Which is a two step authentication that uses a device in addition to the password used to authenticate a user?

  • 08/25/2022
Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.

If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.

Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods:

  • Something you know, typically a password.
  • Something you have, such as a trusted device that's not easily duplicated, like a phone or hardware key.
  • Something you are - biometrics like a fingerprint or face scan.

Azure AD Multi-Factor Authentication can also further secure password reset. When users register themselves for Azure AD Multi-Factor Authentication, they can also register for self-service password reset in one step. Administrators can choose forms of secondary authentication and configure challenges for MFA based on configuration decisions.

You don't need to change apps and services to use Azure AD Multi-Factor Authentication. The verification prompts are part of the Azure AD sign-in, which automatically requests and processes the MFA challenge when needed.

Note

The prompt language is determined by browser locale settings. If you use custom greetings but don’t have one for the language identified in the browser locale, English is used by default. Network Policy Server (NPS) will always use English by default, regardless of custom greetings. English is also used by default if the browser locale can't be identified.

Available verification methods

When users sign in to an application or service and receive an MFA prompt, they can choose from one of their registered forms of additional verification. Users can access My Profile to edit or add verification methods.

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

  • Microsoft Authenticator app
  • Windows Hello for Business
  • FIDO2 security key
  • OATH hardware token (preview)
  • OATH software token
  • SMS
  • Voice call

You can use security defaults in Azure AD tenants to quickly enable Microsoft Authenticator for all users. You can enable Azure AD Multi-Factor Authentication to prompt users and groups for additional verification during sign-in.

For more granular controls, you can use Conditional Access policies to define events or applications that require MFA. These policies can allow regular sign-in when the user is on the corporate network or a registered device but prompt for additional verification factors when the user is remote or on a personal device.

Next steps

To learn about licensing, see Features and licenses for Azure AD Multi-Factor Authentication.

To learn more about different authentication and validation methods, see Authentication methods in Azure Active Directory.

To see MFA in action, enable Azure AD Multi-Factor Authentication for a set of test users in the following tutorial:

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

Why is MFA Important?

The main benefit of MFA is that it enhances your organization's security by requiring your users to identify themselves by more than a username and password. While important, usernames and passwords are vulnerable to brute force attacks and can be stolen by third parties. Enforcing the use of an MFA factor like a thumbprint or physical hardware key means increased confidence that your organization will stay safe from cyber criminals.

How Does MFA work?

MFA works by requiring additional verification information (factors). One of the most common MFA factors that users encounter is the one-time password (OTP). OTPs are those 4-8 digit codes that you often receive via email, SMS or some sort of mobile app. With OTPs, a new code is generated periodically or each time an authentication request is submitted. The code is generated based upon a seed value that is assigned to the user when they first register and some other factor, which could simply be a counter that is incremented or a time value.

Three Main Types of MFA Authentication Methods

Most MFA authentication methodology is based on one of three types of additional information:

  • Things you know (knowledge), such as a password or PIN
  • Things you have (possession), such as a badge or smartphone
  • Things you are (inherence), such as a biometric like fingerprints or voice recognition

MFA Examples

Examples of Multi-Factor Authentication include using a combination of these elements to authenticate:

Knowledge
  • Answers to personal security questions
  • Password
  • OTPs (Can be both Knowledge and Possession - You know the OTP and you have to have something in your Possession to get it like your phone)
Possession
  • OTPs generated by smartphone apps
  • OTPs sent via text or email
  • Access badges, USB devices, Smart Cards or fobs or security keys
  • Software tokens and certificates
Inherence
  • Fingerprints, facial recognition, voice, retina or iris scanning or other Biometrics
  • Behavioral analysis

Other Types of Multi-Factor Authentication

As MFA integrates machine learning and artificial intelligence (AI), authentication methods become more sophisticated, including:

Location-based

Location-based MFA usually looks at a user’s IP address and, if possible, their geo location. This information can be used to simply block a user’s access if their location information does not match what is specified on a whitelist or it might be used as an additional form of authentication in addition to other factors such as a password or OTP to confirm that user’s identity.

Adaptive Authentication or Risk-based Authentication

Another subset of MFA is Adaptive Authentication, also referred to as Risk-based Authentication. Adaptive Authentication analyzes additional factors by considering context and behavior when authenticating and often uses these values to assign a level of risk associated with the login attempt. For example:

  • Where is the user when trying to access information?
  • When is the user trying to access company information? During normal hours or during "off hours"?
  • What kind of device is used? Is it the same one used yesterday?
  • Is the connection via private network or a public network?

The risk level is calculated based upon how these questions are answered and can be used to determine whether or not a user will be prompted for an additional authentication factor or whether or not they will even be allowed to log in. Thus another term used to describe this type of authentication is risk-based authentication.

With Adaptive Authentication in place, a user logging in from a cafe late at night, an activity they do not normally do, might be required to enter a code texted to the user’s phone in addition to providing their username and password. Whereas, when they log in from the office every day at 9 am they are simply prompted to provide their username and password.
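The location check and the risk questions above can be combined into one sign-in decision. The following is an added example, not code from the original article or from any product: the networks, country allowlist, usual hours, weights and threshold are all constructed assumptions, as are the names `SignIn` and `evaluate`.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy values (assumptions, not taken from any product).
CORPORATE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_COUNTRIES = {"US", "CA"}      # location allowlist
USUAL_HOURS = range(8, 19)            # 08:00 to 18:59 local time
STEP_UP_THRESHOLD = 30                # score at which a second factor is required


@dataclass
class SignIn:
    user: str
    source_ip: str
    country: str
    local_hour: int
    device_id: str


def evaluate(attempt: SignIn, known_devices: dict) -> tuple:
    """Return (decision, score, reasons) for a sign-in whose password already verified."""
    try:
        ip = ipaddress.ip_address(attempt.source_ip)
    except ValueError:
        return "deny", 100, ["unparseable source address"]  # fail closed
    if attempt.country not in ALLOWED_COUNTRIES:
        return "deny", 100, ["country not on allowlist"]
    score, reasons = 0, []
    if not any(ip in net for net in CORPORATE_NETWORKS):
        score += 30
        reasons.append("outside corporate network")
    if attempt.local_hour not in USUAL_HOURS:
        score += 15
        reasons.append("outside usual hours")
    if attempt.device_id not in known_devices.get(attempt.user, set()):
        score += 30
        reasons.append("device not seen before")
    decision = "require_mfa" if score >= STEP_UP_THRESHOLD else "password_only"
    return decision, score, reasons


# Constructed sample data: the office and cafe sign-ins from the text above.
KNOWN_DEVICES = {"alice": {"laptop-01"}}
OFFICE = SignIn("alice", "198.51.100.23", "US", 9, "laptop-01")
CAFE = SignIn("alice", "203.0.113.77", "US", 23, "laptop-01")

if __name__ == "__main__":
    for attempt in (OFFICE, CAFE):
        print(attempt.source_ip, evaluate(attempt, KNOWN_DEVICES))
```

Returning the reasons alongside the decision gives the sign-in log a record of why a step-up or block was triggered.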

Cyber criminals spend their lives trying to steal your information and an effective and enforced MFA strategy is your first line of defense against them. An effective data security plan will save your organization time and money in the future.

What's the Difference between MFA and Two-Factor Authentication (2FA)?

MFA is often used interchangeably with two-factor authentication (2FA). 2FA is basically a subset of MFA since 2FA restricts the number of factors that are required to only two factors, while MFA can be two or more.

What is MFA in Cloud Computing

With the advent of Cloud Computing, MFA has become even more necessary. As companies move their systems to the cloud, they can no longer rely upon a user being physically on the same network as a system as a security factor. Additional security needs to be put into place to ensure that those accessing the systems are not bad actors. As users are accessing these systems anytime and from anyplace, MFA can help ensure that they are who they say they are by prompting for additional authentication factors that are more difficult for hackers to imitate or use brute force methods to crack.

MFA for Office 365

Many cloud-based systems, like AWS or Microsoft's Office 365 product, provide their own MFA offerings. Office 365 by default uses Azure Active Directory (AD) as its authentication system, and there are a few limitations. For example, you have only four basic options for the type of additional authentication factor users can use: Microsoft Authenticator, SMS, Voice and OATH Token. You also might have to spend more on licensing depending on the types of options you want available and whether or not you want to control exactly which users will need to use MFA.

Identity as a Service (IDaaS) solutions like OneLogin offer many more MFA authentication methods when it comes to authentication factors and they integrate more easily with applications outside of the Microsoft ecosystem.

What are the two steps of authentication?

Two-factor authentication (2FA) is a security system that requires two separate, distinct forms of identification in order to access something. The first factor is a password and the second commonly includes a text with a code sent to your smartphone, or biometrics using your fingerprint, face, or retina.

What is a two

Two-factor authentication (also known as 2FA or two-step verification) is a method to confirm a user's claimed online identity by using a combination of two different types of factors. A password is typically considered one factor, and with 2FA that is combined with another factor to increase login security.

What are three examples of two

What is two-factor authentication?
  • Something you know, like a password or PIN.
  • Something you have, like your ATM card, or your phone.
  • Something you are, like a fingerprint or voice print.

Is PIN and password two

Two factor authentication is based on the user providing two of the following three “somethings”: Something you Know – the password or pin for an account. Something you Have – a physical device such as a mobile phone or a software application that can generate one-time passwords.