Multi-Factor Authentication: What It Is and How It Protects Your Customers

Online users want more security. Over the last year alone, major data breaches have affected millions of people. One headliner, the Microsoft Exchange cyberattack, was enough to terrify even casual users of online services.

These breaches have shown how effortless it has become for tech-savvy criminals to steal personal data to use or sell. Business and personal internet users have seen online security measures fail multiple times, putting their finances and reputations at risk. It is no wonder that people don’t trust traditional online safeguards.

Fortunately, better methods already exist. One of the most common ways to increase security is to use multi-factor authentication, the practice of using several methods to verify user identity. Implementing this practice can thwart most hackers, but some people reject it because they think it is inconvenient and harms the user experience.

In reality, MFA safeguards sensitive data with minimal effort for you and you customers. Spending a few extra seconds at login can save your company and your customers from the nightmare of stolen personal information and sensitive company data.

Authentication Factors Explained

The online experience cannot be safe unless users can conclusively prove they are who they claim to be. Trustworthy authentication factors are essential to protecting a user’s information.

The most common security methods include time, location, consumer profile information, personal devices, and biometric items. Some of these methods are vastly more effective than others.


Tracking the time of activities helps businesses determine if fraudsters are actively inside your account. For instance, your financial institution would flag your ATM card if you used it to buy coffee in your hometown only to have it used again ten minutes later in a location 100 miles away. The time frame shows that someone is fraudulently using your card, unless you have mastered time travel.


IP addresses and GPS tracking in mobile phones tie your location to your devices. These measures also help stop cybercriminals. A discrepancy between your smartphone or tablet location with your physical location would trigger security measures to protect your banking account.

Customer Personal Information

In addition, personal information like passwords, PIN information and date of birth are commonly used to authenticate your identity, as are biometric factors like your fingerprint, retinal scan and facial recognition.

Personal Devices

Computing devices such as mobile phones, smart cards and key fobs are also important as authentication methods. Experience has proven that hackers can gain access to your accounts by determining one authenticator.

However, requiring a second factor usually shuts them down, particularly if it requires access to a second device. Precautions such as two-factor authentication and/or using a hardware token to generate security codes protect a user’s identity without seriously affecting the user experience. And these additional measures are necessary since passwords and answers to specific questions are not enough protection anymore.

Why KYC Isn’t Enough

A Guide to Fighting Fraud and Financial Crime from Onboarding to Ongoing Monitoring

Biometric Authentication Explained

Biometric authentication relies on biological traits that accurately identify the user. These traits are unique to the individual and are quite difficult to bypass.

You can set some smartphones to open only by a fingerprint, which effectively protects your device from almost everyone else. Some devices perform retinal scans, which is another highly reliable way to keep others out of your devices and away from your personal data.

In fact, your retina has over 250 distinctive characteristics compared to 40 for fingerprints. Neither of these methods protects 100%, however. Bad actors with access to sophisticated technology can find a way past them, but they have to invest time and effort to do so.

Other biological authentication methods include facial recognition and voice recognition. These methods can work even with identical twins since subtle differences exist between these siblings. However, no one method works all the time, which is why two-factor authentication is so important.

Beating one security system is possible, but defeating two is much more difficult. Cybercriminals will usually seek out the easiest potential targets. When your system has multiple sophisticated security layers, hackers will often give up and look for an easier mark.

Knowledge-Based Authentication (KBA) Explained

Many companies still use knowledge-based authentication, but this once-promising security measure has several fatal weaknesses.

KBA identifies users by asking them specific questions about their personal lives that, in theory, few people would know. Customers may have to name their paternal grandfather or identify the model of their first car. Unfortunately, data breaches from years past may have already uncovered this information. Someone could have sold it to the dark web, exposing their accounts to data breaches.

Frankly, hackers do not have to work that hard to get much of this data. An organizational breach is unnecessary because a simple check of a person’s social media accounts may reveal much of this information. Think of how much sharing we do with people we don’t really know.

Also, users may expose their personal data while having fun online. If you play online games or take online quizzes, you routinely expose your birthdate, home address, and relatives’ names. And even though this information is quite basic, users often forget the answers to the security questions they chose — sometimes in as little as six months.

This means they have to routinely change the verification process because they cannot remember which pet was their favorite. Worst of all, they may recycle questions and answers used in the past on multiple accounts to speed things up. When you take these shortcuts, you make it easy for cyber thieves to steal your data.

