What is a multi-factor authentication (MFA) system?
MFA is the process of identifying a user by validating two or more credentials presented by the user, each from a different category of factors, ensuring that a user is who he/ she claims to be.

There are three basic factors in a MFA system:

    1. Something the user knows e.g. an obscured password or a cell phone information;

    2. Something the user has e.g. a mobile device, smart card, tokens;

    3. Something that is unique to the user e.g. fingerprints, optics or voice.

The principle of MFA is that there is no perfect authentication factor. Any one factor that is implemented will have its strength and weaknesses. The concept of multi-factor authentication is that a second or third factor will compensate for the weakness of the other factors and vice-versa.


Why is MFA important to all level of users in an enterprise?
Up until recently, only the upper echelon users in the company would require higher level of security, because they would either store valuable information and have access to rooms which are considered more important. For example, the head of the finance department may have to both present a key and a pin number, or a fingerprint to access strong rooms. Likewise, the workstation of the head of IT department is protected by both a password and a swipe of an access card on an auxiliary reader attached to his computer.

High costs and complexity of implementing MFA technologies have been cited as reasons to restrict its use to only a small percentage of users in the enterprise. But, the trend is now changing because the threat landscape is also evolving1 through the increasing adoption of connected devices and the growth of cyberspace.

For example, an employee who takes his laptop with remote access on travels for business, could risk an attack on the company’s network if the laptop is stolen and his network access is only protected by a password, which could be compromised by phishing. In this scenario, having a second factor authentication as an added security, such as biometric fingerprint or SMS can be significantly better than the single-factor authentication model. This also applies when protecting certain physical assets or areas such as a hospital’s drug supply room or the records room at a financial institution. Implementing systems which require multi-factor authentication can prevent malicious exploits in these key areas.


The difference between multi-factor and multi-layer authentication
Despite sounding similar, multi-factor authentication is not interchangeable and are often confused with multi-layer authentication. A multi-layer authentication is an approach to access resources sequentially, through multiple layer verifications. Each layer verification grants access to increasingly privileged areas, until access to the desired resources is finally achieved. Alex Tan, Director of Sales, ASEAN at HID Global uses the Pentagon Building metaphor to explain this: “To mitigate the risk of a single point of weakness, a multi-layered defence is built to protect its innermost resources. A perimeter security layer is stacked on top of another security layer to build strengths and redundancies to prevent attacks and bypass. Perpetrators will need to defeat the outer-most layer, before infiltrating the next layer, and subsequent layers after that to reach its core.”

In spite of the above, in theory, a multi-layer system may only use a single factor verification for each layer, thus making the authentication somewhat less secure compared to a multi-factor system. This is because, it would be easier for an adversary to bypass the multi-layer system as there is no single point within the system that uses two or more authentication factors to authenticate the user.

So, a multi-layer authentication system is more likely to be used for consumer-grade applications, while a multi-factor authentication is often used in applications which require more security and protection.


“MFA offers greater security to authenticate and verify that the claimed identity is the legitimate user of the resources. But it is important to note that the factors chosen for the authenticating service must be cross-domain; if the user chooses the combination of fingerprint and voice recognition, then it is not considered as a multi-factor set up. A good example of MFA will be the combination of smart card and biometric fingerprint authentication,”

- Alex Tan, Director of Sales, ASEAN at HID Global


But according to Ryan Tan, Executive Director at Entrypass Corporation Sdn Bhd, the advent of AI technologies has led to users looking for a system that is not only secured, but can also provide smarter applications. “Nowadays, end-users want a system which also looks good and can give a delightful emotional experience. We believe that moving forward, having that consumer-grade experience in an enterprise set-up is important. Which is why, we are constantly looking at ways to integrating AI technologies such as facial recognition with RFID cards in access control, making the system simpler, smarter and highly secured,” said Ryan.



1. One time personal identification number (PIN)
Multi-factor authentication using time-limited one-time PINs, generated by carried devices or physical tokens, is an example of a classical implementation of strong security. This method involves the user authenticating his identity through a password that he already knows, with a PIN that is generated by a device that is connected to the authentication service. The time on both the device and the authentication service are synchronised, and the authentication service would know which one-time PIN should be validated at a particular time. Once the authentication service verifies that all details are correct for that user, it will then grant or deny access to the resources.

The types of physical tokens commonly used are:

• Hardware tokens
The simplest hardware tokens look identical to a USB flash drive or a key fob, and contain a small amount of storage holding a certificate or unique identifier. More complex hardware tokens incorporate LCD displays, keypads for entering passwords, biometric readers, or other additional features to enhance security.

Many hardware tokens contain an internal clock that, when in combination with the device’s unique identifier and an input password, is used to generate a PIN.

