The difference between 2FA and MFA
Delinea Team
Did you know that all two-factor authentication (2FA) is multi-factor authentication (MFA), but not all MFA is 2FA?
You probably did know that but never thought of it that way. Likewise, every nerd is a human, but not every human is a nerd—I love it!
But, back to authentication . . .
What is the difference between 2FA and MFA?
MFA simply uses several forms of authentication for even tighter security
Yup. That’s right. MFA just means using multiple forms of authentication to get access. Wikipedia says (emphasis is mine):
Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism—typically at least two of the following categories:
- knowledge (something they know)
- possession (something they have)
- inherence (something they are)
2FA is a subset of that. Just a type of MFA where you only need two pieces of evidence—two “factors.”
At the ATM, that means your PIN (something you know), and your card (something you have). When you log in to Google, Twitter, or LinkedIn, or you make a purchase on Amazon, you can use their two-step validation to require your password (something you know) and a special text sent to your phone (something you have). If you don’t have your password and your phone—you don’t get in.
If you added another factor, say a USB key that you had to stick into your laptop, on top of your phone and your password, you’d now need three things for access. This isn’t often the case, because it gets cumbersome, which is why we never hear of “3FA” (or 4FA or 5FA). We don’t need those terms because they are rare and because they are implied by the “multiple” in MFA.
2FA is a subset of MFA—they actually aren’t that different
People who don’t live and breathe security every day, and those who dare to delve into our world of acronyms, often think 2FA and MFA are more different than they really are. 2FA is just a subset of MFA. Just like squares are a subset of rectangles, and nerds like me are a subset of humanity.
The good news: whether it’s just two factors, or three or more, MFA in general is the way to make our accounts much, much harder for attackers to break into. Using only a single factor, like a password, means that attackers have a very easy way to get in. Steal or crack the password. Done.
When you couple that with another factor, the bad guys have a lot more work to do. And if we in the industry do this well, the users don’t have a lot more to do. That’s the goal. Easy for users, hard for attackers.
That’s why biometrics are becoming popular. We can use something we know and something we are to provide multiple factors. A fingerprint is hard to steal or crack. So is a retina scan. Or the specific way we walk. Or where we go every day. These things can all be used as additional factors to prove our identity, without requiring users to carry something else around like a card or key fob or you name it.
Delinea has a flexible set of factors that can be used to prove identity—with or without a password—to thwart attackers and make employees’ lives easier.