IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Cyber Refresher: Understanding Multifactor Authentication

Multifactor authentication is a key part of zero-trust security, and a method promoted by the likes of CISA. It aims to block out hackers who — in this age of data breaches — manage to steal users’ passwords.

Business, technology, internet and networking concept. Young businesswoman working on his laptop in the office, select the icon security on the virtual display.
Multifactor authentication (MFA) often features in experts’ lists of low-hanging fruit cybersecurity improvements that agencies could adopt to make themselves harder targets.

The Cybersecurity and Infrastructure Security Agency (CISA)’s recent 'Shields Up' notice urges organizations to use MFA for verifying remote access and high-level access requests, as part of better protecting the nation against potential Russian cyber attacks. President Biden’s May executive order also directed federal agencies to adopt MFA, and Massachusetts senators last year mulled requiring agencies to do the same. Plus, using MFA is part of the increasingly popular zero-trust approach to cybersecurity.


MFA recognizes that asking users to verify themselves with just a username and password offers little resistance against hackers. Plenty of passwords have been exposed in data breaches, stolen via phishing scams or simply cracked by malicious actors using powerful computing tools.

Organizations adopting MFA instead require individuals to use multiple methods to demonstrate they are who they claim to be. MFA that only uses two methods is also called two-factor authentication.

Authentication methods would include at least two of the following:

  • Asking users for something they know, such as a password or PIN.
  • Asking for something they possess, such as a smart card (which can be tapped at a building’s entrance) or a phone (which can receive a texted one-time password or call up an authenticator app).
  • Asking for something they are, such as biometric information (which might be provided via fingerprint or facial scan or voice recognition).

The idea is that an attacker who compromises one method of authentication remains locked out if they cannot also compromise the additional method(s). A hacker who steals an employee’s password still cannot get into the system if they fail to also provide the one-time code displaying on that employee’s authenticator app or lack a keycard to swipe as well, for example.


MFA cannot guarantee safety, but it puts another obstacle in front of hackers. It makes them work harder if they want to get in — just like locking a home’s windows in addition to locking the front door reduces the easy options for would-be burglars. And some bad actors will decide its simply not worth the effort.

While MFA is generally an improvement, some choices can give stronger results.

Agencies may need to consider how their selection of authentication methods creates or avoids friction for employees. Speaking during a panel last month, Delaware Chief Security Officer Solomon Adote said that workers who find MFA processes too cumbersome may adopt unsafe workarounds, such as storing official files on personal devices to let them skip login procedures entirely. Adote suggested that letting workers “accept the connection” on smartphones or smartwatches is one way to create a smooth MFA experience that personnel would be unlikely to try to skirt.

Organizations must also weigh the cyber threats facing each type of authentication, as malicious actors continue evolving their strategies.

Scammers using SIM swapping — also known as SIM splitting and SIMjacking — attacks gain control over mobile phones and can intercept text and phone calls sent to the victim’s phone number. This then undermines authentication measures that confirm identities by texting one-time passwords.

However, using phone-based authentication apps instead can avoid the risk of intercepted communications, reports Vox’s Recode. Such apps generate new codes that change quickly — about every 30 seconds — which users then must key into the application they wish to access, or the apps may pop up alerts asking users to tap to confirm that they’re the ones behind the access requests.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.