What Are Use Cases for Multi-Factor Authentication?

You need multi-factor authentication any time that theft of information would cause your customers harm or vulnerability. This means MFA is a good idea for most accounts.

Perhaps the most important case would be for bank or financial services transactions using mobile and online logins. If a personal bank account only requires KBA to reset a password, the funds are vulnerable. Hackers would only need basic information, such as a mother’s maiden name and the name of your customer’s hometown, to gain access to their account.

If they use services like PayPal, hackers can quickly get information from less-secure vendors unless their account is set to require MFA. In that case, the cyber thief could not enter a special code sent to the user on a mobile device.

They certainly would not have access to your customer’s fingerprint or another biometric factor for user authentication. This simple two-factor authentication can save your customers from unauthorized purchases charged to their accounts or a devastating funds transfer.

Multi-factor authentication methods also protect social media accounts, which are frequently hacked and used to get personal information. Hackers can then use this stolen data to access more crucial information, such as accounts at financial institutions, insurance policies and businesses.

Enhanced security measures can also protect usernames or passwords from being changed by hackers and keep others from altering accounts on other sites. End-users need MFA and methods such as one-time passwords to keep their online accounts and transactions safe from fraud.

Using one-time passwords (OTPs) may seem inconvenient, but generating these single-use passwords makes hacking your customer’s account incredibly difficult. They only lose a minute, if that. But those 60 seconds are enough to drive away cybercriminals and make your website, app or platform safer for users.

How Effective Is MFA?

You may wonder if adding multi-factor authentication is worth the effort. Yes, MFA is certainly effective in most cases, if done correctly.

Research shows that multi-factor authentication solutions thwart most hacking attacks. For example, a 2019 Microsoft report found that MFA stopped 99.9% of these attempts, which means this method stopped all but the most sophisticated cybersecurity attacks.

While the account password is often the weak link, hackers who have that knowledge won’t be able to access your account and sensitive data if authentication requires:

  1. Entering a security code sent to the phone number associated with your smartphone OR
  2. Using an authentication app to generate one-time access codes

How Users Can Make MFA More Effective

You should consider installing an app for access codes if you do not always have your smartphone with you or if you travel where the service is spotty. Multiple apps for MFA security means adding that layer of protection is easy, but you must use MFA on all your outlets.

As an example, you may have your major accounts covered but forget to protect your Twitter account. In that case, hackers can hold your social media hostage and do extensive damage to your company’s reputation or even try to get you to pay a ransom. Do not let your social media presence be your company’s weak link.

Some people balk at adding this extra protection for their personal information because it is inconvenient for the user. However, after going through the process once, you will usually get a prompt asking if the device you are on can be trusted.

Once you enter “yes,” you won’t have to go through two steps when you log in on the same device in the future. If you change devices, you will need to verify your identity in at least two ways once again. You can enable your home computer and smartphone in this way, but you should not trust a public computer or other open devices.

This precaution can reduce phishing risks and protect against attempts to steal your personal and business data when you are online at a coffee shop or in a retail store.

The Future for Authentication Methods

Multi-factor authentication will be a huge part of future online security, but one prominent factor — the password — may not be.

Many experts are embracing the idea of passwordless security. Although complex passwords are a strong security measure, too many people choose simple passwords because they are easier to remember. Of course, they are easier for hackers, too.

Biometric security measures such as facial and retinal scans used with a secondary authentication method may be the best choice for businesses and individuals. Cyber thieves are praying you do not upgrade to these methods so they can count on you being lax with your security.

Automated Identity, KYC & AML Solutions

Tech experts are improving authentication methods at a rapid pace and now offer several extremely secure options. Unfortunately, cybercriminals are finding new ways to compromise security almost as rapidly.

To maintain your company’s online security, you need access to the most advanced methods. Jumio is constantly evolving its technologies to provide forward-looking authentication solutions for all types of businesses and industries. Contact us today to protect your business and your clients with sophisticated security methods that can block hackers from accessing your sensitive data as well as your customers’.


Get the latest updates from the Identity and Beyond blog, delivered to your inbox.

    Yes, I would like to receive periodic updates from the Jumio blog as well as marketing communications regarding Jumio products, services, and events. I can unsubscribe at any time.

    Jumio values your privacy. To learn more, visit our Privacy Statement.