
Authentication Fundamentals & MFA

Authentication is the process of verifying that a user is who they claim to be. It is the first line of defence in access control — if authentication fails, nothing else matters. Weak authentication undermines every other security control: no amount of fine-grained authorization, encryption, or monitoring can protect a system if an attacker can simply log in as a legitimate user.

The authentication landscape has changed dramatically in the last decade. The industry is moving from knowledge-based (password) authentication toward possession-based and biometric methods, driven by the recognition that passwords are fundamentally broken as a primary authentication mechanism.

Authentication Factors

Authentication factors fall into three classic categories, often remembered as “something you know, have, or are”; location and behaviour are sometimes treated as additional, contextual factors, as the table below shows. True multi-factor authentication requires factors from at least two different categories.

| Factor Type | Examples | Security Level | Phishable? | User Friction |
|---|---|---|---|---|
| Knowledge (something you know) | Password, PIN, security question | Low | Yes | Low |
| Possession (something you have) | Phone, hardware token, smart card, TOTP seed | Medium-High | Depends | Low-Medium |
| Inherence (something you are) | Fingerprint, face, voice, iris, palm vein | High | No (biometric liveness) | Low (passive) |
| Location (somewhere you are) | Geo-IP, GPS, network subnet, Wi-Fi SSID | Contextual | Yes (VPN spoofing) | None (passive) |
| Behaviour (something you do) | Typing rhythm, mouse movement, gait pattern | Emerging | Low | None (passive) |

Single-Factor vs. Multi-Factor

  • Single-factor authentication (1FA) — Uses one factor (typically a password). Compromised if the single factor is stolen or guessed.
  • Two-factor authentication (2FA) — Uses two factors from different categories (e.g., password + TOTP code). Requires the attacker to compromise both channels.
  • Multi-factor authentication (MFA) — Uses two or more factors from different categories. MFA and 2FA are often used interchangeably, but strictly MFA can include more than two factors.

Caution

Using two factors from the SAME category (e.g., password + PIN, or fingerprint + facial recognition) is NOT multi-factor authentication. Both are knowledge factors or both are biometric factors. True MFA requires factors from different categories.

Password Authentication — The Current Reality

Despite decades of advancement in authentication technology, passwords remain the most common authentication method — and the most vulnerable. The challenge is that passwords are both economically and practically difficult to replace at scale.

Password Policy Best Practices — Modern Approach (NIST SP 800-63B)

| Policy | Traditional Approach | Modern NIST Recommendation | Rationale |
|---|---|---|---|
| Minimum length | 8 characters | 12+ characters | Length is the strongest predictor of password strength against brute force |
| Complexity | Require uppercase, lowercase, digit, special character | Not required | Composition rules encourage predictable patterns (Password1!), not actual strength |
| Expiration | Mandatory 30/60/90 day rotation | Do not require periodic rotation | Users choose weaker passwords when forced to change frequently. Only rotate when compromise is suspected |
| Password history | Remember last 10 passwords | Check against known breach databases (haveibeenpwned API) | A unique but weak password is still weak |
| Password hints | Allowed | Prohibit | Hints == security questions (easily guessed or socially engineered) |
| Multi-factor | Optional | Required — always enable MFA | MFA is the most effective compensating control for password weaknesses |

How Attackers Compromise Passwords

| Attack | Method | Mitigation |
|---|---|---|
| Brute force | Systematically try all possible password combinations | Account lockout after N failed attempts, rate limiting, CAPTCHA |
| Credential stuffing | Use username/password pairs from previous breaches against other services | Breach detection (haveibeenpwned), MFA, unique passwords per service |
| Phishing | Trick user into entering credentials on a fake login page | Security awareness training, FIDO2/WebAuthn (phishing-resistant), email filtering |
| Spear phishing | Targeted phishing using personal information | Advanced email security, hardware token MFA |
| Keylogging | Malware captures keystrokes | Endpoint protection, hardware-based auth (FIDO2), application allowlisting |
| Pass-the-hash | Reuse NTLM password hashes to authenticate to Windows systems | Credential Guard, LSA protection, disable NTLM where possible |
| Rainbow table | Precomputed hash lookup for common passwords | Salted password hashing (bcrypt, scrypt, Argon2) |
| Password spraying | Try common passwords against many accounts | Rate limiting per IP, MFA, monitoring for unusual login patterns |

Multi-Factor Authentication (MFA)

MFA significantly reduces the risk of account compromise. According to Microsoft, MFA blocks 99.9% of automated attacks. Organisations with MFA enforcement experience 99% fewer account compromises than those without.

