Cyber Security: All About Multi-Factor Authentication

Cyber security begins and ends with users, so the ability to verify their identity is crucial to protecting your networks. Multi-Factor Authentication, or MFA, requires each user to use more than a username and password for login. There are several types of MFA requiring a variety of verification factors, but they all fall into three main categories: knowledge, like a password or PIN; possession, like a badge or a smartphone; or inherence, like voice recognition or fingerprints.

Why do you need MFA?

Though usernames and passwords are still valuable, they can be stolen by third parties and are vulnerable to brute force attacks. Compromised credentials are one of the biggest problems in the cyber security industry, not only because they allow cyber criminals into your network, but because the criminals' actions are difficult to track when they are using legitimate credentials. Requiring users to provide credentials beyond a username and password to access your network dramatically enhances its security.

The Three Types Of MFA

Knowledge Factors

Knowledge factors are things that you know, such as answers to personal security questions, a PIN, or a password. One of the most ubiquitous factors used for MFA is one-time passwords, or OTP. An OTP is a 4-8 digit code based upon a seed value assigned to the user at registration, plus another factor that could be something like a time value or counter. OTPs are generated either each time an authentication request is submitted or periodically, and are typically sent via SMS, email, or a mobile app. An OTP is really both a knowledge factor and a possession since you need something like your phone or computer to retrieve the code.
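The seed-plus-counter and seed-plus-time constructions described above are standardized as HOTP (RFC 4226) and TOTP (RFC 6238). The sketch below is an added example, not code from the original page; the `verify_totp` helper, its drift window and its replay set are illustrative assumptions, and the seed is the published RFC 4226 test value.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226): HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the current time step."""
    return hotp(seed, int(at) // step, digits)

def verify_totp(seed, submitted, at, used_steps, step=30, digits=6, drift=1):
    """Hypothetical server-side check: accept the current step or +/- drift
    steps (clock skew), and reject a code whose step was already used."""
    now_step = int(at) // step
    for candidate in range(max(0, now_step - drift), now_step + drift + 1):
        expected = hotp(seed, candidate, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            if candidate in used_steps:
                return False  # replay of an already accepted code
            used_steps.add(candidate)
            return True
    return False

SEED = b"12345678901234567890"  # RFC 4226 test seed, not a real secret

if __name__ == "__main__":
    used = set()
    code = totp(SEED, at=59)
    print("code at t=59:", code)
    print("first use   :", verify_totp(SEED, code, 59, used))
    print("replay      :", verify_totp(SEED, code, 59, used))
    print("stale (t=150):", verify_totp(SEED, code, 150, used))
```
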

Possession Factors

OTPs that count as possession factors include those provided via text or email and those generated by smartphone apps. Other possession factors include USB devices, smart cards, access badges, fobs, and security keys. Software tokens and certificates fall under possession as well.

Inherence Factors

Inherence factors include biometrics such as fingerprints, voice or eye scanning, and facial recognition. They may include complex artificial intelligence, or AI, that analyzes user behavior such as the way they move their mouse or type, the sorts of information they access, and their location.

Adaptive/Risk-Based Authentication

Adaptive authentication, or risk-based authentication, uses context and behavior to authenticate users, and frequently assigns a level of risk to the login attempt using these values. For example, if a user tries to log on from an unusual place, at a time they usually do not, on a public network, the risk level is calculated and the user may be prompted for another authentication factor or be prevented from accessing the network entirely.
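A minimal sketch of that decision flow, added here as an example and not taken from the original page: it builds a per-user baseline from constructed login history, scores the three signals named above (place, time, network), and maps the score to allow, step-up or deny. The weights, thresholds, field layout and two-hour tolerance are all assumptions chosen for illustration.

```python
# Constructed login history for one user: (country, hour_of_day, network_type)
HISTORY = [
    ("US", 9, "corporate"), ("US", 10, "corporate"), ("US", 14, "home"),
    ("US", 16, "corporate"), ("US", 8, "home"), ("US", 11, "corporate"),
]

# Assumed weights and thresholds; a real deployment would tune these.
WEIGHTS = {"unusual_place": 40, "unusual_time": 25, "public_network": 25}
STEP_UP_AT, DENY_AT = 25, 80
HOUR_TOLERANCE = 2  # hours of slack around previously seen login times

def build_baseline(history):
    """Summarize where and when this user normally logs in."""
    return {
        "countries": {country for country, _, _ in history},
        "hours": {hour for _, hour, _ in history},
    }

def risk_signals(baseline, attempt):
    """Return the names of the signals that deviate from the baseline."""
    country, hour, network = attempt
    signals = []
    if country not in baseline["countries"]:
        signals.append("unusual_place")
    # Circular distance so that 23:00 and 01:00 count as two hours apart.
    distances = [min(abs(hour - h), 24 - abs(hour - h)) for h in baseline["hours"]]
    if all(d > HOUR_TOLERANCE for d in distances):
        signals.append("unusual_time")
    if network == "public":
        signals.append("public_network")
    return signals

def decide(baseline, attempt):
    """Map the summed risk score to allow / step_up (ask for another factor) / deny."""
    signals = risk_signals(baseline, attempt)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "deny", score, signals
    if score >= STEP_UP_AT:
        return "step_up", score, signals
    return "allow", score, signals

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for attempt in [("US", 10, "corporate"), ("US", 15, "public"), ("RO", 3, "public")]:
        print(attempt, "->", decide(baseline, attempt))
```
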

RAVENii Cyber Security

RAVENii’s Virtual Chief Information Security Officer consulting service helps organizations by steering them in the right direction, helping them create and facilitate a full suite of security programs. Our consulting services are proactive – seeking out the gaps where our clients are most exposed by using our rigorous step-by-step methodology. This helps evaluate what’s merely a nominal vulnerability versus what represents a true critical risk to an organization.

“Maturity Modeling” is the process RAVENii uses to identify the “gaps” between where a client’s security posture is currently positioned versus where it “should be” within their business vertical. This process gives our customers the ability to quickly and accurately apply the security resources required to close the gaps… freeing them to focus on their core business operations:

  • Identification of priority action items to close gaps quickly
  • Actionable data for a proactive plan
  • Strategic Roadmaps with Level of Effort (LOE)
  • Consistent and meaningful metrics
  • Maturity modeling gaps to help show business context
  • Risk methodology to compare to peers

RAVENii’s team of experts includes former CISOs in the financial, healthcare, manufacturing, transportation, and utility industries.

RAVENii’s vCISO program is customized to serve your security needs and could include the following:

  • vCISO Consulting
  • Security and Network Assessments
  • Vulnerability Assessments – Internal and External
  • External and Internal Application Testing
  • Wireless Security Assessments
  • Social Engineering
  • Transaction Security
  • Security Program Evaluation
  • Security Program Development
  • Vendor Management Program
  • Regulatory and Compliance Issues
  • Critical Security Controls
  • GLBA/Banking IT Controls
  • PCI - External Vulnerability Assessments

For more information about cyber security solutions from RAVENii in Kansas City and nationwide, call (844) 317-0944 today.
