Two-Factor vs. Multi-Factor Authentication

When I was a kid, I remember arguing with friends about… everything. I’m difficult that way. But in this specific argument, we were arguing about amounts. If I can recall, my seven-year-old stance was this:

  • “A couple” meant two. Period. Always. No matter what.
  • “A few” could mean two, or it could mean more, but it was always less than “a lot.”
  • “A lot” was — well, you know, as many as you can grab.

My buddy was sure that “a few” meant three, like “a couple” meant two. We argued, and used examples, and then probably picked up sticks and pretended they were weapons and got on with being seven years old.

The next time I remember a similar argument, I was a little older. I heard, “every square is a rectangle, but not every rectangle is a square.” My mind was racing. What else can fit this paradigm, that sounds like an impossibility, but is indeed true? Lots of stuff. Every car is an automobile, but not every automobile is a car. Holy cow. Every good joke is funny, but not everything funny is a good joke. I became a little obsessed with finding subsets — and I’m embarrassed to admit I still am. Weird.

Indeed, all these many (MANY) years later, here’s the next version of my favorite subset paradigm:

All two-factor authentication (2FA) is multi-factor authentication (MFA), but not all MFA is 2FA.

MFA for Bill's blog

MFA Simply Uses Several Forms of Authentication for Even Tighter Security

Yup. That’s right. MFA just means using multiple forms of authentication to get access. Wikipedia says (emphasis is mine):

Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).

2FA is a subset of that. Just a type of MFA where you only need two pieces of evidence — two “factors.” At the ATM, that means your PIN (something you know), and your card (something you have). When you log in to Google, Twitter, or Linkedin, or you make a purchase on Amazon, you can use their two-step validation to require your password (something you know) and a special text sent to your phone (something you have). If you don’t have your password and your phone – you don’t get in. 

If you added another factor — say, a USB key that you had to stick into your laptop, your phone and your password, you’d now need three things for access. This isn’t often the case, because it get cumbersome, which is why we never hear of “3FA” (or 4FA or 5FA). We don’t need those terms because they are rare, and because they are implied by the “multiple” in MFA.

2FA is a Subset of MFA — They Actually Aren’t That Different

People who don’t live and breathe security every day, and those who dare to delve into our world of acronyms, often think 2FA and MFA are more different than they really are — but they aren’t. 2FA is just a subset of MFA. Just like squares are a subset of rectangles, and nerds like me are a subset of humanity. (Every nerd is a human, but not ever human is a nerd — I love it!)

The good news — whether it’s just two factors, or three or more — MFA in general is the way to make our accounts much much harder for attackers to break into. Using only a single factor — like a password — means that attackers have a very easy way to get in. Steal or crack the password. Done.

When you couple that with another factor, the bad guys have a lot more work to do. And if we in the industry do this well, the users don’t have a lot more to do. That’s the goal. Easy for users, hard for attackers. That’s why biometrics are becoming popular. We can use something we know and something we are to provide multiple factors. A fingerprint is hard to steal or crack. So is a retina scan. Or the specific way we walk. Or where we go every day. These things can all be used as additional factors to prove our identity, without requiring users to carry something else around like a card or key fob or you name it.

Centrify has a flexible set of factors that can be used to prove identity — with or without a password — to thwart attackers, and make employees’ lives easier. And I love that it follows my subset name-game.

Really, I do love this line of thought. The comparison between what’s meant, and what’s understood. I studied English in college, and had many late-night arguments about denotation and connotation, about signifier and signified, and about how language always fails us, because it can’t be specific enough. When I say tree, you think “Alder” and I mean “Pine” and it’s hopeless, and can’t we all just get along?

But I’ll save those stories for another blog…

Learn more about how MFA Strengthens Security in our executive brief.