MFA Methods Compared in Depth

| Method | User Experience | Security Level | Phishing Resistance | Deployment Complexity | Cost |
|---|---|---|---|---|---|
| SMS OTP | Good — works on any phone | Low — vulnerable to SIM swap, SS7 attacks | None — phishable | Low — carrier integration | Low (per-message cost) |
| Voice OTP | Moderate — requires phone call | Low — similar to SMS | None | Low | Low |
| TOTP (Google/Microsoft Authenticator) | Moderate — open app, type code | High — seed is local, time-limited | Low — code is phishable | Low — QR code setup | Free |
| Push notification (Okta Verify, MS Authenticator) | Excellent — tap approve/reject | High — app-bound, user must actively approve | Medium — MFA fatigue risk | Medium — app installation required | Free–Moderate |
| FIDO2 / WebAuthn | Excellent — touch key or biometric | Very high — private key never leaves device | Very high — origin-bound, cannot be phished | Medium — platform/browser support required | Moderate |
| Hardware token (YubiKey, Feitian) | Good — insert/tap device | Very high — dedicated hardware, tamper-resistant | Very high — origin-bound | Medium — token distribution logistics | Moderate–High ($20-70/token) |
| Smart card (PIV/CAC) | Moderate — insert + PIN | Very high — cryptographic key on card, PIN-protected | Very high — origin-bound | High — PKI infrastructure required | High ($50-100/card + PKI) |

MFA Deployment Architecture

User
├── Primary Auth (Password + TOTP)
│   │
│   └── IdP verifies credentials → Issues session token
└── Step-up Auth (FIDO2 hardware key)
    └── IdP challenges for high-risk action → Issues elevated token

  • Primary MFA — Required at every login for every user. Typically TOTP or push notification.
  • Step-up MFA — Additional factor required for high-risk actions (admin console access, password change, large data export) even if the user already has an active session.

MFA Bypass Attack Vectors

Even MFA is not invulnerable. Understanding bypass techniques is essential for IAM professionals:

| Attack | How It Works | Target | Mitigation |
|---|---|---|---|
| MFA fatigue | Attacker repeatedly sends push MFA requests until the user accepts (often dozens of notifications in minutes) | Push notification MFA | Number matching (user must enter a number shown on screen), rate limiting push requests |
| SIM swapping | Socially engineer mobile carrier to transfer victim’s phone number to attacker’s SIM | SMS OTP | Port-out PIN, TOTP or hardware token instead of SMS |
| Session cookie theft | Steal post-MFA session cookie via XSS, malware, or proxy | Any web-based MFA | Short session lifetimes, HTTP-only cookies, device binding, token binding |
| Man-in-the-middle (evilginx) | Proxy authentication flow between user and legitimate site, capturing both password and MFA code | Any phishable MFA (SMS, TOTP) | FIDO2/WebAuthn (origin-bound, cannot be proxied) |
| Adversary-in-the-middle (AiTM) | Same as MITM but with real-time session cookie reuse | OIDC/SAML-based flows | Token binding, certificate-based authentication |
| OAuth token replay | Steal OAuth access token and replay from attacker’s device | OAuth-based flows | Sender-constrained tokens (DPoP), token binding |

Danger

MFA fatigue attacks are increasingly common and effective. In 2024, multiple high-profile breaches were attributed to MFA fatigue. Deploy number-matching push notifications or FIDO2 to mitigate this vector.

Passwordless Authentication

Passwordless authentication eliminates passwords entirely, replacing them with cryptographic key pairs. The goal is to remove both the usability burden and the security risk of passwords.

FIDO2 / WebAuthn — The Passwordless Standard

FIDO2 is the set of specifications developed by the FIDO Alliance that enables passwordless, phishing-resistant authentication. It includes the WebAuthn standard (W3C) and the CTAP protocol (for external authenticators).

