What is MFA
Multi-factor authentication (MFA) is a security process that requires users to verify their identity using two or more distinct factors. Each factor can be from one of the following categories:
- Something you know (e.g., a password)
- Something you have (e.g., a security token or mobile device)
- Something you are (e.g., a biometric such as fingerprint or face recognition)
For an authentication method to be secure, it should validate at least two factors.
Business Value
Multi-factor authentication (MFA) delivers critical business value by significantly strengthening security and reducing the risk of data breaches, phishing, and credential theft, even if passwords are compromised. This protection safeguards not only sensitive company and customer data but also preserves customer trust and brand reputation, which are invaluable assets in today’s digital economy. As remote and flexible work becomes standard, MFA ensures secure access to company systems from any location, enabling productivity without sacrificing security. Beyond risk reduction, MFA also drives cost savings by minimizing fraud, security incidents, and IT support overhead, while integrating seamlessly with existing identity management systems to streamline operations and enhance efficiency. In essence, MFA is a strategic investment that secures assets, supports modern work environments, and protects your bottom line.
Authentication methods
Why multiple options
Offering multiple MFA methods directly addresses both user experience and operational resilience. Users have different preferences and access to devices. Some may prefer the convenience of an authenticator app, while others rely on SMS or biometrics. By providing choices, you reduce friction and increase adoption rates, which is critical for widespread security compliance. At the same time, redundancy ensures that if a user loses access to one method (like a misplaced phone), they aren’t locked out of their account and can fall back on an alternative, such as email verification or a hardware token. This not only keeps productivity high but also aligns with industry best practices and regulatory requirements, helping your product meet security standards without sacrificing usability. In short, it’s about balancing strong security with a seamless experience, which ultimately builds trust and reduces support overhead. (See: idpro-mfa-for-humans)
Passkey (WebAuthn / FIDO2)
| Factors | Something you have (device); something you know (PIN); something you are (biometric) |
|---|---|
| Security | Very High |
| Features | Passwordless; usernameless; phishing resistant |
Passkeys are a modern, user-friendly, and phishing-resistant authentication method designed to replace passwords entirely. Built on WebAuthn and FIDO2 standards, passkeys enable passwordless and usernameless logins, relying instead on cryptographic keys stored on the user’s device (e.g., smartphone, laptop, or security key). They simplify the user experience by eliminating the need to remember or enter credentials, while also providing stronger security than traditional passwords.
The AAGUID (Authenticator Attestation GUID) identifies the passkey provider; use it to display a user-friendly name (e.g., “iPhone Passkey”) for better clarity and management.
Synced passkeys are stored encrypted in the cloud and automatically synchronized across a user’s registered devices, such as through iCloud Keychain or Google Password Manager. This allows users to log in passwordlessly from any of their trusted devices, offering convenience and flexibility.
Essentially passkeys act like a direct interface between the server and the password manager.
Device-bound passkeys are permanently tied to a single device, such as a smartphone, laptop, or hardware security key. They cannot be exported or synced, providing stronger security by ensuring the private key never leaves the device.
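To make the AAGUID and the synced versus device-bound distinction concrete, here is an added example (not code from the original page) that parses the WebAuthn authenticator data returned during registration, extracts the AAGUID and credential ID, and reads the backup-eligible (BE) and backup-state (BS) flags that tell the relying party whether a passkey can be or is synced. The AAGUID-to-name table is constructed for the example; a real deployment would load the FIDO Metadata Service or a community-maintained list.

```python
import struct
import uuid

# Bits of the WebAuthn authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced
FLAG_BS = 0x10  # backup state: the credential is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, key) included

# Constructed AAGUID -> display-name table. These AAGUIDs are made up for the example.
KNOWN_AAGUIDS = {
    "11111111-2222-3333-4444-555555555555": "Example Cloud Passkey",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "Example Hardware Key",
}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of authenticator data and, when the AT flag
    is set, the attested credential data that follows it."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    result = {
        "rp_id_hash": rp_id_hash.hex(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 37 + 18:
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=auth_data[37:53])
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credential id truncated")
        result["aaguid"] = str(aaguid)
        result["credential_id"] = cred_id.hex()
        # The COSE public key (CBOR) follows the credential id; it is not needed for naming.
    return result


def display_name(parsed: dict) -> str:
    """Friendly name for the management page: provider name plus synced/device-bound."""
    base = KNOWN_AAGUIDS.get(parsed["aaguid"], "Unknown passkey")
    kind = "synced" if parsed["backup_eligible"] else "device-bound"
    return f"{base} ({kind})"


def build_sample_auth_data(aaguid: str, flags: int) -> bytes:
    """Constructed sample registration authenticator data, used to exercise the parser."""
    return (
        bytes(32)                                   # rp_id_hash placeholder
        + bytes([flags])
        + struct.pack(">I", 0)                      # signature counter
        + uuid.UUID(aaguid).bytes
        + struct.pack(">H", 4) + b"\x01\x02\x03\x04"  # 4-byte credential id
        + b"\xa0"                                   # empty CBOR map standing in for the COSE key
    )
```

A passkey registered with BE set should be listed as synced; one without it is device-bound, which is the signal to use when a policy requires hardware-bound credentials for sensitive roles.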
Hardware security keys can be provisioned and distributed to users, but this is expensive and time-consuming. Most often companies let users provision their own security key, which can then also be used to access multiple services.
The best-known hardware security key is the YubiKey, but keys are sold by many vendors, such as OneSpan.
TOTP
| Factors | Something you have (device) |
|---|---|
| Security | Medium |
| Features | Commonly used |
TOTP (Time-based One-Time Passcode) is a temporary, time-sensitive passcode generated by an algorithm using the current time and a shared secret key. Each code is valid only for a short period (usually 30 seconds), adding an extra layer of security for authentication.
OATH (Initiative for Open Authentication) is an industry standard that defines the protocols behind TOTP. It ensures compatibility and interoperability between servers and authenticator apps. It is supported by authenticator apps such as:
- Aegis Authenticator
- Google Authenticator
- Microsoft Authenticator
To set up TOTP, users scan a QR code with their authenticator app and enter the
generated code to confirm it works. On mobile devices, since scanning a QR code
displayed on the same screen isn’t practical, use an otpauth:// URL to
directly open and configure the authenticator app.
The authentication server should implement an OTP window, a setting to account for clock synchronization differences. This improves user experience by accepting codes generated in the previous, current, and next time intervals. This flexibility accounts for minor clock differences between the server and user device, reducing failed logins.
SMS OTP (One time passcode)
| Factors | Something you have (phone with number) |
|---|---|
| Security | Low |
| Features | Commonly used; no onboarding |
SMS OTP (One-Time Password) is a widely used multi-factor authentication method where a temporary, numeric code is sent to a user’s mobile phone via text message after they enter their username and password. This code, typically 4–6 digits long, is valid for a short period (often a few minutes) and must be entered into the login prompt to complete authentication.
Attackers may perform SIM swaps to intercept SMS-based OTP codes.
Email OTP
| Factors | Something you have (access to mailbox) |
|---|---|
| Security | Very low |
| Features | Commonly used; no onboarding |
Email OTP sends a one-time code to the user’s inbox for login verification. If self-service password reset is enabled, email OTP effectively provides only one factor, since the same mailbox controls both the password and the code.
Magic links are a passwordless authentication method that sends users a URL, allowing them to log in securely by clicking the link instead of entering the OTP code. Consider using them in combination with the OTP code to improve user experience.
Mobile App Push notifications
| Factors | Something you have (smartphone with app) |
|---|---|
| Security | High |
| Features | Easy to use |
Mobile App Push Notifications authenticate users by sending an approval push notification to a smartphone app. This method is user-friendly, as it only requires a tap to approve or deny login attempts. It also encourages app adoption.
MFA fatigue attacks exploit push notifications by overwhelming users with repeated authentication prompts until they accidentally approve one.
Backup security codes
| Factors | Something you have (a note with the codes) |
|---|---|
| Security | Low |
| Features | Possible offline backup |
Backup Security Codes are single-use, one-time passcodes (OTPs) provided as a last-resort authentication method when other MFA options are unavailable. They should be displayed only once, never sent via email, and users should be allowed to regenerate them if needed. It’s best to notify users (via email or SMS) whenever a backup code is used. However, these codes should be avoided if alternative MFA methods are available, as users often do not store them securely.
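As an added example (not from the original page), this Python snippet implements the backup-code lifecycle described above: codes are generated from a CSPRNG, shown once, stored only as salted PBKDF2 hashes, and consumed on first successful use so each code is single-use. The code length and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10
CODE_BYTES = 5          # 40 bits of entropy per code, rendered as 10 hex characters
PBKDF2_ITERATIONS = 100_000


def generate_backup_codes(n: int = CODE_COUNT) -> list[str]:
    """Plain codes, formatted xxxxx-xxxxx, to be shown to the user exactly once."""
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(CODE_BYTES)
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalise what the user types (dashes, case, whitespace) before hashing.
    normalized = code.replace("-", "").strip().lower()
    # A slow hash matters here: 40-bit codes are brute-forceable offline if the
    # database leaks and the hashes are plain SHA-256.
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, PBKDF2_ITERATIONS)


def store_backup_codes(codes: list[str]) -> dict:
    """What the server persists per user: a salt and the hashes, never the plain codes."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hashes": {_hash_code(c, salt) for c in codes}}


def redeem_backup_code(store: dict, candidate: str) -> bool:
    """Single use: the matching hash is removed on success. Returns True if accepted.
    The caller should notify the user that a backup code was used."""
    digest = _hash_code(candidate, store["salt"])
    for stored in list(store["hashes"]):      # iterate over a copy; the set is mutated below
        if hmac.compare_digest(stored, digest):
            store["hashes"].remove(stored)
            return True
    return False


def remaining_codes(store: dict) -> int:
    return len(store["hashes"])
```

Regenerating codes simply replaces the stored dictionary, which invalidates every previously issued code at once. Rate-limit the redeem endpoint like any other OTP check; the hash slows offline guessing, not online guessing.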
External Authentication
External authentication delegates user verification to a trusted third-party service or identity provider (IdP).
Itsme
Belgian eID
| Factors | Something you have (eID card); something you know (PIN) |
|---|---|
| Security | High |
| Features | All Belgian citizens have one; validate identity information |
Authentication with Belgian eID cards is a secure method exclusively for Belgian citizens, using their national electronic identity card. It requires a card reader and the user’s PIN code, though many users forget or don’t know their PIN. Web authentication relies on mutual TLS (mTLS), ensuring encrypted communication between the card and the server. Organizations must maintain the PKI infrastructure, including government-issued CA certificates and support for evolving cryptographic schemes, to ensure compatibility and security.
Federation with the company IdP
| Factors | Depends on the IdP |
|---|---|
| Security | High |
| Features | Very user friendly |
Federation with a client’s company Identity Provider (IdP), such as Microsoft Entra ID, allows users to authenticate directly through their organization’s system. This setup enables Single Sign-On (SSO), making it user-friendly by letting employees log in with their corporate credentials. Federation is typically based on the user’s email domain, automatically redirecting them to their company’s login portal. In OpenID Connect (OIDC), you can use the acr_values parameter to request specific authentication assurance levels. A direct link specific to the company should also be created so it can be shown on the company’s web portal.
Federation with de facto standard and social IdPs
| Factors | Depends on the IdP |
|---|---|
| Security | High |
| Features | Very user friendly |
Federation with de facto standard and social IdPs (like GitHub, Google, Microsoft, Facebook, or LinkedIn) lets users log in to your service using their existing social or professional accounts.
Considerations when implementing MFA
Temporarily trust a device for a set number of days to skip MFA prompts.
- Trusted Browsers: Use a secure cookie to maintain trust.
- Mobile Apps: Store an OIDC refresh token securely, avoiding indefinite reuse.
- Desktop Apps: Trust mechanisms vary by implementation.
Registration
If MFA is mandatory, provide a simple, step-by-step setup wizard to guide users through the configuration process.
Managing MFA methods
Enable users to manage their authentication methods through self service. They should be able to view their recent logins, including location, IP, and method used, as well as see when each authentication method was created and last used, for example, “Passkey (Windows): Created on 2025-10-13 00:11, last used on 2025-10-13 00:11.”
Allow users to add, reset, or remove authentication methods, and ensure they can clearly see which account they are modifying by displaying their username, email, and other account information. Before permitting any changes, verify the user’s identity with a high level of assurance.
Support the creation of multiple authentication methods of the same type, such as several authenticator apps or passkeys, to provide flexibility and backup options.
Password reset
Don’t forget to ask for a second factor after letting the user reset their password. This prevents malicious actors from gaining access to an account by doing a password reset.
Helpdesk support
Allow the helpdesk to help a user regain access to their account, but guard against social engineering attacks: make sure the helpdesk thoroughly identifies the user.
Audit logging
Robust MFA audit logging is essential. Track when users add or use an authentication method, capturing key details like time, device, IP, location, and method type. This visibility helps detect anomalies, supports compliance, and enables quick incident response.
Consider step-up authentication
To improve user experience we don’t have to ask the user to authenticate with multiple factors during their initial login. We can provide limited access to the application with an easy-to-use method such as a simple password, magic link or trusted device, but only show less sensitive data and allow limited actions. If the user wants to take sensitive actions, we can increase or ‘step up’ our assurance level by requesting that the user authenticates with a second factor.
Ideally the fine-grained authorization policy engine can handle policies where a certain assurance level is required. In OIDC the amr and acr claims can be used to check the assurance level.
Rollout
A phased rollout of multi-factor authentication (MFA) ensures a smoother, more effective implementation by allowing users to adapt gradually, reducing the risk of disruptions, and giving your IT and support teams the bandwidth to address issues as they arise. Starting with high-priority systems or user groups lets you focus resources where they’re needed most, while gathering feedback at each stage helps refine the process before wider adoption. This approach not only minimizes operational risks and user resistance but also ensures that security improvements are sustainable and aligned with both business needs and user experience. Ultimately, it’s about achieving strong security without compromising productivity or overwhelming your teams.
Preparation
When preparing for an MFA rollout, it is important to:
- Ensure each user has only one account to avoid confusion or duplication.
- Verify that user contact details, such as phone numbers and email addresses, are accurate and up to date.
- Confirm that your Identity and Access Management (IAM) system fully supports the authentication methods you plan to implement.
Phase 0: Enable MFA
Phase 1: Focus group
Learn lessons to improve user experience.
Phase 2a: Recommend MFA for critical accounts
Phase 2b: Enforce MFA for critical accounts
Phase 3a: Recommend MFA for everyone
Phase 3b: Enforce MFA for everyone
Non-human account access delegation
Allow services to access APIs on the user’s behalf using a dedicated API security mechanism, preferably [[OAuth]]. People often want to build automations; the non-human service should not use the user’s credentials.
Sources
https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html
https://www.cyber.gc.ca/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105