• Software Tokens
Software tokens are applications running on a computer, usually mobile devices. Modern operating systems allow complex and powerful applications to be created for mobile devices. Software tokens can provide additional features such as multiple profiles, Quick Response (QR) code-based enrolment, and cloud backup.


2. Biometrics
This multi-factor authentication method uses biometrics such as a fingerprint or iris scan, as a second factor. When the user enrols into the authentication service, they provide a scan of the appropriate biometric as a reference point for the authentication service to compare to. During authentication, the user provides a password along with their biometric data. The authentication service then verifies both the password and the biometric data with those provided during enrolment, and grants or denies access to resources.

It should be noted though, that the effectiveness of biometrics is reliant on the quality of the biometric sensors and its minutiae capturing algorithm. Sometimes, it is better to have a system that gives false rejections (denying access when it should be allowed) at the expense of unnecessary inconvenience to a few users, than have false positives (granting access when it should have been denied), to upkeep the security integrity.

Alex explains that users should look for a biometric reader that provides reliable, quick and efficient authentication. For example, a reader with multi-spectral imaging technology could capture images from both the surface and sub-surface of the skin so that all types of fingerprints, from people of any age, can be read quickly and reliably in all types of challenging environmental conditions. In addition to that, a reader which has liveness detection could validate that fingerprints are genuine and belong to a living person who is physically present at the authentication point, thus preventing spoofed authentication.


3. Smart cards
A smart card, resembling a credit card in size and shape, contains an embedded microprocessor which can store tamper-proof data such as a user’s private key. Used with a device such as a smart card reader, the smart card can only be unlocked by entering the user’s password or PIN. When the smart card is successfully unlocked, the software on the device verifies the user’s identity by signing an authentication request with the user’s private key. The user will be granted access when the authentication service verifies that the authentication request is signed by the valid and correct private key.

“To various degrees, the use of smart cards can enhance security systems throughout several key applications such as access management, public transportation, healthcare, and banking. The latest evolution of smart cards come with many robust features which offer more security, identity confidentiality and convenience,” said Ryan.

The future of smart card technology is looking bright and positive. The scope of its use to improve security and increase efficiencies is virtually unbounded.

However, like biometrics, this multi-factor authentication method has a potential security vulnerability due to the software involved in interacting with the smart card. Thus good software engineering with high and smart encryption is a key area for manufactures to focus on in minimising this risk.


“A good software architecture in a total security management solution using smart cards, should be able to implement multiple applications that are not only customisable, but is also scalable for future smart environments,”

- Ryan Tan, Executive Director at Entrypass Corporation Sdn Bhd


4. SMS messages or Emails
This authentication method involves a second factor which the user would already have, usually a mobile phone. When the user enrols into the authentication service, they would provide a phone number or an email address, so that the system can send them a one-time PIN in order to complete the authentication process.

Although the advantage of this method is cost minimisation to the owner’s authentication service, there are a number of disadvantages namely:

• Poor telecommunication network
Depending on location and service provider, the user may experience degraded or no service at all, which may affect the availability to receive the one-time PIN.

• Unsecured personal devices
Use of devices for web browsing or reading emails may mean that an SMS message or email containing the one-time PIN may no longer be secure.

• Interception of SMS
Telecommunication networks do not provide end-to-end security so SMS messages and emails may be intercepted by motivated and competent adversaries, particularly when travelling overseas.


Benefits of MFA
As discussed above, the principle of MFA is that each factor compensates for the weakness of other factors. For example, if something you know (like a password) can be susceptible to attacks such as phishing, the user can supplement the authenticating process with a factor that they have (like a mobile device) or unique to them (like a biometric fingerprint).

The convergence of physical and logical security has become an operational concern for organisations in most industries today. More organisations now rely on information technology to provide a platform for doing business, so it comes as no surprise that improved security initiatives such as MFA can deliver a strong value towards compliance-related governance. This is especially true when it comes to protecting sensitive data.


Working in partnership, integrators, physical security personnel and the IT department can leverage the investment in the physical access control system into one that brings a higher level of security by tapping into the logical side as well. This is truly a case of if one is good, two is better.


“A multi-factor authentication infrastructure enables stronger authentication. It adds another layer of protection from the kinds of damaging attacks that could cost organisations millions,” says Alex. “MFA can also offer higher security without compromising user experience. Organisations can make it easier for users by providing them with a choice of factors to choose from, such as biometric fingerprint authentication with smart card or passcodes; adding additional factors only when it is necessary.”

However, choosing the right authenticating factors should also be a priority. The National Institute of Standards and Technology (NIST) states that out-of-band verification methods using PSTN (Public Switched Telephone Network), SMS or voice calls are best avoided due to the risk of SMS or voice calls being susceptible to interception2. Whatever MFA methods chosen must be currently recommended and always have the goal of physical and data security in mind.