FIDO2 Registration Flow

  1. User navigates to service and initiates registration
  2. Service generates a random challenge and sends it to the user’s device
  3. User’s device creates a public-private key pair
  4. User verifies identity using a local gesture (biometric scan, PIN, or device unlock)
  5. Device signs the challenge with the private key and sends the public key to the service
  6. Service stores the public key associated with the user account
  7. Result: Private key never leaves the device. Public key is stored server-side.

FIDO2 Authentication Flow

  1. User attempts to log in by providing username
  2. Service sends a challenge to the user’s device
  3. Device prompts user for local gesture (biometric or PIN)
  4. Device signs the challenge with the private key
  5. Service verifies the signature using the stored public key
  6. Result: No password transmitted. No shared secret. Phishing-resistant because the private key is bound to the origin domain.

Why FIDO2 Is Phishing-Resistant

Traditional MFA (SMS, TOTP) can be phished — the attacker’s fake site captures both the password and the one-time code. FIDO2 prevents this because:

  • The private key is bound to the origin (the domain name) at registration time
  • The browser enforces this binding — the private key is only released to the correct origin
  • A phishing site at evil.example.com cannot use the credential registered for example.com
  • The credential cannot be phished, stolen from the server, or replayed

Passwordless Deployment Considerations

| Factor | Consideration |
|---|---|
| User enrollment | Users need a FIDO2-compatible authenticator (platform: Touch ID, Windows Hello; or roaming: YubiKey) |
| Fallback mechanism | TOTP or recovery codes for lost devices or unsupported platforms |
| Recovery flow | How does a user regain access if they lose their FIDO2 key? (Recovery codes, admin reset, secondary email) |
| Platform support | FIDO2 is supported in all major browsers (Chrome, Edge, Firefox, Safari) and platforms (Windows, macOS, iOS, Android) |
| Hardware distribution | For enterprise roaming keys, plan distribution logistics, initial setup, and key replacement processes |

Risk-Based Authentication (Adaptive Authentication)

Risk-based authentication (RBA) evaluates the risk level of each authentication attempt and adjusts the required authentication strength accordingly:

| Risk Factor | Low Risk | High Risk |
|---|---|---|
| Device | Known, corporate-managed device | Unknown device, personal device |
| Location | Corporate office, home office | Foreign country, known high-risk region |
| Time | Business hours, normal work hours | 3 AM, outside normal pattern |
| Network | Corporate VPN, trusted IP range | Public Wi-Fi, Tor exit node, data centre IP |
| Behaviour | Normal application usage pattern | Large data download, first-time admin access |
| Credential type | Password + MFA | Only password (prompt for MFA) |

  • Low risk → Passwordless or password + device trust (seamless experience)
  • Medium risk → Standard MFA (TOTP or push)
  • High risk → Step-up MFA with FIDO2 hardware key + justification required

Authentication Protocol Comparison

| Protocol | Auth Type | Token Format | Use Case | Passwordless? |
|---|---|---|---|---|
| Password-based | Traditional | Session cookie | Legacy web apps | No |
| SAML 2.0 | Federated | XML assertion | Enterprise SSO, government | Yes (with FIDO2) |
| OAuth 2.0 | Delegated authorization | Bearer token | API access, app permissions | N/A (authorization, not auth) |
| OpenID Connect (OIDC) | Federated identity | JWT (ID token) | Modern web and mobile SSO | Yes |
| WebAuthn (FIDO2) | Passwordless | Public key cryptography | Passwordless, phishing-resistant | Yes |
| Kerberos | Network authentication | Ticket | Windows domain auth | Yes (with smart card) |

Key Takeaways

  • Authentication factors must come from different categories (knowledge, possession, inherence) for true MFA — using two factors from the same category is not MFA
  • Password policies should prioritise length (12+ characters) and MFA enablement over complexity rules and periodic rotation per NIST SP 800-63B
  • MFA blocks 99.9% of automated attacks — it is the single most impactful security control an organisation can deploy
  • MFA is not invulnerable — understand bypass vectors (MFA fatigue, SIM swap, session token theft, Adversary-in-the-Middle)
  • FIDO2/WebAuthn provides phishing-resistant, passwordless authentication using public-key cryptography — the private key is bound to the origin domain and never leaves the user’s device
  • Risk-based authentication adjusts auth requirements based on contextual risk factors (device, location, time, behaviour) to balance security and user experience
  • The industry is moving toward passwordless as the long-term authentication goal, with FIDO2 as the leading standard