Creating Robust Multi-Factor Authentication (MFA) for Web Apps
Multi-factor authentication (MFA) is the process of proving your identity by presenting two or more independent kinds of evidence. This article first describes the available “factors” and the typical attacks against each, then explains how to design a thorough MFA strategy for web applications.

The Three Primary Authentication Factors

MFA Factor 1: Something You Know

The most common authentication method in the digital world is something you know, including:

  • Username
  • Password
  • PIN
  • Security question

Things you know are, notoriously, the easiest to compromise.

For example, email addresses are effectively public. That means any website you log in to with an email address and a password has only one secret authentication factor: the password. To complicate things further, weak or reused passwords are far too common.

Common attacks on things you know include:

  • Dictionary
  • Brute force
  • Password spraying
  • Credential stuffing

The software world is trying to mitigate attacks on things you know. The current trend is moving towards password managers, passwordless sign-on, and usernames instead of email addresses.

MFA Factor 2: Something You Have

Smartphones allow “something you have” to mean “the phone in your pocket” 99% of the time. Items used for authentication include:

  • Smartphone
  • USB key
  • Token device

In the case of smartphones, authentication checks can use a mobile authenticator app or a code sent via text message. Physical theft can occur, but it’s generally less of a concern for web applications.

Common attacks on things you have include:

  • Physical theft
  • MFA bombing or spamming
  • Brute force code entry

Software designers rely heavily on “something you have” for MFA since it’s generally trustworthy for everyday civilian purposes.

MFA Factor 3: Something You Are

Smartphones are, once again, the primary enabler for authentication by something you are. Biometric authentication for web apps includes:

  • Fingerprint
  • Facial recognition
  • Voice recognition

For web applications, theft of biometric data is uncommon. Attacks on biometric factors include:

  • Biometric cloning
  • Biometric data theft
  • Brute force biometric forgery

Biometric authentication is less common in web applications and is generally reserved for protecting sensitive financial or healthcare information.

Additional Authentication Factors

A quick Google search about multi-factor authentication informs you that the three methods we’ve covered are the only ones available – but that’s not true. This section details other authentication checks at your disposal.

MFA Factor 4: Where You Are

A user’s physical location is a strong signal when judging whether a login is genuine.

For example, if a web application login occurs in the USA, but the mobile authentication occurs in Europe, that can indicate some type of compromise. In that case, you may want to run an additional check to see if either (or both) IP addresses are using proxies. If one of the user’s devices is logged into a Virtual Private Network (VPN), you may choose to accept the authentication.

It’s also possible to analyze the physical location associated with an IP address and decide if it matches the user’s expected profile.
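The location consistency check described above, written out as a small decision function. This is an added example, not code from the original post; the IP intelligence table is constructed from RFC 5737 documentation addresses and stands in for a real GeoIP/proxy lookup service, and the decision ordering is an assumption.

```python
from dataclasses import dataclass

# Constructed lookup standing in for a GeoIP/proxy intelligence service (assumption).
# Values are (country, is_proxy, is_vpn); addresses are RFC 5737 documentation ranges.
IP_INTEL = {
    "203.0.113.10": ("US", False, False),   # home broadband
    "203.0.113.77": ("US", False, False),   # mobile carrier
    "198.51.100.7": ("DE", True, True),     # commercial VPN exit (also classed as a proxy)
    "198.51.100.9": ("DE", True, False),    # open anonymizing proxy, not a VPN product
    "192.0.2.44":   ("DE", False, False),   # ordinary hosting in Europe
    "192.0.2.45":   ("FR", False, False),
}


@dataclass(frozen=True)
class AuthEvent:
    channel: str   # "web_login" or "mobile_push"
    ip: str

    def intel(self):
        return IP_INTEL[self.ip]


def location_decision(web: AuthEvent, mobile: AuthEvent, usual_countries: set) -> str:
    """Combine the web login and its mobile confirmation into 'accept', 'step_up' or 'reject'.

    Policy, following the article's reasoning (ordering is an assumption):
    - same country on both channels and within the user's usual countries -> accept
    - same country, but one the user has never authenticated from -> step_up
    - different countries and either side is on a VPN -> accept
      (the article's "you may choose to accept" case)
    - different countries and either side is on a non-VPN anonymizing proxy -> reject
    - different countries with no proxy explanation at all -> step_up
    """
    w_country, w_proxy, w_vpn = web.intel()
    m_country, m_proxy, m_vpn = mobile.intel()
    if w_country == m_country:
        return "accept" if w_country in usual_countries else "step_up"
    if w_vpn or m_vpn:
        return "accept"
    if w_proxy or m_proxy:
        return "reject"
    return "step_up"
```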

MFA Factor 5: What You’ve Done

Distinguishing manual and physical inputs from digitally automated inputs is another form of authentication.

reCAPTCHA is the most well-known technique for proving the user is human. It requests the user to complete some action, such as checking a box or selecting every image showing a fire hydrant.

Another example is analyzing the timestamps of actions. For example, some software will lock your account after too many failed attempts in a specific period. To avoid locking out a target user, an attacker may automate one login attempt to occur every certain number of minutes. In this case, repeated attempts at suspiciously uniform intervals could cause the user’s authentication to be rejected.
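The timestamp analysis described above, as an added example that is not part of the original post: it parses a constructed failed-login log and flags accounts whose failures arrive at near-identical intervals paced to stay under an assumed lockout rule (5 failures in 15 minutes). The log format, thresholds and lockout parameters are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed lockout rule: MAX_FAILURES inside LOCKOUT_WINDOW locks the account.
LOCKOUT_WINDOW = timedelta(minutes=15)
MAX_FAILURES = 5
MIN_ATTEMPTS = 5      # need enough gaps before judging regularity
MAX_CV = 0.05         # coefficient of variation at or below this is "suspiciously uniform"

# Constructed sample log: "<ISO timestamp> FAIL <target username>".
# alice's failures come every ~5 minutes; bob's look like a person retrying.
SAMPLE_LOG = """\
2024-03-01T10:00:00 FAIL alice
2024-03-01T10:00:00 FAIL bob
2024-03-01T10:00:20 FAIL bob
2024-03-01T10:01:05 FAIL bob
2024-03-01T10:03:40 FAIL bob
2024-03-01T10:03:52 FAIL bob
2024-03-01T10:05:01 FAIL alice
2024-03-01T10:09:59 FAIL alice
2024-03-01T10:15:00 FAIL alice
2024-03-01T10:20:02 FAIL alice
2024-03-01T10:24:58 FAIL alice
"""


def failures_by_user(log: str) -> dict:
    """Parse the log into {username: [datetime, ...]} for failed attempts only."""
    out = defaultdict(list)
    for line in log.splitlines():
        stamp, result, user = line.split()
        if result == "FAIL":
            out[user].append(datetime.fromisoformat(stamp))
    return out


def looks_throttled_automation(times: list) -> bool:
    """True when failures are evenly spaced and paced to never trip the lockout counter."""
    if len(times) < MIN_ATTEMPTS:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return False                      # a burst; the ordinary lockout already handles it
    uniform = pstdev(gaps) / avg <= MAX_CV
    # One attempt per (window / MAX_FAILURES) or slower never accumulates enough failures.
    paced_under_lockout = avg >= LOCKOUT_WINDOW.total_seconds() / MAX_FAILURES
    return uniform and paced_under_lockout


def flag_users(log: str) -> dict:
    """{username: flagged} for every account with failed attempts in the log."""
    return {user: looks_throttled_automation(t) for user, t in failures_by_user(log).items()}
```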

Designing a Robust MFA Architecture

Security’s effectiveness depends on adoption. As a result, your MFA design must be both robust and usable. The general rule of thumb is: The more critical the information, the more security steps users are willing to navigate.

A username, password, and mobile verification (either text or push notification) are generally sufficient for non-critical web applications.

When building web apps that handle more confidential data (e.g., banking or stock brokerage), it’s helpful to require multiple factors before authorizing sensitive behavior.

An example may look like:

  1. Login authenticated by username, password, and mobile push.
  2. Transaction (like a bank transfer) requires additional facial recognition via smartphone.
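The step-up policy from the two-step example above, as an added example that is not part of the original post. It maps each concrete check to one of the article's factor categories, so that two checks of the same kind (password plus PIN) never count as two factors, and it treats a biometric as valid only if it was performed shortly before the sensitive action; the freshness window and reference time are assumptions.

```python
from datetime import datetime, timedelta

# The article's factor categories: each concrete check maps to exactly one category.
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "mobile_push": "have",
    "sms_code": "have",
    "face": "are",
    "fingerprint": "are",
}

# Step-up policy from the article's example: login needs know + have,
# a bank transfer additionally needs a biometric (are).
POLICY = {
    "login": frozenset({"know", "have"}),
    "bank_transfer": frozenset({"know", "have", "are"}),
}

# Assumed freshness rule: a biometric check counts only if done shortly before the action.
BIOMETRIC_MAX_AGE = timedelta(minutes=2)

# Constructed reference time used by the examples below.
NOW = datetime(2024, 3, 1, 12, 0, 0)


def minutes_ago(n: int) -> datetime:
    return NOW - timedelta(minutes=n)


def satisfied_categories(completed: dict, now: datetime) -> frozenset:
    """Map completed checks ({check_name: completion time}) to the distinct categories covered."""
    cats = set()
    for check, when in completed.items():
        category = FACTOR_CATEGORY[check]
        if category == "are" and now - when > BIOMETRIC_MAX_AGE:
            continue   # a stale biometric does not count for the current action
        cats.add(category)
    return frozenset(cats)


def authorized(action: str, completed: dict, now: datetime) -> bool:
    """True when every category the action requires is covered by a valid completed check."""
    return POLICY[action] <= satisfied_categories(completed, now)
```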
