Multi-factor authentication
What is MFA?
Multi-factor authentication (MFA) is a security method that adds an extra layer of protection during the login process. It requires users to provide multiple credentials to establish their digital identity.
There are two primary types of authentication:
- SFA/1FA (Single-Factor Authentication): This is the initial login method, typically requiring a username/email/phone and password.
- MFA/2FA (Multi-Factor Authentication/Two-Factor Authentication): MFA mandates at least two different verification methods for accessing your account, effectively strengthening your defense against unauthorized access.
Authentication factors are the measures that verify your identity. They are grouped by the attribute they rely on, and you can choose from the following:

| Types | What it means | Verification factors (Logto supported) |
|---|---|---|
| Knowledge | Something you know | Password, Email verification code, and Backup codes |
| Possession | Something you have | SMS verification code, Authenticator app OTP, Hardware OTP (Security key) |
| Inherence | Something you are | Biometrics like fingerprints, face ID |
In an MFA flow, the second authentication step must employ a different attribute type (Knowledge/Possession/Inherence) than the first. For example, using "Password (Knowledge)" as the first factor and "Authenticator app OTP (Possession)" as the second factor can effectively mitigate various attack vectors.
Why do we need MFA?
MFA is a vital security measure, particularly for B2B and B2E services. It is widely adopted in today's digital landscape for multiple reasons:
- Account hacking: Unauthorized account access remains a significant security threat. However, MFA offers strong protection, effectively blocking 99.9% of account hacks, particularly those stemming from password breaches. It serves as a cost-effective enhancement to security, supplemented by strategies like passwordless logins, robust password policies, password managers, and protective measures against attacks.
- SaaS adoption: Many enterprises are increasingly implementing MFA to protect their employees and secure sensitive company data and assets. According to a survey by LastPass, 57% of global businesses now utilize MFA, reflecting a 12% increase from the previous year.
- Regulatory compliance: MFA assists organizations in maintaining compliance with data protection regulations such as GDPR and NIST, thereby ensuring the security of user data.
Logto Support
Logto simplifies the MFA activation process with a one-click toggle, removing the need for complex configurations. Start with our quick guide on enabling verification factors.
Supported MFA factors
- Authenticator app OTP: Use a time-based one-time password (TOTP) generated by an authenticator app like Google Authenticator or Authy.
- Passkeys (WebAuthn): Use a security key or biometric authentication for a passwordless experience.
- Backup codes: Generate one-time-use backup codes for emergency access.