic phrases designed for better memorability and resistance to brute-force attacks. Device-specific variants like pattern locks on smartphones, where users trace a predefined shape on a touchscreen, also qualify as knowledge factors since they depend on a recalled sequence rather than an external device. One-time passcodes derived from user knowledge, such as those computed in challenge-response protocols where the user applies a shared secret to a challenge, are a less common subset aimed at adding temporality to static secrets.

Knowledge factors offer notable strengths: low implementation cost, since they require no hardware or infrastructure beyond standard input interfaces, and ease of use, because users are already familiar with password entry. These attributes contribute to high user acceptance in both consumer and enterprise environments, facilitating broad adoption without specialized training.

However, they are inherently susceptible to social engineering, where adversaries trick users into revealing secrets through phishing or pretexting; keylogging malware that captures keystrokes; and brute-force, dictionary, and credential-stuffing attacks that exploit weak or reused credentials. Pre-registered knowledge-based authentication (KBA) systems, such as static security questions, amplify these risks by relying on semi-public personal details easily gleaned from data breaches or social media, which is why modern standards such as NIST SP 800-63B deprecate them as authenticators.

The evolution of knowledge factors traces back to the 1960s with the advent of simple passwords for time-sharing systems on mainframes such as MIT's CTSS, followed in the 1970s by Unix's introduction of hashed password storage to mitigate offline attacks. By the 1980s and 1990s, password-cracking incidents prompted enhancements like salting and shadow password files, while the spread of the web standardized form-based entry but highlighted password reuse. This progression culminated in KBA systems in the 2000s that shifted from basic passwords to dynamic or contextual questions to counter predictability, though persistent data leaks have driven ongoing refinement toward integration in MFA frameworks rather than standalone use.

Possession Factors

Possession factors, often described as "something you have," are authenticators that a user physically or digitally controls and must demonstrate control of during multi-factor authentication (MFA). These factors rely on the user's access to a specific device or application that generates or receives credentials, such as cryptographic proofs or temporary codes, through secure protocols. According to NIST guidelines, possession-based authenticators include hardware and software authenticators that require the user to prove possession through a challenge-response exchange or one-time code generation.

Common examples encompass hardware tokens like key fobs, smart cards, and USB security keys, which connect via USB, NFC, or Lightning and provide cryptographic authentication without transmitting secrets over the network. Software-based options include authenticator apps (for example, those implementing TOTP) installed on mobile devices, as well as out-of-band methods like SMS-based one-time passwords (OTPs) sent to a registered phone or email verification links delivered to a controlled inbox. These software tokens run on user-controlled devices, generating codes locally or receiving them over a separate channel to demonstrate possession.

A key technical element of many possession factors, particularly software tokens, is the time-based one-time password (TOTP), which extends the HMAC-based one-time password (HOTP) algorithm by using the current time as the dynamic input. TOTP combines a shared secret key, pre-established between the user's device and the verifier, with the current time step (typically 30 seconds) to produce a short-lived code via HMAC (SHA-1 by default, with SHA-256 and SHA-512 permitted), so that the secret itself is never transmitted after enrollment. This approach, standardized in RFC 6238, allows portable, time-synchronized verification across devices. Note that the verifier must hold the same secret, so a breach of the server's database exposes every user's TOTP seed; this is one reason public-key authenticators such as FIDO2 security keys are preferred where available.

Possession factors offer high portability, letting users carry compact hardware tokens or authenticator apps on everyday devices like smartphones without relying on fixed infrastructure. However, they carry risks including loss or theft of the physical item, which could allow an attacker to attempt unauthorized access if the authenticator is not promptly revoked, and dependency on device availability or network connectivity for delivery. In basic MFA setups, possession factors are typically paired with a knowledge factor, such as a password, so that both must be demonstrated.

Inherence Factors

Inherence factors, commonly known as "something you are" in multi-factor authentication frameworks, verify user identity through inherent physical or behavioral traits that are unique and difficult to replicate. These encompass physiological characteristics, such as fingerprints, facial geometry, iris patterns, and voice characteristics, as well as behavioral patterns like keystroke dynamics or signature analysis. Unlike knowledge or possession factors, inherence relies on immutable or slowly changing attributes tied directly to the individual, making it a robust layer when integrated into authentication protocols.

Key technologies enabling inherence factors include optical and capacitive scanners for fingerprints, depth-sensing cameras for facial recognition, and infrared imagers for iris scans, which capture trait-specific features and compare them against enrolled templates. Voice recognition systems analyze pitch patterns and cadence, while behavioral biometrics monitor dynamic inputs like mouse movements or gait via sensors. To improve reliability, multimodal approaches fuse several biometric modalities, such as fingerprints with iris scans, yielding measurable accuracy gains and lower error rates than single-modality systems when evaluated under standardized frameworks that prioritize low error rates for high-security contexts.

Practical implementations highlight the role of inherence factors in consumer and enterprise authentication. Apple's Face ID employs a TrueDepth camera system for facial recognition, achieving high precision through dot projection and infrared sensing to distinguish live users. Similarly, Microsoft's Windows Hello integrates facial recognition via near-infrared cameras and fingerprint sensors, supporting seamless device unlock while adhering to platform security standards. These examples show how inherence factors improve user convenience without compromising verification integrity. In device-based implementations such as these, the biometric match only unlocks a device-bound key; the server never receives the biometric itself, so the assurance it obtains is that of the possession factor the biometric protects.

Despite their strengths, inherence factors are susceptible to presentation (spoofing) attacks, such as printed photos or 3D masks shown to a facial recognition system, which can defeat basic liveness detection. Physiological changes from aging, injury, or environmental factors further complicate accuracy, as traits like facial structure or fingerprints may change over time, necessitating periodic re-enrollment. Countermeasures, including liveness checks via micro-movements or thermal imaging, address these vulnerabilities but add computational overhead.

Privacy issues are paramount with inherence factors, because biometric data cannot be changed if compromised, unlike passwords. Storing raw biometric samples risks permanent identity exposure, whereas hashed or cancelable templates, mathematically transformed to be non-invertible, preserve matching utility while thwarting reconstruction attacks. Standards like ISO/IEC 24745 recommend such protections to ensure irreversibility and unlinkability across systems, and implementations such as Apple's Face ID store encrypted templates locally in a secure hardware enclave to avoid the risks of centralized biometric databases.

Location Factors

Location factors in multi-factor authentication, sometimes described as "somewhere you are," verify a user's identity by assessing their physical or network position using technologies such as GPS, IP geolocation, Wi-Fi triangulation, or cellular tower data. However, standards like NIST SP 800-63 recognize only three primary authentication factors and treat location as a contextual signal for risk-based authentication rather than as a distinct factor. These methods establish a baseline of expected locations, enabling systems to authenticate or flag access attempts accordingly.

In practice, location factors support risk-based authentication by denying or challenging logins from anomalous positions, such as when a banking application blocks access from an unfamiliar foreign IP address that deviates from the user's typical geographic pattern. Online services often integrate IP geolocation to trigger additional verification if a login originates outside a predefined home country, reducing unauthorized access without constant user intervention. Accuracy varies significantly across methods: GPS offers precision of roughly ±5 meters under optimal conditions, while IP geolocation typically provides coarser estimates with radii of ±50 kilometers or more, especially in rural areas. This disparity arises because IP addresses are assigned to networks rather than individuals, so pinpointing a user's exact location is error-prone. Furthermore, virtual private networks (VPNs) and proxies mask true locations by routing traffic through remote servers, and a client-reported GPS position is only as trustworthy as the client, so location checks should be treated as signals that raise or lower risk rather than as an authenticator in their own right.

In enterprise environments, location signals enable geo-fencing for access control, where virtual boundaries define trusted zones to restrict sensitive resource access, such as limiting VPN connections to corporate offices or approved regions. Conditional access policies in identity management systems allow administrators to enforce geo-fencing rules, automatically requiring heightened authentication outside designated areas. This approach strengthens overall multi-factor authentication by layering location context with knowledge- or possession-based factors.

Implementation Methods

Hardware-Based Methods

Hardware-based methods for multi-factor authentication rely on dedicated physical devices that serve as possession factors, providing a tangible "something you have" to verify user identity beyond passwords or PINs. These devices generate or store authentication credentials securely, often using cryptographic protocols to resist cloning or replication, and are particularly suited to environments requiring robust, tamper-evident security.

Common types include smart cards, USB tokens such as Universal 2nd Factor (U2F) keys, RFID badges, and hardware one-time password (OTP) generators. Smart cards compliant with standards like NIST SP 800-73 integrate microprocessors that store digital certificates and perform cryptographic operations for authentication in physical and logical access control. USB tokens like U2F keys connect via USB to authenticate users with public-key cryptography, enabling phishing-resistant second-factor verification without transmitting shared secrets. RFID badges provide proximity-based authentication by transmitting identifiers when scanned, commonly for physical access but extensible to network logins in enterprise settings; many badge systems transmit a static identifier that can be cloned, so they add real assurance only when the card performs a cryptographic challenge-response. Hardware OTP generators produce time- or event-based codes on a built-in display, serving as standalone authenticators without network connectivity.

These devices support standardized protocols, notably those from the Open Authentication (OATH) initiative: HOTP for event-based OTP generation using an HMAC over a counter per RFC 4226, and TOTP for time-based OTPs synchronized via shared secrets as defined in RFC 6238. FIDO U2F tokens adhere to the FIDO Alliance's protocol, employing challenge-response signatures that bind credentials to the origin that registered them, so a credential registered with the genuine site cannot be exercised by a look-alike phishing site or a relaying proxy.

In deployment, hardware-based methods are prevalent in high-security enterprise and government environments, such as U.S. Department of Defense systems, where FIPS-validated tokens integrate with identity providers to meet AAL2 or AAL3 under NIST SP 800-63-3. NIST SP 800-63B likewise requires a hardware-based cryptographic authenticator at AAL3, emphasizing the role of such tokens in federal compliance. Advantages include offline operation, since tokens function without network connectivity, and tamper resistance through secure elements that erase keys on physical intrusion. Drawbacks include higher upfront procurement and distribution costs, and the inconvenience of carrying a physical item that can be lost or damaged. Specific design elements address longevity and security; for instance, OTP generators like the FortiToken 210 use non-rechargeable batteries with a minimum 3-year lifespan, include indicators for remaining power, and ship in tamper-evident packaging, while devices such as Protectimus TWO tokens offer 3 to 5 years of life under normal use, prioritizing reliability in disconnected operation.

Software and Mobile-Based Methods

Software and mobile-based methods of multi-factor authentication (MFA) rely on applications and network-delivered mechanisms to verify that the user possesses a second factor, typically a smartphone or dedicated software. These approaches prioritize convenience and scalability, allowing users to authenticate via apps installed on personal devices or through short message service (SMS) and voice channels. Common implementations include time-based one-time password (TOTP) generators in authenticator apps, push notifications for approval-based verification, and one-time passwords (OTPs) sent via SMS or voice calls.

Authenticator apps generate TOTP codes locally on the user's device without requiring network connectivity for code production. These apps implement the TOTP algorithm, which produces a six- to eight-digit code valid for a short window, typically 30 seconds, based on a shared secret key provisioned during enrollment. Users scan a QR code containing the secret to set up the app, after which it independently computes codes matching those generated by the service provider. Push notification methods, exemplified by Cisco Duo's Duo Push, send real-time approval requests to a companion mobile app, where users confirm attempts with a tap or biometric gesture, improving usability over code entry; number matching, where the user types a number shown on the login screen into the app, is the usual defence against blind approval of prompts the user did not initiate. SMS and voice OTPs deliver codes directly to the user's registered phone number or via automated calls, though these are increasingly discouraged due to their security limitations.

The core algorithm for many authenticator apps is TOTP, standardized in RFC 6238 as an extension of HOTP that uses time as the moving factor. The TOTP value is computed as

\text{TOTP}(K, T) = \text{HOTP}(K, T)

where K is the shared secret between client and server, and T is the time step counter

T = \left\lfloor \frac{\text{current Unix time} - T_0}{X} \right\rfloor

Here T_0 is the start of the epoch (default 0, i.e. 1 January 1970 UTC) and X is the time step in seconds (default 30). HOTP itself applies HMAC-SHA1 to the secret K and the moving factor (a counter for HOTP, T for TOTP), then truncates the result to a short numeric code. Time synchronization is critical, since the authenticator app and the verifying server must derive the same T; discrepancies arise from clock drift, so servers typically accept codes within a tolerance of one or two steps (±30 or ±60 seconds) to accommodate minor desynchronization without weakening security. A verifier should also remember the last step it accepted for a user and refuse that step again, otherwise a code captured by a phishing proxy can be replayed within the same window.

On mobile devices, these methods integrate with hardware-backed security features to protect secrets and computations. For instance, Android's Trusted Execution Environment (TEE), implemented via Trusty OS, can isolate sensitive operations like key storage from the main operating system, using hardware-enforced isolation to hinder extraction of the secret even if the device is compromised. Similar protection exists on iOS through the Secure Enclave. However, mobile-based MFA introduces risks such as SIM swapping, where attackers socially engineer mobile carriers to port a victim's phone number to a new SIM, intercepting SMS or voice OTPs and bypassing possession verification. App-based methods avoid network delivery of the code, but remain vulnerable if the user is phished in real time or the device is compromised by malware. By 2025, over 95% of MFA users have adopted software solutions like mobile apps, reflecting their dominance in implementations due to ease of deployment and high user acceptance across consumer and enterprise settings.
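A worked implementation of the HOTP and TOTP computations described above (and in the Possession Factors section), added here as an example; it is not code from the page or from any authenticator product. It reproduces the RFC 4226 and RFC 6238 Appendix B test vectors and shows the verifier-side checks the text calls for: a drift window, a constant-time comparison, and tracking of the last accepted step so a captured code cannot be replayed. The function names and the window and replay handling are this example's own; the secret is the RFC test-vector secret, not a real key.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 4226 / RFC 6238 Appendix B test vectors
# (the ASCII string "12345678901234567890"). A real deployment provisions a
# random secret per user at enrollment and shows it once, e.g. as a QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then reduction modulo 10^digits with zero padding."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_step(unix_time: int, step: int = 30, t0: int = 0) -> int:
    """RFC 6238 time step counter T = floor((now - T0) / X)."""
    return (unix_time - t0) // step


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         t0: int = 0, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """TOTP(K, T) = HOTP(K, T) with the current time step as the moving factor."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, totp_step(unix_time, step, t0), digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_accepted_step: Optional[int] = None) -> Optional[int]:
    """Server-side check tolerating clock drift of +/- `window` steps.

    Returns the step the code matched, or None. The caller must persist the
    returned step and pass it back as `last_accepted_step`: a step that has
    already been accepted (or any earlier one) is never accepted again, which
    stops replay of an intercepted code inside its validity window.
    """
    base = totp_step(unix_time, step)
    for delta in range(-window, window + 1):
        candidate = base + delta
        if last_accepted_step is not None and candidate <= last_accepted_step:
            continue
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))               # 755224 per RFC 4226
    print("TOTP at t=59 :", totp(RFC_TEST_SECRET, 59, digits=8))     # 94287082 per RFC 6238
    print("TOTP now     :", totp(RFC_TEST_SECRET))
```

The RFC vectors make the implementation self-checking: the 8-digit TOTP at t=59 (step 1) ends in the 6-digit HOTP for counter 1, because both are the same HMAC truncated to different lengths.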

Biometric Integration

Biometric integration in multi-factor authentication (MFA) systems uses inherence factors, physiological or behavioral traits unique to an individual, to strengthen security by verifying identity through biological characteristics. Integration can be sequential or simultaneous. In sequential approaches, verification occurs in stages, such as requiring a fingerprint scan after entering a password or PIN, allowing systems to validate factors progressively while maintaining user flow. Simultaneous methods, often involving multimodal biometrics, combine several biometric inputs, like facial recognition and voice analysis, processed concurrently to achieve higher accuracy through complementary data sources.

Key technologies in biometric MFA include liveness detection to counter spoofing attacks, in which fake representations such as photos or masks attempt to deceive the sensor. For instance, 3D mapping in facial recognition uses depth sensors to analyze facial contours and detect depth, ensuring the presented biometric originates from a live face rather than a flat image. Performance metrics are critical for evaluating these systems: the false rejection rate (FRR), the percentage of legitimate users incorrectly denied access, typically ranges from 1% to 5% in deployed implementations, and it trades off against the false acceptance rate (FAR), the percentage of impostors wrongly accepted, as the decision threshold moves. Raising the threshold lowers FAR at the cost of FRR, so the operating point is a usability-versus-security decision.

Practical examples of biometric MFA include passwordless systems like Windows Hello, which combines a PIN with biometric options such as facial recognition or fingerprint scanning to authenticate users without traditional passwords. However, accuracy can vary across populations; for example, some facial recognition systems exhibit higher error rates for individuals with darker skin tones due to biases in training data. Hardware for biometric integration includes sensors embedded in smartphones, such as fingerprint readers and front-facing cameras for facial or iris scanning, enabling seamless MFA on personal devices, while dedicated readers, like standalone fingerprint or iris scanners, are used in enterprise settings that require robust authentication independent of the user's personal device.
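The FAR/FRR trade-off just described, computed over constructed match scores. This is an added example, not code from the page or from any biometric vendor: the two score lists and the 0-to-1 similarity scale are made up for illustration, and the function names are this example's own. It sweeps the decision threshold and reports the equal error point, which is how a practitioner picks an operating point for a matcher.

```python
from typing import Sequence, Tuple

# Constructed similarity scores in [0, 1], for illustration only: "genuine"
# are comparisons of a user against their own enrolled template, "impostor"
# are comparisons against other people's templates.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.86, 0.93, 0.84, 0.79,
                  0.89, 0.91, 0.72, 0.87, 0.94, 0.83, 0.80, 0.96, 0.85, 0.78]
IMPOSTOR_SCORES = [0.31, 0.45, 0.52, 0.28, 0.61, 0.39, 0.47, 0.55, 0.33, 0.70,
                   0.42, 0.36, 0.58, 0.49, 0.25, 0.63, 0.41, 0.74, 0.38, 0.50]


def accept(score: float, threshold: float) -> bool:
    """Matcher decision: a comparison is accepted when its score reaches the threshold."""
    return score >= threshold


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False rejection rate: share of legitimate comparisons wrongly rejected."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def far(impostor: Sequence[float], threshold: float) -> float:
    """False acceptance rate: share of impostor comparisons wrongly accepted."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """(FAR, FRR) at one threshold."""
    return far(impostor, threshold), frr(genuine, threshold)


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          steps: int = 100) -> Tuple[float, float, float]:
    """Sweep thresholds and return (threshold, FAR, FRR) where FAR and FRR are
    closest; on ties the lowest threshold wins, i.e. the most permissive point."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = error_rates(genuine, impostor, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


if __name__ == "__main__":
    for t in (0.70, 0.75, 0.80):
        a, r = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}: FAR {a:.1%}  FRR {r:.1%}")
    print("equal error point (threshold, FAR, FRR):",
          equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

On these constructed scores a threshold of 0.75 gives FAR 0% and FRR 5%, while 0.80 pushes FRR to 20% for no further FAR gain; a high-security deployment would still choose a threshold above the equal error point and accept the extra rejections.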

Hybrid Approaches

Hybrid approaches in multi-factor authentication (MFA) integrate multiple factor types (knowledge, possession, inherence, and location) into dynamic systems that adapt to contextual risk or user behavior, enhancing security beyond static combinations. These methods evaluate signals like transaction value, device reputation, or geolocation to determine the appropriate authentication strength, often stepping up factors only when necessary. For instance, risk-based triggers in payment platforms assess fraud indicators and enforce additional factors for high-risk activities, such as transactions exceeding $25 or anomalous user behavior.

Adaptive MFA exemplifies this by dynamically adjusting authentication requirements based on a computed risk score, adding factors like hardware tokens or biometrics to a password only for elevated threats. In such systems, a risk engine analyzes elements including IP address, device fingerprint, and behavioral patterns to trigger secondary factors, such as FIDO Universal Second Factor (U2F) via a security key for suspicious logins. This reduces unnecessary prompts for low-risk access while maintaining robust verification for sensitive operations.

Continuous authentication using behavioral biometrics extends hybrid methods by providing ongoing verification throughout a session, rather than a one-time check at login. Techniques like keystroke dynamics, touch patterns on mobile devices, or mouse movements generate user-specific profiles analyzed via machine learning algorithms, such as support vector machines or neural networks, to detect deviations in real time. For example, systems monitor gait via smartphone accelerometers or typing rhythm in text inputs, achieving accuracies up to 94% in some implementations while passively confirming identity without user intervention.

In zero-trust models, hybrid approaches combine knowledge, possession, and location factors through adaptive policies that enforce continuous verification regardless of network location. Okta's implementation, for instance, uses context-aware MFA to assess user behavior, device health, and geolocation before granting access, aligning with the "never trust, always verify" principle. This setup protects against credential theft by requiring layered factors, such as a password plus a possession-based token, only when risk signals warrant it.

These hybrid methods reduce user friction, through seamless behavioral monitoring or conditional prompts, while upholding security against evolving threats, with studies reporting up to 20% higher success rates in login flows compared to traditional passwords. Challenges include increased latency from real-time processing and privacy concerns from continuous monitoring of behaviors like touch dynamics. A further caution is that an adaptive engine is only as good as its signals: an attacker who has already compromised the user's device, or who relays the session through the victim's own network, presents low-risk context and may never be stepped up.

Emerging passwordless hybrids, such as those enabled by the FIDO2 standard, replace passwords with cryptographic passkeys stored on devices, combined with biometric or PIN verification for multi-factor assurance. FIDO2 integrates WebAuthn for browser-based authentication and the Client-to-Authenticator Protocol (CTAP) for device interactions, supporting hybrid setups like cross-device sign-ins via proximity checks that blend possession and inherence factors. The standard facilitates phishing-resistant, passwordless experiences in zero-trust environments, with adoption driven by its open, license-free framework developed by the FIDO Alliance.
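A small risk engine of the kind described above and in the Location Factors section, added here as an example (it is not Okta's code, nor code from the page). It scores a login from independent signals (country outside the user's home set, unrecognised device, hosting/VPN exit address, and impossible travel computed from the previous login) and maps the score to a step-up policy with a geofence for privileged access. The weights, thresholds, field names and sample logins are constructed for illustration; a production engine would tune them against real fraud data.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    """One login attempt as the engine sees it (constructed fields)."""
    user: str
    unix_time: int
    country: str          # from IP geolocation; coarse, and a VPN can mask it
    lat: float
    lon: float
    device_id: str        # device fingerprint / registered device identifier
    ip_kind: str          # "residential" or "hosting" (VPN/proxy/cloud exit)


@dataclass
class UserProfile:
    home_countries: Set[str]
    known_devices: Set[str]
    last_login: Optional[LoginEvent] = None


# Constructed policy: geofence for privileged access and a travel-speed bound.
TRUSTED_COUNTRIES_FOR_ADMIN = {"US", "CA"}
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner speed; faster means two places at once


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def risk_score(profile: UserProfile, ev: LoginEvent) -> Tuple[int, List[str]]:
    """Additive score from independent signals; reasons are kept for the audit log."""
    score, reasons = 0, []
    if ev.country not in profile.home_countries:
        score += 40
        reasons.append(f"country {ev.country} outside home set")
    if ev.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if ev.ip_kind == "hosting":
        score += 20
        reasons.append("hosting/VPN exit IP, geolocation unreliable")
    prev = profile.last_login
    if prev is not None and ev.unix_time > prev.unix_time:
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        hours = (ev.unix_time - prev.unix_time) / 3600
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return score, reasons


def required_factors(score: int, privileged: bool, country: str) -> List[str]:
    """Step-up policy: more assurance as risk rises; the geofence hard-blocks admin access."""
    if privileged and country not in TRUSTED_COUNTRIES_FOR_ADMIN:
        return ["deny"]
    if score >= 150:
        return ["deny"]
    if score >= 70:
        return ["password", "fido2_security_key"]
    if score >= 30:
        return ["password", "totp"]
    return ["password"]


def evaluate(profile: UserProfile, ev: LoginEvent,
             privileged: bool = False) -> Tuple[int, List[str], List[str]]:
    score, reasons = risk_score(profile, ev)
    return score, required_factors(score, privileged, ev.country), reasons


if __name__ == "__main__":
    # Constructed history: alice last logged in from New York on her laptop.
    alice = UserProfile({"US"}, {"laptop-1"},
                        LoginEvent("alice", 1_700_000_000, "US", 40.71, -74.01, "laptop-1", "residential"))
    an_hour_later = 1_700_003_600
    for ev in (LoginEvent("alice", an_hour_later, "US", 40.71, -74.01, "laptop-1", "residential"),
               LoginEvent("alice", an_hour_later, "US", 40.71, -74.01, "tablet-2", "residential"),
               LoginEvent("alice", an_hour_later, "DE", 52.52, 13.40, "phone-9", "residential")):
        print(evaluate(alice, ev))
```

The third sample login, from Berlin one hour after New York on an unknown device, scores 120 and is stepped up to a security key; the same login for a privileged role is denied outright by the geofence regardless of score.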

Security Considerations

Advantages and Effectiveness

Multi-factor authentication (MFA) significantly strengthens security posture by requiring multiple authentication methods, thereby mitigating the risk of compromised credentials. A large-scale study found that MFA reduces the overall risk of account compromise by 99.22 percent across the population and by 98.56 percent for accounts with leaked credentials. Furthermore, more than 99.9 percent of compromised accounts lacked MFA, demonstrating its role in blocking the vast majority of automated attacks, including account takeovers.

MFA is highly effective against phishing because it requires additional factors that attackers cannot obtain from a single interaction, such as a one-time code or biometric scan; real-time proxy phishing can still relay OTPs, so only phishing-resistant methods such as FIDO2 close that gap entirely. The same analysis showed that MFA-protected accounts experienced a 98.6 percent prevention rate against attacks on leaked credentials, underscoring its value in layered defenses. Similarly, for credential stuffing, where stolen username-password pairs are tested across services, MFA acts as the primary barrier, invalidating access even with correct initial credentials. The OWASP Foundation identifies MFA as the most robust defense against such attacks, far surpassing password-only measures.

From a return-on-investment perspective, MFA delivers measurable savings by averting costly data breaches. The IBM Cost of a Data Breach Report 2025 reported a global average breach cost of $4.44 million (as of August 2025), with credential-related incidents among the most expensive; organizations deploying MFA can avoid many such events, yielding substantial financial benefit. Beyond direct security gains, MFA supports regulatory compliance and fosters user confidence. NIST Special Publication 800-63 requires MFA for authenticator assurance levels 2 and 3, ensuring robust identity verification in federal and commercial systems.
Implementation also enhances user trust, as a study on FinTech platforms revealed increased perceptions of security and reliability following MFA rollout, with users reporting higher confidence in data protection.

Vulnerabilities and Attacks

Multi-factor authentication (MFA) systems, while more secure than single-factor authentication by requiring multiple verification methods, shift the rather than eliminating it entirely, exposing users to sophisticated exploits targeting each factor. In single-factor setups reliant solely on passwords, attackers focus on credential theft via or ; MFA forces adversaries to compromise additional elements like or factors, but this often leads to targeted social engineering or bypasses. One common vulnerability involves man-in-the-middle (MITM) attacks on one-time passwords (OTPs), where attackers intercept communication between the user and service during transmission, capturing the temporary code without alerting the victim. For instance, in real-time phishing kits like Evilginx, the attacker proxies the to relay credentials and OTPs to the legitimate site, bypassing MFA checks seamlessly. SIM swapping poses a significant to mobile-based MFA, particularly SMS or app notifications, as attackers socially engineer mobile carriers to transfer a victim's phone number to a fraudulent , thereby intercepting verification codes. This exploit has been documented in financial sectors, where fraudsters gain unauthorized access to investment accounts by hijacking -delivered MFA prompts. Biometric factors are susceptible to spoofing attacks, including those leveraging deepfakes to replicate facial or voice patterns for unauthorized authentication. technology enables attackers to generate synthetic biometric data that fools facial recognition systems, as seen in rising cases where AI-generated videos mimic authorized users during remote verification. MFA fatigue attacks exploit user psychology by bombarding victims with repeated push notifications or approval requests, prompting accidental or frustrated approvals that grant access. 
This social engineering tactic, also known as MFA bombing, has featured in high-profile breaches, such as the 2023 MGM Resorts incident in which attackers overwhelmed casino staff with prompts as part of their intrusion into the network.

Session hijacking occurs after the initial MFA step: attackers steal active session cookies or tokens once legitimate authentication has completed, gaining persistent access without re-triggering any factor. Techniques such as browser-in-the-middle attacks capture these artifacts in transit, bypassing subsequent MFA prompts for the web session.

Supply chain risks affect the hardware tokens used in MFA: a compromised manufacturing or distribution step can introduce backdoors or counterfeit devices that undermine possession-based authentication. Tampered tokens from an untrusted vendor can, for example, leak their cryptographic seeds, exposing an organization to widespread compromise if the devices are deployed at scale.

According to 2024 cybersecurity reports, approximately 20% of confirmed data breaches involved social engineering tactics, underlining the persistence of human-targeted exploits. SMS-based MFA remains particularly vulnerable because of Signaling System 7 (SS7) flaws that allow text messages to be intercepted anywhere in the world without the user's knowledge, as exploited in nation-state and criminal operations.
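The relay attack described above, as an added example that is not part of the original page: a toy adversary-in-the-middle proxy forwards a victim's shared-secret OTP to the real site and is accepted, while the same proxy fails against an origin-bound credential because the browser reports the phishing origin to the authenticator and that origin is covered by the signature. The origin-bound part is a simplified model of FIDO2/WebAuthn that uses HMAC with a registered per-site key in place of a real key pair; the origins, class names and flow are assumptions made for the demonstration.

```python
"""Added example, not from the page: a toy relay (adversary-in-the-middle)
against a shared-secret OTP versus an origin-bound credential.  The
origin-bound part is a simplified model of FIDO2/WebAuthn that uses HMAC in
place of a real key pair; all names, origins and flows below are mine."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"        # legitimate relying party (constructed)
PHISH_ORIGIN = "https://bank-example.net"   # attacker's reverse proxy (constructed)


def otp_for_counter(secret: bytes, counter: int) -> str:
    """Stand-in for an RFC 4226/6238 code: HMAC over a counter, truncated
    to six digits.  Nothing in the code says which site it was typed into."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"


class OtpRelyingParty:
    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret

    def verify(self, counter: int, code: str) -> bool:
        return hmac.compare_digest(otp_for_counter(self.shared_secret, counter), code)


class Authenticator:
    """One credential per relying-party ID.  The *browser* supplies the
    origin it is actually showing the user, and that origin becomes part of
    the signed client data (WebAuthn carries it in clientDataJSON)."""

    def __init__(self):
        self.creds = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.creds[rp_id] = key
        return key  # model of the public key the RP stores at registration

    def get_assertion(self, rp_id: str, challenge: bytes, browser_origin: str):
        client_data = f"{challenge.hex()}|{browser_origin}".encode()
        sig = hmac.new(self.creds[rp_id], client_data, hashlib.sha256).digest()
        return client_data, sig


class OriginBoundRelyingParty:
    def __init__(self, origin: str, registered_key: bytes):
        self.origin = origin
        self.key = registered_key

    def verify(self, challenge: bytes, client_data: bytes, sig: bytes) -> bool:
        chal_hex, origin = client_data.decode().split("|", 1)
        if origin != self.origin:                 # the check a proxy cannot pass
            return False
        if bytes.fromhex(chal_hex) != challenge:  # replay / cross-session check
            return False
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def simulate_relay() -> tuple:
    """Returns (otp_relay_succeeded, origin_bound_relay_succeeded)."""
    # 1. shared-secret OTP: the proxy just forwards what the victim typed
    seed = secrets.token_bytes(20)
    otp_rp = OtpRelyingParty(seed)
    counter = 42
    typed_into_phish_site = otp_for_counter(seed, counter)   # victim's app output
    otp_ok = otp_rp.verify(counter, typed_into_phish_site)   # attacker replays it

    # 2. origin-bound credential: the browser reports the phishing origin
    auth = Authenticator()
    key = auth.register("bank.example")
    fido_rp = OriginBoundRelyingParty(REAL_ORIGIN, key)
    challenge = secrets.token_bytes(32)                      # issued by the real RP
    # attacker forwards the real challenge; the victim's browser is on PHISH_ORIGIN
    client_data, sig = auth.get_assertion("bank.example", challenge, PHISH_ORIGIN)
    fido_ok = fido_rp.verify(challenge, client_data, sig)    # attacker relays

    # sanity check: the same credential used from the real origin is accepted
    cd_ok, sig_ok = auth.get_assertion("bank.example", challenge, REAL_ORIGIN)
    assert fido_rp.verify(challenge, cd_ok, sig_ok)
    return otp_ok, fido_ok


if __name__ == "__main__":
    print(simulate_relay())
```

In a real browser the phishing origin cannot even request the credential registered for bank.example, because WebAuthn only allows a page to use credentials whose relying-party ID matches its own origin; the model above shows the server-side origin check that would reject the relayed assertion even if it could be produced.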

Mitigation Strategies

To mitigate known threats to multi-factor authentication (MFA), organizations should enforce phishing-resistant methods such as FIDO2-compliant security keys, which use public-key cryptography to bind each credential to a specific origin, so that a credential cannot be intercepted and replayed by an adversary. These methods avoid the weaknesses of SMS- or email-based one-time passwords (OTPs), which rely on shared secrets that can be phished or intercepted in transit. The FIDO2 standard, developed by the FIDO Alliance, delivers this through the WebAuthn and CTAP protocols, enabling integration across browsers and platforms while keeping the private key isolated inside the authenticator.

Rate limiting of MFA prompts is essential to counter MFA fatigue attacks, in which attackers flood users with repeated approval requests to exploit fatigue or annoyance. Capping the number of prompts within a defined window (for example, no more than three per hour), adding progressive delays, and requiring secondary verification when the pattern looks suspicious all reduce the success rate of this tactic. User education complements the technical control: training should stress verifying the legitimacy of prompts through an independent channel, recognizing phishing indicators, and reporting anomalies promptly so that inadvertent approvals are minimized.

For account recovery, organizations should provision backup codes as single-use look-up secrets with at least 20 bits of entropy, and advise users to store them offline or in an encrypted password manager. Continuous monitoring for anomalous behavior, including geolocation mismatches, unusual device fingerprints, or an elevated prompt frequency, enables risk-based interventions such as step-up authentication or session termination. Moving to FIDO2-based authenticators strengthens all of these defenses, since asymmetric cryptography eliminates shared secrets and supports phishing-resistant workflows without degrading usability.
On the policy front, mandating MFA across all access points, with any opt-out exceptions audited, ensures broad coverage, while regular rotation of shared-secret material (typically every 90 to 180 days) limits the exposure from a compromise. These practices align with NIST Special Publication 800-63B guidance for Authenticator Assurance Level 2 (AAL2), which requires multi-factor authenticators with replay resistance and approved cryptography to reach a moderate assurance baseline.
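The prompt cap and backup-code requirements above, as an added example rather than code from the original page: a sliding-window limiter that sends at most three push prompts per user per hour, refuses to send further prompts and tells the login flow to step up to another factor when the cap is hit, and blocks the user from more prompts for a delay that doubles on each over-cap attempt; alongside it, single-use backup codes generated with 40 bits of entropy and stored only as hashes. The class names, the exact thresholds and the event stream are constructed for the demonstration.

```python
"""Added example, not from the page: a sliding-window limiter for push
prompts that implements the 'no more than three per hour' policy with a
progressive back-off, plus single-use backup codes stored only as hashes.
Class names, thresholds and the constructed event stream are mine."""
import hashlib
import hmac
import secrets

MAX_PROMPTS = 3          # prompts allowed per user per window
WINDOW_SECONDS = 3600    # one hour
BACKUP_CODE_BYTES = 5    # 40 bits of entropy, above the 20-bit minimum


class PromptLimiter:
    """Decides whether a push prompt may be sent.  Over the cap no prompt
    goes out: the login is told to step up to a different factor and the
    user is blocked from further prompts for a delay that doubles each time."""

    def __init__(self, max_prompts=MAX_PROMPTS, window=WINDOW_SECONDS):
        self.max_prompts = max_prompts
        self.window = window
        self.sent = {}           # user -> timestamps of prompts actually sent
        self.strikes = {}        # user -> number of over-cap attempts
        self.blocked_until = {}  # user -> time until which prompts are refused

    def decide(self, user: str, now: float) -> str:
        recent = [t for t in self.sent.get(user, []) if now - t < self.window]
        self.sent[user] = recent
        if now < self.blocked_until.get(user, 0.0):
            return "blocked"
        if len(recent) >= self.max_prompts:
            strikes = self.strikes.get(user, 0) + 1
            self.strikes[user] = strikes
            delay = min(60 * 2 ** (strikes - 1), self.window)  # 1, 2, 4 ... minutes
            self.blocked_until[user] = now + delay
            return "step_up"
        recent.append(now)
        return "send"


def run_events(events):
    """Replay (user, timestamp) prompt requests through one limiter."""
    limiter = PromptLimiter()
    return [(user, ts, limiter.decide(user, ts)) for user, ts in events]


# Constructed stream: alice gets three legitimate prompts, then someone holding
# her password hammers the prompt endpoint; bob is unaffected.
SAMPLE_EVENTS = [
    ("alice", 0), ("bob", 100), ("alice", 120), ("alice", 240),
    ("alice", 300), ("alice", 330), ("alice", 400), ("alice", 500), ("alice", 600),
]


def issue_backup_codes(count=10):
    """Returns (codes to show the user once, hashes to store server-side)."""
    codes = [secrets.token_hex(BACKUP_CODE_BYTES) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: set, code: str) -> bool:
    """Single use: a matching hash is removed so the code cannot be replayed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    for candidate in list(stored):
        if hmac.compare_digest(candidate, digest):
            stored.remove(candidate)
            return True
    return False


if __name__ == "__main__":
    for row in run_events(SAMPLE_EVENTS):
        print(row)
    codes, store = issue_backup_codes()
    print(redeem_backup_code(store, codes[0]), redeem_backup_code(store, codes[0]))
```

Two design points worth noting: the limiter counts prompts that were actually sent, so over-cap attempts never reset the window in the attacker's favor, and the backup codes are unsalted hashes of 40-bit random values, which is acceptable only because each code is itself unguessable; codes derived from anything weaker would need a slow, salted hash.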

Regulation and Compliance

European Union

In the European Union, multi-factor authentication (MFA) is governed by several directives and regulations aimed at securing digital services and personal data. The General Data Protection Regulation (GDPR), in Article 32, requires controllers and processors to implement technical and organizational measures appropriate to the risk of the processing, and MFA is widely recognized as a recommended measure for preventing unauthorized access and supporting the confidentiality, integrity, and resilience of systems. The revised Payment Services Directive (PSD2), Directive (EU) 2015/2366, introduces strong customer authentication (SCA) for electronic payment services: at least two independent factors from the categories knowledge (e.g., a password), possession (e.g., a registered device), and inherence (e.g., a biometric) are required for initiating payments and accessing accounts, in particular for remote electronic transactions above the low-value exemptions set in the regulatory technical standards (remote transactions up to €30 and contactless point-of-sale payments up to €50). The framework applies to payment service providers across the EU and allows risk-based exemptions for small amounts in order to balance security and usability. The eIDAS 2.0 Regulation (EU) 2024/1183, which entered into force in May 2024, goes further by defining "strong user authentication" as the use of at least two independent factors from the knowledge, possession, or inherence categories to protect electronic identification and trust services at the high assurance level. It mandates MFA for high-assurance schemes, including the issuance and use of European Digital Identity Wallets, which entities in banking and the other sectors listed in the regulation must accept for authentication within 36 months of the related implementing acts. Non-compliance is enforced through significant penalties, including GDPR administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, under Article 83.
PSD2 enforcement falls to the national competent authorities, which can impose fines or other sanctions for breaches of the SCA requirements, while eIDAS 2.0 provides for administrative fines with a maximum of at least €5 million or, for undertakings, 1% of total worldwide annual turnover, whichever is higher. National implementations vary; Germany's Federal Office for Information Security (BSI), for instance, publishes Technical Guideline TR-03166, which details MFA processes built from knowledge, possession, and inherence factors to align with EU directives and raise cybersecurity in the public and private sectors. As of 2025, these frameworks sit alongside the Digital Services Act, Regulation (EU) 2022/2065, which requires online platforms to assess systemic risks, including unauthorized access, and thereby encourages MFA as a technical measure to mitigate harm and secure user interactions on intermediary services. This alignment promotes cross-border consistency in digital authentication practices across the EU.

United States

In the United States, multi-factor authentication (MFA) is mandated through federal legislation and guidelines to secure government and financial systems. The Federal Information Security Modernization Act (FISMA) of 2014, which updated the 2002 statute, requires federal agencies to run information security programs built on standards from the National Institute of Standards and Technology (NIST); those standards, in particular Special Publication 800-53, Revision 5, call for MFA through control IA-2, which specifies multi-factor authentication for both privileged and non-privileged accounts, verifying identity with at least two distinct factors.

In the financial sector, the Federal Financial Institutions Examination Council (FFIEC) issues guidance that promotes MFA. The 2011 supplement to the FFIEC's Authentication in an Internet Banking Environment called for layered security, including MFA, for high-risk online transactions. The 2021 FFIEC guidance on Authentication and Access to Financial Institution Services and Systems strengthened this, treating MFA as a core component of risk-based authentication for access to financial institution services, particularly for sensitive operations such as fund transfers. At the state level, the New York Department of Financial Services (NY DFS) Cybersecurity Regulation (23 NYCRR Part 500), in force since 2017 and amended in 2023, requires covered financial entities to implement MFA for non-console administrative access, privileged accounts, and any access to internal or external networks as part of layered cybersecurity controls. Executive action has also driven MFA adoption across the federal government.
President Biden's Executive Order 14028 of May 2021 directs federal agencies to adopt MFA for all users accessing federal systems and to move toward zero-trust architectures that incorporate phishing-resistant MFA, in order to strengthen national cybersecurity. As of 2025, adoption has accelerated in response to 2024 Cybersecurity and Infrastructure Security Agency (CISA) alerts on MFA bypass techniques such as push bombing, prompting federal agencies and financial institutions to prioritize phishing-resistant methods such as hardware-based authenticators.

Other Regions

In India, the Reserve Bank of India (RBI) issued guidelines in 2016 mandating an additional factor of authentication, such as a one-time password, for card-not-present digital payment transactions in order to strengthen electronic banking security. These requirements have evolved: the RBI's 2025 framework reinforces two-factor authentication (2FA) for all domestic digital payments, effective April 1, 2026, requiring at least one dynamically created factor, with OTPs, tokens, and passphrases among the permitted options, while allowing flexibility beyond SMS OTPs. Aadhaar, the national biometric identification system managed by the Unique Identification Authority of India (UIDAI), integrates into MFA for financial services, supporting biometric authentication alongside demographic or OTP verification in systems such as the Aadhaar Enabled Payment System (AePS) for secure, contactless transactions.

In China, the People's Bank of China (PBOC) requires financial institutions to implement multi-factor authentication or secondary authorization for accounts that access highly sensitive data, as set out in its 2025 data security measures to protect personal financial information and prevent unauthorized access in apps and platforms. Complementing this, the Cyberspace Administration of China (CAC) enforces multi-factor authentication under the broader data privacy and cybersecurity regulations, mandating it for all external or privileged access to systems handling personal information in order to reduce risk in network data processing.

The Australian Prudential Regulation Authority (APRA) promotes multi-factor authentication as a core control for banking entities to safeguard information assets and systems; 2023 guidance clarified its mandatory use for high-risk activities such as privileged access, and 2025 updates require self-assessments and reporting of implementation gaps to strengthen operational resilience. Globally, the ISO/IEC 27001 standard for information security management systems encourages MFA adoption through its controls on secure access to networks and services, influencing regulation in emerging markets through its emphasis on layered authentication against evolving threats.

Intellectual Property

Key Patents

One of the earliest foundational patents in multi-factor authentication (MFA) is US Patent 4,720,860, issued on January 19, 1988, to Kenneth P. Weiss and assigned to Security Dynamics Technologies, Inc. (later RSA Security). It describes a method and apparatus for positively identifying an individual by combining a static secret code with a dynamic, time-based variable to generate non-predictable codes for challenge-response authentication, laying the groundwork for token-based MFA. Building on this, US Patent 5,168,520, issued on December 1, 1992, also to Weiss and the same assignee, advanced the time-synchronized technology central to the SecurID system: a portable device generates pseudorandom codes from shared time intervals and a secret seed, and the user must enter both a PIN and the current code to authenticate, a design that remained widely deployed until the early 2010s.

More recently, US Patent 9,542,543 B2, issued on January 10, 2017, to Koichiro Niinuma and assigned to Fujitsu Limited, addresses biometric MFA with a device and method for dynamically updating registered biometric data (such as fingerprints) so that matching accuracy is maintained over time, combining biometric factors with adaptive quality controls for robust multi-factor verification. FIDO-related patents filed after 2012, such as US Patent 10,917,405 B2 issued in 2021, describe systems for providing FIDO-compliant authentication services with authenticators on user devices, enabling phishing-resistant MFA without shared secrets. The expiration of the key 1990s patents, including Weiss's (17 years from issuance under pre-1995 law, so around 2005 to 2009), opened the way for open standards such as the OATH HOTP and TOTP algorithms, taking token-based authentication beyond proprietary systems.
Ongoing litigation in the 2020s, such as Proxense's patent enforcement actions over biometric authentication technology integrated into MFA (settlements reached as of January 2025, further cases pending, and a Federal Circuit appeal filed in October 2025), shows that disputes continue to shape the evolution of device-bound and wireless MFA methods.

Standards and Protocols

Multi-factor authentication (MFA) relies on a range of industry standards and protocols to ensure interoperability, security, and consistent behavior across diverse systems and devices. These specifications define how authentication factors are generated, verified, and exchanged, enabling integration in enterprise, web, and mobile environments. The main efforts focus on open, vendor-neutral frameworks that cover both traditional one-time passwords and cryptographic methods for passwordless authentication.

The Initiative for Open Authentication (OATH), established to promote interoperable authentication, produced the foundational standards for event- and time-based one-time passwords. The HMAC-based One-Time Password (HOTP) algorithm, specified in RFC 4226 (December 2005), derives each code from a shared secret key and an incrementing event counter: an HMAC-SHA-1 is computed over the counter and dynamically truncated to a 6- to 8-digit value. Because that code space is small, RFC 4226 requires the verifier to throttle failed attempts. The Time-based One-Time Password (TOTP) algorithm, defined in RFC 6238 (May 2011), replaces the counter with a time step (typically 30 seconds) derived from Unix time, so that both sides generate the same code without counter resynchronization; it additionally permits HMAC-SHA-256 and HMAC-SHA-512 in place of SHA-1. Both algorithms are widely implemented in software tokens and hardware authenticators for second-factor verification.

FIDO2, finalized in 2019 by the FIDO Alliance, represents a shift toward passwordless MFA based on public-key cryptography, combining the W3C Web Authentication (WebAuthn) API with the Client to Authenticator Protocol (CTAP). WebAuthn, which reached W3C Recommendation status on March 4, 2019, gives web applications a browser API for creating and using strong, attested public-key credentials, so that a user gesture such as a biometric or PIN authenticates the user without any secret being transmitted over the network.
CTAP, published by the FIDO Alliance on January 30, 2019, defines the low-level protocol between a platform and an external authenticator (over USB, NFC, or Bluetooth), implementing WebAuthn's abstract operations so that roaming devices can serve passwordless scenarios. Together, the two protocols provide high-assurance MFA by binding credentials to a specific origin and requiring proof of possession of the private key.

For federated environments, SAML and OAuth 2.0 incorporate MFA into identity federation and delegated authorization. SAML 2.0, an OASIS standard ratified in March 2005, enables cross-domain single sign-on by exchanging XML-based authentication assertions between identity providers and service providers; MFA can be required through the authentication context carried in the assertion, so that additional factors (e.g., an OTP or a biometric) are demanded before access is granted. OAuth 2.0, defined in RFC 6749 (October 2012), is an authorization framework for delegated access; MFA is integrated through flows such as the authorization code grant, where the identity provider enforces multi-step challenges before issuing tokens.

The National Institute of Standards and Technology (NIST) provides authoritative MFA guidance in its Special Publication 800-63 series on digital identity. SP 800-63-3, released in June 2017 and subsequently updated, defines Authenticator Assurance Levels (AALs). AAL3, the highest, mandates phishing-resistant MFA using a hardware cryptographic authenticator (e.g., a FIDO2 device) or combinations such as a single-factor OTP device paired with a multi-factor cryptographic software authenticator, with FIPS 140-validated modules, replay resistance, and reauthentication at least every 12 hours. The framework also stresses approved cryptography and protected channels to mitigate impersonation risks.
In July 2025, NIST issued the final version of SP 800-63-4, modernizing these guidelines with modular assurance levels that favor user-centric, phishing-resistant MFA and account for emerging threats. As of 2025, the Internet Engineering Task Force (IETF) is advancing post-quantum cryptography (PQC) drafts so that MFA-related protocols resist quantum attacks. Draft-ietf-emu-pqc-eapaka-00, published in July 2025, specifies PQC key encapsulation mechanisms (e.g., hybrid ML-KEM) for the EAP-AKA protocol, enabling quantum-resistant key agreement in mobile and network environments. Similarly, draft-ietf-uta-pqc-app, updated in September 2025, recommends PQC algorithms for TLS-based applications, including those that carry MFA exchanges, to protect credential exchanges against harvest-now-decrypt-later attacks using hybrid key exchange. These drafts promote gradual migration to PQC while maintaining compatibility with classical cryptography.
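The HOTP and TOTP algorithms described in this section, as an added example that is not code from the page or from the OATH initiative: both are implemented from the RFC text with Python's standard library and can be checked against the test vectors published in RFC 4226 and RFC 6238 (the shared secret is the ASCII string "12345678901234567890", extended to 32 and 64 bytes for SHA-256 and SHA-512). The skew-tolerant verification helper and the otpauth:// provisioning URI function are additions of mine that show how a verifier and an enrollment QR code typically use these algorithms.

```python
"""Added example, not from the page: HOTP (RFC 4226) and TOTP (RFC 6238)
implemented from the RFC text with Python's standard library, checkable
against the RFCs' published test vectors.  The verification helper, its
skew window and the provisioning-URI function are mine."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic
    truncation (low nibble of the last byte selects a 4-byte window)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, t0: int = 0,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter replaced by floor((time - T0) / step)."""
    return hotp(secret, int((at - t0) // step), digits, algo)


def verify_totp(secret: bytes, code: str, at: float = None, window: int = 1,
                step: int = 30, digits: int = 6, algo: str = "sha1") -> bool:
    """Accept the current step and `window` steps either side for clock skew.
    Compare in constant time; callers must also throttle attempts (RFC 4226
    section 7.3), since a six-digit code falls to brute force otherwise."""
    if at is None:
        at = time.time()
    base = int(at // step)
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, base + delta, digits, algo)
        ok |= hmac.compare_digest(expected, code)   # no early exit
    return ok


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30, algo: str = "sha1") -> str:
    """otpauth:// key URI for QR enrolment in authenticator apps; the secret
    is Base32 without padding, as those apps expect."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm={algo.upper()}&digits={digits}&period={step}")


# RFC 6238 appendix B secrets: the ASCII digits repeated to 20/32/64 bytes
SEED_SHA1 = b"12345678901234567890"
SEED_SHA256 = (b"1234567890" * 4)[:32]
SEED_SHA512 = (b"1234567890" * 7)[:64]

if __name__ == "__main__":
    print(hotp(SEED_SHA1, 0), totp(SEED_SHA1, 59, digits=8))
    print(provisioning_uri(SEED_SHA1, "alice@example.com", "Example"))
```

A verifier that accepts a window of one step either side already triples the attacker's odds per guess, which is why the throttling RFC 4226 asks for matters as much as the algorithm; a relying party should also record the last accepted time step and refuse to accept the same code twice within it.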

References

  1. [1]
    multi-factor authentication - Glossary | CSRC
    An authentication system that requires more than one distinct authentication factor for successful authentication.
  2. [2]
    Multi-Factor Authentication | NIST
    Jan 10, 2022 · MFA is an important security enhancement that requires a user to verify their identity by providing more than just a username and password.
  3. [3]
    Authentication - OWASP Cheat Sheet Series
    Multi-Factor Authentication¶. Multi-factor authentication (MFA) is by far the best defense against the majority of password-related attacks, including brute ...Multifactor Authentication · Password Storage · Session Management
  4. [4]
    One simple action you can take to prevent 99.9 percent of attacks on ...
    Aug 20, 2019 · You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing.
  5. [5]
    Multifactor Authentication - OWASP Cheat Sheet Series
    Multifactor Authentication (MFA) requires more than one type of evidence to authenticate, such as something you know, have, are, somewhere you are, or do.
  6. [6]
    Has MFA Had Its Day? - Cyber Defense Magazine
    Sep 9, 2023 · 2FA and MFA: A Brief History. The predecessor of MFA, two-factor authentication (2FA), has been around – believe it or not – since 1986, when ...
  7. [7]
    What is the Evolution of Multifactor Authentication - Palo Alto Networks
    While it is disputed who originated the concept, the earliest use of multi-factor authentication dates back to early ATMs. Users had to have a physical card and ...
  8. [8]
    [PDF] Biometric Identification Evolves to Provide Unprecedented Security ...
    In the 1990s, popularity of biometrics gave rise to improved technology and faster, more accurate results. The first semi-automated facial recognition system ...
  9. [9]
  10. [10]
    How technology and the world have changed since 9/11 | Brookings
    Aug 27, 2021 · Some of this means better digital hygiene, password protection, and two-factor authentication. But it also involves stronger systems that ...
  11. [11]
    [PDF] Government Deployments and Recognitions - FIDO Alliance
    The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy ...
  12. [12]
    Yahoo's March 2025 Class Action: Lessons for CISOs from the ...
    Apr 25, 2025 · A few months later, in December 2016, Yahoo revealed the 2013 breach ... The absence of multi-factor authentication (MFA) as a default on Yahoo ...
  13. [13]
    The Future of MFA: Adaptive Authentication and Other Trends
    Apr 29, 2025 · One trend we see influencing the evolution of MFA is more organizations using passwordless methods to improve user experiences. For example ...
  14. [14]
    NIST Special Publication 800-63B
    Summary of each segment:
  15. [15]
    Multifactor authentication implementation | Internal Revenue Service
    Mar 21, 2025 · Something you know: password, Personal Identification Number (PIN), challenge question, or pattern. · Something you have: hardware or software ...
  16. [16]
    Use Two-Factor Authentication To Protect Your Accounts
    Authentication factors fall into three categories: Something you know, like a password, a PIN, or the answer to a security question. Something you have ...
  17. [17]
    Authenticators - NIST Pages
    Pre-registered knowledge tokens—sometimes referred to as security questions or knowledge-based authentication (KBA)—an authenticator (token) type that existed ...
  18. [18]
    [PDF] An empirical study of authentication methods to secure e-learning ...
    Jan 1, 2016 · Due to the ease of use and high user acceptance, single-factor authentication such as username/password, a token, or a biometric is most.
  19. [19]
    [PDF] Passwords and the Evolution of Imperfect Authentication
    Theory on passwords has lagged behind practice, where large providers use back-end smarts to survive with imperfect technology. Simplistic models of user.
  20. [20]
  21. [21]
    What is Passwordless Security? - Yubico
    Possession factors. ... Users authenticate by inserting a physical smart card into a reader or by using a hardware token with a secure element such as a YubiKey.
  22. [22]
  23. [23]
  24. [24]
    What is Biometric Authentication? - IBM
    Inherence factors, also called physical factors, are physical traits unique to a person, such as the pattern of blood vessels in their retina. Biometric ...<|separator|>
  25. [25]
    Biometric Authentication: Advanced Security Solutions | Okta
    Sep 14, 2024 · Biometric authentication is a security process that uses unique biological characteristics like fingerprints, eye patterns, facial recognition, and voice ...
  26. [26]
    [PDF] Combining COTS Finger and Face Biometrics for Identify Verification
    Our work is the first to demonstrate that multimodal fingerprint and face biometric systems can achieve significant accuracy gains over either biometric alone, ...
  27. [27]
    [PDF] HOLISTIC EVALUATION OF MULTI-BIOMETRIC SYSTEMS
    Apr 5, 2021 · If a multi-biometric system is resulting in improved accuracy, it is likely that the uniqueness of the overall feature set in question is more ...
  28. [28]
    Biometric Login Explained: Methods, Benefits & Risks
    Jun 17, 2025 · Modern biometric systems (like Face ID or Windows Hello) store encrypted templates locally within a secure enclave on your device, so your ...
  29. [29]
    What is BIometric Spoofing and How To Prevent It - Facia.ai
    Sep 6, 2023 · Biometric spoofing is the act of imitating a person's unique biological characteristics, like fingerprints, facial patterns, iris scans, or even voice patterns.Effects of Presentation Attacks... · Can Biometric Spoofing Be...
  30. [30]
    How aging, injury and capture impact the challenge of change in ...
    Dec 25, 2023 · Biometrics are unquestionably more secure than a paper ID document that can be lost or stolen. It is not easy to steal someone's face. However, ...
  31. [31]
    [PDF] Biometric Template Security - Computer Science and Engineering
    One of the most potentially damaging attack on a biometric system is against the biometric templates stored in the system database. Attacks on the tem- plate ...
  32. [32]
    [PDF] ISO/IEC 30136
    Is the stored template irreversible, i.e., how difficult is it for an a@acker to recover the biometric from the template? • How much storage do the templates ...
  33. [33]
    What is multi-factor authentication (MFA)? - Box
    Location-based authentication (somewhere you are). Geolocation: Verification of the user's location via GPS or IP address to confirm a login attempt comes ...How To Enable Mfa Setup In... · 1. Select Your Multi-Factor... · 5. Adopt Other Mfa Best...
  34. [34]
    What is Multi-Factor Authentication (MFA)? | Silverfort Glossary
    D. Location Factor (Somewhere You Are). The location factor takes into account the user's physical location or context. Geo-location and IP address verification ...Understanding Authentication · What Are The Factors Of... · Types Of Mfa Solutions
  35. [35]
    Types of Multi-Factor Authentication (MFA) - Keeper Security
    Jun 27, 2023 · 4. Location: Somewhere you are. In a zero-trust cybersecurity environment, your physical location can be an authentication factor. Some apps and ...Mfa Examples · 2. Sms Text Message Token · 5. Biometric Authentication
  36. [36]
    Risk-Based Authentication: What You Need to Consider - Okta
    Sep 14, 2024 · Risk-based authentication assesses the probability of account compromise with each login. If the request seems unusual or suspect, the user must do something ...
  37. [37]
    Risk-Based Authentication Explained in Simple Words | EnKash
    Protection through location-based authentication uses GPS or IP addresses to determine where the login is coming from. If the login happens from an unfamiliar ...
  38. [38]
    Improve Security with Risk-Based Authentication - Ping Identity
    Risk-based authentication (also known as context-based authentication) is the process of verifying a user as they sign on and scoring them against a set of ...
  39. [39]
    GPS vs Geolocation: Understanding Their Impact on Your App
    Rating 5.0 (5) Feb 22, 2024 · GPS location is often more accurate or precise than IP-based location because GPS signals happen in real time. How GPS-Based Location Services ...Introduction To... · Applications Of Ip... · Case Studies And Real-World...
  40. [40]
    How accurate is IP geolocation? - MaxMind
    Jul 1, 2021 · All of our IP geolocation data comes with an accuracy radius field. The actual geolocation of the IP address is likely within the circle with its center at the ...Is Ip Geolocation About A... · Understanding Ip Addresses · Residential And Business Ip...
  41. [41]
    GPS for Authentication: Is the Juice Worth the Squeeze?
    Apr 19, 2021 · This paper will compare the precision of IP address location data to that of GPS coordinates, to determine if the increased available precision ...Missing: accuracy | Show results with:accuracy
  42. [42]
    Inside Secrets About IP Address Geolocation Accuracy
    For example, city-level accuracy may range from 50–80%, and rural or mobile IPs are often much less precise. Factors such as VPNs, proxies, mobile carrier ...Is Geolocation Your Exact... · Where Does Geolocation Data... · How Geolocation Accuracy Can...
  43. [43]
    Conditional Access - Block access by location - Microsoft Entra ID
    Jul 24, 2025 · With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user.Missing: enterprise | Show results with:enterprise
  44. [44]
    Geofencing: IAM Policy - LastPass
    Geofencing gives IT complete control to define where user access is granted. Defined Green Zones enable access while Red Zones prevent unwanted logins.
  45. [45]
    Knowing where access attempts come from, the key to MFA
    Dec 17, 2021 · But these geofencing measures must be combined with advanced multi-factor authentication (MFA) solutions that offer risk-based authentication ...Missing: control | Show results with:control
  46. [46]
    [PDF] nist.sp.800-73-4.pdf
    Jul 15, 2024 · FIPS 201 defines the requirements and characteristics of a government-wide interoperable identity credential. FIPS 201 also specifies that this ...
  47. [47]
    Universal 2nd Factor (U2F) Overview - FIDO Alliance
    Apr 11, 2017 · The specs for U2F are in two layers. The upper layer specifies the cryptographic core of the protocol. The lower layer specifies how the user's ...
  48. [48]
    Smart Card Authentication - Thales
    Thales' smart cards offer a single solution for strong authentication and applications access control, including remote access, network access, password ...
  49. [49]
    [PDF] FortiToken Mobile and 210 Data Sheet - Fortinet
    • Long-life lithium battery. • Tamper-resistant/tamper-evident packaging. • Battery Life Indicator. • OTP Timer. • FTK-210 is FIPS 140-2 compliant. FortiToken ...
  50. [50]
    [PDF] Selecting Secure Multi-factor Authentication Solutions - DoD
    Jul 31, 2024 · The authenticator type can be implemented in a hardware device (e.g., a key-chain fob) or by software installed on a mobile device. Single ...
  51. [51]
    Two factor authentication hardware TOTP token Protectimus Two
    The Protectimus TWO token is OATH compliant and runs on the TOTP algorithm. It is ideal for any two-factor authentication system based on the OATH standards.
  52. [52]
    Duo Push Allows Users to Verify With a Tap
    Quickly verify your users' identity with two-factor authentication from Duo Push. Our solution is safe and easy to use with just one tap on their device.
  53. [53]
    What is a Time-based One-time Password (TOTP)? - Twilio
    The TOTP algorithm ... The TOTP algorithm follows an open standard documented in RFC 6238 . The inputs include a shared secret key and the system time. The ...
  54. [54]
    Add TOTP multi-factor authentication to your web app - Firebase
    With many authenticator apps, users can quickly add new TOTP secrets by scanning a QR code that represents a Google Authenticator-compatible key URI. To ...Enable TOTP MFA · Enroll users in TOTP MFA · Sign in users with a second...
  55. [55]
    Duo Mobile App | Secure Mobile Authentication
    MFA is an access security solution. There are multiple ways to verify with MFA (push notifications, biometrics, location, etc.). MFA is often used in ...Duo Push · Duo 2FA · MFA Evaluation Guide · Tokens and Passcodes
  56. [56]
    The Vulnerabilities of SMS Two-Factor Authentication by Lucie Cardiet
    Jan 24, 2024 · Unlike app-based or phishing-resistant authentication, SMS one-time passcodes (OTPs) can be intercepted, redirected, or hijacked.Real World Example: Why is... · Typical attacker progression...
  57. [57]
    Trusty TEE - Android Open Source Project
    Jun 18, 2025 · Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android.
  58. [58]
    Understanding and Preventing SIM Swapping Attacks | Bitsight
    Jul 2, 2025 · SIM swapping, also known as SIM hijacking, is a type of identity theft in which attackers deceive or bribe mobile carriers into transferring a victim's phone ...How SIM swapping works and... · Which threat actors leverage...
  59. [59]
    2025 Multi-Factor Authentication (MFA) Statistics & Trends to Know
    Jan 3, 2025 · In medium-sized firms (26-100 employees), MFA usage is 34%. Smaller businesses (up to 25 employees) have a lower MFA adoption rate at 27%.
  60. [60]
    Biometric multi‐factor authentication: On the usability of the ...
    Nov 10, 2022 · During authentication, the system verifies the user's identity sequentially by using the fingerprint as the first factor and the PIN as the ...
  61. [61]
    Beyond Fingerprints: Power of Multimodal Biometric Authentication
    Learn how multimodal biometric authentication enhances security using fingerprint, face, and voice for seamless, passwordless access control.
  62. [62]
    What is liveness detection? A complete guide - Incognia
    Liveness detection, also known as anti-spoofing, ensures authenticators read a true biometric source, like an actual eye or face, not a false image.
  63. [63]
    The Effectiveness of Depth Data in Liveness Face Authentication ...
    Apr 24, 2019 · Moreover, the technique of using real depth data in 3D liveness detection is not commonly implemented in face recognition devices and systems.
  64. [64]
    Fingerprint authentication accuracy, FAR% and FRR%, in the three ...
    Experimental results demonstrate a low False Acceptance Rate (FAR) of 0.5%–3% and a False Rejection Rate (FRR) of 1.8%–5%, with significantly reduced execution ...
  65. [65]
    Passwordless authentication options for Microsoft Entra ID
    Mar 4, 2025 · A user signs into Windows using biometric or PIN gesture. The gesture unlocks the Windows Hello for Business private key and is sent to the ...
  66. [66]
    NIST Study Evaluates Effects of Race, Age, Sex on Face ...
    Dec 19, 2019 · A new NIST study examines how accurately face recognition software tools identify people of varied sex, age and racial background.
  67. [67]
    Racial bias in facial recognition algorithms
    Facial recognition is less accurate in identifying people with darker skin tones—especially women. This can result in the misidentification of Black protesters ...
  68. [68]
    Exploring Mobile Biometric Authentication Solutions - LoginRadius
    Apr 28, 2021 · Utilizes built-in hardware sensors on the device such as fingerprint readers, facial recognition cameras, and voice recognition microphones.
  69. [69]
    BIOMETRIC READERS: Multi-factor Solutions for Enterprise ...
    Sep 25, 2018 · Tx Systems offers many different biometric solutions from top rated manufacturers such as SecuGen and Identos to secure your desktop ...
  70. [70]
    [PDF] Multifactor Authentication for E-Commerce: Risk-Based, FIDO ...
    MFA uses something you know, have, and are, and is triggered by risk elements, to reduce e-commerce fraud. It uses FIDO U2F and risk-based triggers.
  71. [71]
    [PDF] Implementing Resiliency of Adaptive Multi-Factor Authentication ...
    In this paper, the graphical user interface application is designed to add more resiliency to the existing Adaptive Multi-Factor Authentication (A-MFA) method ...
  72. [72]
    Security, Privacy, and Usability in Continuous Authentication: A Survey
    Sep 6, 2021 · Continuous authentication with physiological and behavioral biometrics utilizes user-specific biometric information (referred to as templates) ...
  73. [73]
    A Review of Continuous Authentication Using Behavioral Biometrics
    The present study carries out a literature review on the topic of Continuous Authentication (CA) using behavioral biometrics. CA systems have been proposed ...
  74. [74]
    (PDF) Continuous Authentication using Behavioural Biometrics
    In this paper, we demonstrate a new way to perform continuous authentication using Mouse Dynamics as the behavioural biometric modality.
  75. [75]
    Zero Trust framework: A comprehensive, modern security model - Okta
    Apr 19, 2024 · A Zero Trust framework is a security model that acts on the principle of never trust, always verify, requiring strict Identity confirmation for every human and ...
  76. [76]
    Passkeys: Passwordless Authentication - FIDO Alliance
    A passkey is a FIDO authentication credential that allows users to sign in to apps and websites using their device unlock method, instead of passwords.
  77. [77]
    What Is FIDO2? | Microsoft Security
    What is FIDO2 and how does it work? FIDO2 is an open, license-free standard for multifactor passwordless authentication in mobile and desktop environments.
  78. [78]
    [PDF] How effective is multifactor authentication at deterring cyberattacks?
    Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials.
  79. [79]
    Credential Stuffing Prevention - OWASP Cheat Sheet Series
    Multi-factor authentication (MFA) is by far the best defense against the majority of password-related attacks, including credential stuffing and password ...
  80. [80]
    [PDF] Cost of a Data Breach Report 2023 - Cloudfront.net
    Average total cost of a breach​​ The average cost of a data breach reached an all-time high in 2023 of USD 4.45 million. This represents a 2.3% increase from the ...
  81. [81]
    Enhancing User Trust in FinTech: A Multi-Factor Authentication Study
    Empirical findings revealed a notable increase in user trust and confidence levels following the introduction of MFA. Users exhibited heightened perceptions of ...
  82. [82]
    More than a Password - CISA
    Users who enable MFA are significantly less likely to get hacked. Why? Because even if a malicious cyber actor compromises one factor (like your password), they ...
  83. [83]
    Vulnerabilities in multi-factor authentication | Web Security Academy
    In this section, we'll look at some of the vulnerabilities that can occur in multi-factor authentication mechanisms.
  84. [84]
    Prevent MITM Phishing Attacks with MFA - IS Decisions
    Aug 17, 2023 · Man-in-the-middle (MiTM) phishing attacks on MFA exploit gaps in MFA implementation. Here's what you need to know to defend against MiTM MFA ...
  85. [85]
    How MFA can be hacked - Resilience
    Mar 19, 2025 · The primary vulnerability comes in the form of SIM swapping attacks. In these scenarios, attackers use social engineering tactics to convince ...
  86. [86]
    [PDF] Implementing Phishing-Resistant MFA - CISA
    Push bombing, SS7, and SIM swap attacks are not applicable. App-based authentication: • One-time password (OTP). • Mobile push notification with.
  87. [87]
    SIM Swapping Risks to Investors | FINRA.org
    Oct 29, 2024 · Thus, SIM swapping has a lot of potential for harm, as does port-out fraud, which is a related tactic that involves bad actors deceptively ...
  88. [88]
    White Papers 2024 Examining Authentication in the Deepfake Era
    Jul 29, 2024 · Deepfakes enable more advanced spoofing attacks, in which false biometrics are presented to security systems. This is not limited to creating a ...
  89. [89]
    Preventing Biometric Spoofing with Deepfake Detection - Pindrop
    Dec 11, 2023 · Biometric spoofing is a common tactic used by scammers to manipulate biometric traits in order to impersonate innocent targets.
  90. [90]
    Beware MFA Fatigue Attacks - RSA Security
    Dec 15, 2024 · MFA fatigue is a type of phishing attack. In the MITRE ATT&CK framework, it's defined as a way to “bypass multi-factor authentication (MFA) mechanisms”.
  91. [91]
    MFA Fatigue Attack: Definition & Defense Strategies | BeyondTrust
    MFA fatigue attacks flood users with login prompts to force approval. Learn how they work, how to detect them, and how to stop them with layered defenses.
  92. [92]
    Session Hijacking - How It Works and How to Prevent It - Ping Identity
    Aug 15, 2024 · It allows black hat hackers to completely bypass secure authentication mechanisms, including multi-factor authentication (MFA) and others.
  93. [93]
    BitM Up! Session Stealing in Seconds Using the Browser-in-the ...
    Mar 17, 2025 · The browser in the middle technique can enable compromises, especially if defenses and MFA aren't properly implemented.
  94. [94]
    Supply Chain Security: Critical Challenges and Vulnerabilities
    Another major risk arises from counterfeit hardware components. Attackers infiltrate hardware supply chains by substituting legitimate components with rogue ...
  95. [95]
    Trusted Connections, Hidden Risks: Token Management in the Third ...
    Sep 12, 2025 · Effective OAuth token management is crucial for supply chain security, preventing breaches caused by dormant integrations, insecure storage ...
  96. [96]
    85+ Social Engineering Statistics to Know for 2026 - Secureframe
    Oct 29, 2025 · The average cost of a social engineering attack was $130,000 in 2024. (CRC Group). 83. 20% of confirmed data breaches involve social engineering ...
  97. [97]
    [PDF] Digital Identity Guidelines: Authentication and Lifecycle Management
    Jul 24, 2025 · Threat Mitigation Strategies. Related mechanisms that assist in mitigating the threats identified above are summarized in Table 8-2. Table 8 ...
  98. [98]
    Multifactor Authentication | Cybersecurity and Infrastructure ... - CISA
    MFA is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a ...
  99. [99]
  100. [100]
  101. [101]
  102. [102]
  103. [103]
  104. [104]
    [PDF] NIST.SP.800-53r5.pdf
    Sep 5, 2020 · NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems ...
  105. [105]
    [PDF] Supplement to Authentication in an Internet Banking Environment
    Oct 12, 2005 · The Guidance provided minimum supervisory expectations for effective authentication controls applicable to high-risk online transactions ...
  106. [106]
    Iranian Cyber Actors' Brute Force and Credential Access Activity ...
    Oct 16, 2024 · Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) 'push bombing' to compromise user accounts and obtain ...
  107. [107]
    Method and apparatus for positively identifying an individual
    An apparatus for the electronic generation and comparison of non-predictable codes. The apparatus of the invention comprises a first mechanism for ...
  108. [108]
  109. [109]
    Methods and systems for providing FIDO authentication services
    Thus, FIDO specifications support multifactor authentication (MFA) and public key cryptography. A major benefit of FIDO-compliant authentication is the fact ...
  110. [110]
    Google follows Samsung in settling patent dispute with biometrics ...
    Jan 14, 2025 · Former operating company Proxense is enforcing biometric authentication and recently also wireless communications patents against major technology companies.