Authentication is simply proving that you are who you say you are, and it’s a vital part of logging in to any account. We have to be able to trust that you're the user who owns the account and you have the right to access the data.
I’ve no doubt you’ll be very familiar with using a username and password to authenticate, but you might not know what multi-factor authentication (MFA) or two-factor authentication (2FA) is. This article will explain.
There are three ways to authenticate:
- What you know
- What you have
- What you are
A username and password belong to the first type. This is a unique combination that (theoretically) only you know. This is the first ‘factor’.
Multi-factor (or two-factor) authentication adds at least one of the other two types on top of the first.
What you have
‘What you have’ usually refers to a physical device that can only be in one place at a time - ordinarily your smartphone.
If we combine this ‘factor’ with your username and password as part of a login procedure, any would-be hacker must both know what you know and have what you have in order to impersonate you. This is far more difficult than simply brute-forcing (using a computer to guess over and over again) your email and password combination.
What you are
What you are, we assume, is a human being, and every human is (practically) unique in a few useful ways…at least for authentication and identification purposes.
Your fingerprint, iris, retina, hand geometry, voice and face can all be used for authentication with varying degrees of accuracy and security.
Each of these factors is fallible on its own, as anyone who has ever had their phone stolen or email account hacked can attest. It is their use in combination, however, that makes them powerful.
At Applied, we use a two-factor approach that combines a username and password with a one-time passcode generated by the user’s mobile device.
If you’d like to explore enabling multi-factor authentication for your organisation, please reach out to your Customer Success Manager or firstname.lastname@example.org