Multifactor Authentication (MFA) SHALL be implemented and enforced on all digital platforms used in the business environment.

The traditional username and password combination is no longer sufficient to protect user accounts. Threat actors have become increasingly skilled at compromising passwords, and emerging technologies like quantum computing will only amplify this risk. Today, Multifactor Authentication (MFA) should be a mandatory security measure for every account in every organization, regardless of size.

MFA can be deployed through an organization’s central Identity & Access Management (IAM) platform, such as Microsoft Entra ID or Google Workspace. Smaller businesses without an IAM platform still need to implement MFA directly on individual accounts—for example, via Gmail or iCloud. SaaS applications that allow users to create accounts typically include MFA capabilities, which should always be enabled. Solutions like Duo Mobile allow users to centrally manage authentication factors across multiple independent applications through a single dashboard.


Understanding Authentication Factors

Businesses preparing to implement MFA must understand the different types of authentication factors:

  • Something You Know: Password, PIN, challenge questions
  • Something You Have: Smart card, token
  • Something You Are: Biometrics such as retina scans, facial recognition, fingerprint scans
  • Something You Do: A unique action performed by the user, such as walking through a scanner to analyze their gait

A proper MFA solution requires two factors from different categories. Using multiple authenticators from the same category (e.g., password + PIN) does not qualify as MFA; this is more accurately referred to as 2-Step Verification. Typically, a password is used as the first authentication factor, also called an activation secret, since it is already universally deployed. The most popular choices for secondary authentication factors are listed below:


Tokens (Something You Have)

Tokens are physical or digital devices that generate temporary codes for authentication. There are two main types:

  1. Synchronous Tokens – Use a timer or counter to generate codes.
  2. Asynchronous Tokens – Use a challenge/response mechanism with the authentication server.

Time-Variable Tokens are a form of synchronous token that generate One-Time Passwords (OTPs). Each OTP can only be used once and is valid for a short period (typically a few minutes). The OTP is created using a symmetric encryption key (seed) shared between the token and the authentication server. The token encrypts the current timer value with the seed to generate the OTP. The server can verify the OTP because it shares the seed, ensuring legitimacy.
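The synchronous token flow described above, written out as an added example (not code from the original page): the token and the server share a seed, the token derives a code from the current timer value, and the server recomputes the same code to verify it. The page describes the token as encrypting the timer value; this example follows the standard RFC 6238 TOTP construction, which keys an HMAC with the seed instead, and it also enforces the "each OTP can only be used once" rule by remembering the last accepted time step. The seed is RFC 6238's published test seed, the 30-second step and 6-digit length are that RFC's defaults, and the one-step acceptance window is an assumption.

```python
"""Synchronous (time-variable) token: shared seed -> one-time password.

Added example, not from the original page. Uses the RFC 6238 TOTP
construction (HMAC-SHA1 over the time-step counter) with the RFC's test seed.
"""
import hashlib
import hmac
import struct

# Constructed demo seed shared by token and server. This is the RFC 6238
# SHA-1 test seed; a real token gets a random per-device seed at enrollment.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds each code stays valid (RFC 6238 default)
DIGITS = 6


def totp_code(seed: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Token side: derive the OTP for the time step containing unix_time."""
    counter = unix_time // step                      # timer value, as a step count
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: shares the seed, recomputes the code, rejects reuse."""

    def __init__(self, seed: bytes, step: int = TIME_STEP, window: int = 1):
        self.seed = seed
        self.step = step
        self.window = window                  # accepted clock drift, in steps (assumption)
        self.last_accepted_counter = -1       # highest step already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted_counter:
                continue                      # single use: never accept an older/equal step
            expected = totp_code(self.seed, counter * self.step, self.step)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    server = TotpVerifier(DEMO_SEED)
    code = totp_code(DEMO_SEED, 59)           # RFC 6238 vector: 94287082, last 6 digits
    print(code, server.verify(code, 59), server.verify(code, 59))  # 287082 True False
```

The replay guard matters more than it looks: without it, a code captured by a phishing page remains valid for the rest of its time step plus the drift window, so the server should consume each step on first use as shown.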

Challenge-Response Devices are asynchronous tokens. The token sends a request to the authentication server, which generates a challenge (a string of numbers). The user enters this into the token, which encrypts it and returns a response. The server decrypts this response, and if it matches the original challenge, the user is authenticated.
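The challenge-response exchange above, as an added example that is not part of the original page: the server issues a fresh numeric challenge, the token answers it using the shared seed, and the server checks the answer. The page describes the token as encrypting the challenge and the server decrypting it; this example uses the common keyed-hash (HMAC) form instead, in which the server recomputes the expected response rather than decrypting anything. The seeds, the 8-digit challenge format and the 60-second challenge lifetime are constructed assumptions for the demo.

```python
"""Asynchronous (challenge-response) token exchange.

Added example, not from the original page. Server issues a single-use,
time-limited challenge; token answers with HMAC(seed, challenge).
"""
import hashlib
import hmac
import secrets


def token_response(seed: bytes, challenge: str, digits: int = 8) -> str:
    """Token side: turn the typed-in challenge into a short numeric response."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class ChallengeServer:
    """Authentication server side: shares each user's seed, verifies responses."""

    def __init__(self, seeds: dict, ttl_seconds: int = 60):
        self.seeds = seeds            # user -> seed provisioned at enrollment (assumption)
        self.ttl = ttl_seconds        # how long an unanswered challenge stays valid
        self.pending = {}             # user -> (challenge, issued_at)

    def issue_challenge(self, user: str, now: float) -> str:
        # Unpredictable 8-digit string of numbers, short enough to type into a token.
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[user] = (challenge, now)   # a new challenge replaces any old one
        return challenge

    def verify(self, user: str, response: str, now: float) -> bool:
        entry = self.pending.pop(user, None)     # consumed on first attempt, match or not
        if entry is None:
            return False                         # nothing outstanding: no challenge to answer
        challenge, issued_at = entry
        if now - issued_at > self.ttl:
            return False                         # stale challenge, user must request another
        expected = token_response(self.seeds[user], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed demo seeds; real seeds are random per token.
    seeds = {"alice": secrets.token_bytes(20), "bob": secrets.token_bytes(20)}
    server = ChallengeServer(seeds)
    challenge = server.issue_challenge("alice", now=1000.0)
    answer = token_response(seeds["alice"], challenge)
    print(server.verify("alice", answer, now=1010.0))   # True
    print(server.verify("alice", answer, now=1011.0))   # False: challenge already consumed
```

Because the challenge is random and consumed on first use, a response observed in transit cannot be replayed against a later login, which is the property that distinguishes this flow from a static password.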


Smart Cards (Something You Have)

Smart cards, also called Integrated Circuit Cards (ICCs), contain a chip that uniquely identifies the owner. Authentication occurs when the card is inserted into or presented to a reader. Types include:

  • Contact Smart Card – Inserted physically into a reader
  • Contactless Smart Card (Proximity Card) – Waved in front of a reader

Biometrics (Something You Are / Something You Do)

Biometrics rely on unique physiological or behavioral attributes:

  1. Physiological Biometrics – Unique physical attributes:
    • Fingerprints
    • Facial features
    • Retina patterns
      Users provide multiple samples during enrollment to create reference profiles. Authentication is validated by comparing user input to these references.
  2. Behavioral Biometrics – Unique patterns of physical behavior:
    • Typing rhythm
    • Gait
    • Handwriting
      These are analyzed over time to generate a profile unique to the user. Behavioral biometrics are categorized under Something You Do.

Senior management and IT teams should evaluate the pros and cons of different MFA strategies. Some MFA solutions are built into existing organizational resources, while others require subscription services or dedicated hardware. Popular platforms include Okta and Duo.

Once an MFA solution is purchased, tested, and deployed, it must be regularly monitored to ensure continued functionality. Many platforms allow centralized management via an admin dashboard, while others rely on users to manage their factors responsibly. Regardless of the approach, management must ensure that the system is well-maintained and that employees handle authentication factors securely.