
When additional user authentication is required, MFA is what you need.
MFA — a.k.a. Multi-factor Authentication, or 2-factor Authentication (2FA) — complements first-factor authentication to provide additional user security.

Hi, I’m Peter Fernandez, and as a CIAM expert, I want to share my experience building modern MFA into modern applications.
MFA typically employs an additional user authentication mechanism, also known as a factor, to increase confidence that someone actually is who they say they are. MFA is an excellent deterrent against attacks in which someone else pretends to be a legitimate user.
By complementing the typical first-factor authentication mechanism (i.e. Login using a UserID and Password, or a Social, Federated, or Passwordless workflow), MFA adds a further level of authentication via one or more additional factors; 2FA, i.e. 2-factor Authentication, is the special case where exactly one additional factor is required.
What’s in a Factor?
In essence, “factor” is the term given to any mechanism for user authentication. First-factor authentication, for example, typically refers to the initial Login via something like UserID and Password, Social, and/or Federated authentication. The use of additional factors like Biometrics and OTPs is typically referred to as MFA (a.k.a. Multi-factor Authentication), or 2FA where only one extra (i.e. second) factor is desired.
Factor Combination
Any number of factors can be combined as part of the user authentication process, and in any order. The challenge is to combine factors in a way that maximizes security whilst minimizing the impact on usability. For example, Passkeys provide a first-factor authentication method that seamlessly combines Biometrics as a second factor, giving an intuitive, secure Login experience with minimal friction.
Upstream Augmentation
Leverage MFA to augment the authentication provided by the upstream IdPs used in Social or (Enterprise) Federation scenarios. Even if those systems don’t provide MFA — or you want to add an additional layer of protection, say, even on top of SSO — a flexible implementation should allow you to add MFA adaptively, in either a step-up manner or as part of the initial Login.
Step-Up Authentication
Whilst MFA can be applied as part of the Login process, Step-up Authentication puts a user through MFA at some point after the first-factor workflow has completed. Step-up Authentication is typically transaction-driven: it occurs, for example, during financial transactions such as payment processing, where verifying that the user really intends to make the purchase is important.
An Adaptive Approach
MFA can also be applied electively, and with more than one additional factor. With adaptive MFA techniques you can roll MFA out progressively, in a tiered fashion, rather than forcing everyone onto MFA at once, so that users only go through additional levels of security when and where those levels are required.
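The three ideas above (augmenting an upstream IdP Login, transaction-driven Step-up, and tiered adaptive rollout) all reduce to a policy decision taken with the factors a session has already presented. The following is an added example, not code from this post or from any CIAM product: a small policy module that records the factors used so far in an AMR-style set, requires MFA at Login for federated sessions or for users in a rollout cohort, and steps up only for sensitive transactions when no fresh second factor is present. The factor labels, the payment threshold, the cohort percentage and the sensitive-action list are constructed assumptions for illustration.

```python
"""Adaptive and step-up MFA policy decisions (added example, not from the post)."""
import hashlib
import time
from dataclasses import dataclass

# Constructed policy values: assumptions for this example, not values from the post.
STEP_UP_AMOUNT = 100.00        # payments at or above this amount need a second factor
MFA_MAX_AGE_SECONDS = 300      # how recent a second factor must be to count for step-up
SENSITIVE_ACTIONS = {"payment", "change_email", "add_payee"}
# AMR-style labels for methods that count as an additional factor (constructed set).
SECOND_FACTORS = {"otp", "totp", "hwk", "fido", "bio"}


@dataclass
class Session:
    user_id: str
    amr: set                   # authentication methods used so far, e.g. {"pwd"} or {"pwd", "otp"}
    via_upstream_idp: bool = False   # Social / Federated login; upstream may not have done MFA
    mfa_at: float = 0.0              # epoch time of the last second-factor verification


@dataclass
class Decision:
    allow: bool          # proceed without further authentication
    require_mfa: bool    # challenge the user for an additional factor first
    reason: str


def has_second_factor(session):
    """True when any recognised additional factor has been presented in this session."""
    return bool(session.amr & SECOND_FACTORS)


def in_rollout_cohort(user_id, percent):
    """Stable cohort bucketing so a given user always gets the same rollout decision."""
    bucket = int(hashlib.sha256(user_id.encode("utf-8")).hexdigest(), 16) % 100
    return bucket < percent


def login_policy(session, rollout_percent):
    """Decide at first-factor Login whether MFA must happen now (adaptive rollout)."""
    if has_second_factor(session):
        return Decision(True, False, "second factor already presented")
    if session.via_upstream_idp:
        # Augment the upstream IdP: do not trust that it performed MFA.
        return Decision(False, True, "augmenting upstream IdP login with MFA")
    if in_rollout_cohort(session.user_id, rollout_percent):
        return Decision(False, True, "user is in the adaptive MFA rollout cohort")
    return Decision(True, False, "MFA not required at login; may be stepped up later")


def transaction_policy(session, action, amount=0.0, now=None, max_age=MFA_MAX_AGE_SECONDS):
    """Step-up: require a fresh second factor for sensitive, transaction-driven actions."""
    now = time.time() if now is None else now
    if action not in SENSITIVE_ACTIONS:
        return Decision(True, False, "not a sensitive action")
    if action == "payment" and amount < STEP_UP_AMOUNT:
        return Decision(True, False, "low-value payment below step-up threshold")
    fresh = has_second_factor(session) and (now - session.mfa_at) <= max_age
    if fresh:
        return Decision(True, False, "recent second factor covers this action")
    return Decision(False, True, "step-up required for %s" % action)


if __name__ == "__main__":
    # Constructed sessions to show the three decisions side by side.
    print(login_policy(Session("alice", {"pwd"}, via_upstream_idp=True), rollout_percent=25))
    print(transaction_policy(Session("alice", {"pwd"}), "payment", amount=250.0))
    print(transaction_policy(Session("alice", {"pwd", "otp"}, mfa_at=time.time()), "payment", amount=250.0))
```

The design point is that `login_policy` and `transaction_policy` read the same `amr` set, so a second factor completed during Step-up is also visible to later decisions, and the freshness window stops a second factor presented hours ago from silently authorising a new payment.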
Buy vs DIY
You could build an in-house custom solution yourself; it’s certainly an option, particularly if you have a team with the time, capacity, knowledge, and expertise to develop SSO; deploy and maintain Attack Protection; leverage OIDC and/or SAML for Authentication, Social and/or (Enterprise) Federation; implement Passwordless, Passkeys and/or MFA; and optionally OAuth 2.0 for API Authorization.
The alternative is to integrate with a SaaS solution provided by one of the popular vendors, and the cost of subscribing to one of these typically depends on the features you use and the number of active consumer identities you have.
With vendor-based CIAM the cost is typically associated with the platform hosting the backend service(s) that deliver Authentication, Authorization, Management and Protection from attack. With consumer-oriented software, much of this infrastructure is already in place: cloud-based “compute”, database, network resources, etc. could be a necessity for your solution anyway, and delivering these at scale may be something you already need to do.
Deploying a standards-based open-source DIY solution within your existing infrastructure might provide a more cost-effective approach — delivering secure and robust CIAM without the need to build everything yourself and with the added benefit of more flexibility and control.
Got questions?
Feel free to reach out!