What is the Evolution of Multifactor Authentication


The evolution of Multifactor Authentication (MFA) has been driven by the need for heightened security in response to rising cyberthreats. MFA has seen a shift in authentication methods driven by a need for enhanced online security, better user experience, and technology advancements. MFA continues to innovate with the growth of threats and the need for more seamless and secure authentication methods. The future will likely see further advancements in decentralized identities, more sophisticated biometrics, and more reliance on AI-driven security measures.


Drivers for the Evolution of MFA

From its inception, MFA has been an essential part of IT and security teams’ arsenal. The following are the primary drivers behind this adoption and the subsequent evolution of MFA solutions.

Mobile Device Explosion

The broad adoption of MFA as a security staple is closely tied to the mobile device explosion, which played a crucial role in its evolution. The widespread use of smartphones and tablets created a need for enhanced security measures to mitigate vulnerabilities.

Scale and Sophistication of Cybersecurity Threats

Cyberthreats, such as data breaches perpetrated by criminals focused on credit card and identity theft, have driven the need for MFA. As cyberthreats increase in frequency and become more sophisticated, MFA evolves to address new and changing threats.

Today, for example, traditional password-based security measures are enhanced with strong password policies and augmented with sophisticated new factors such as behavioral biometrics and one-time passwords (OTP). This approach reduces the phishing and other social engineering risks associated with passwords.

Regulatory Requirements for Data Protection

Regulatory compliance has significantly driven the adoption and evolution of multi-factor authentication. Many regulations and industry standards now require MFA implementation, with failure to comply resulting in financial, legal, and operational penalties. These requirements come from both governments and industry groups. In the United States, regulations like CCPA and HIPAA require appropriate authentication controls, including MFA.

The General Data Protection Regulation (GDPR) in the European Union requires organizations to implement appropriate security measures, including MFA, to protect personal information. Industry standards like the Payment Card Industry Data Security Standard (PCI DSS) require financial institutions to use MFA to secure access to systems handling payment information.

Cloud Computing and Changing Workplaces

The move from on-premises software and services to the cloud has expanded organizations’ attack surfaces as the number of tools users log into has exploded.

Each login screen offers attackers a potential point of entry, and compromising just one user’s credentials can be enough to gain it. This trend has driven the growth in scale and strength of multi-factor authentication solutions.

This ability to access cloud services and SaaS tools has facilitated the shift towards remote work. Remote work has spurred the evolution of multi-factor authentication, as online security is required to authenticate users accessing networks from many different locations and devices (e.g., mobile phones, tablets, or laptops).


Brief History of Multi-Factor Authentication

While it is disputed who originated the concept, the earliest use of multi-factor authentication dates back to early ATMs. Users had to have a physical card and a PIN to access their accounts. The first ATM came online on June 27, 1967, at a Barclays bank branch in London. The first ATM in the United States debuted on Sept. 2, 1969, at a Chemical Bank branch on Long Island, New York.

  1. Password-Based Authentication (1970s-1980s):
    • Initial Approach: Early computer systems relied solely on passwords for user authentication
    • Limitations: Passwords are often weak, easily guessable, and vulnerable to phishing attacks and brute-force hacking
  2. Two-Factor Authentication (2FA) Emergence (1990s):
    • Concept Introduction: Introduced the practice of combining two different factors, usually something the user knows (password) and something the user has (hardware token)
    • Hardware Tokens: Physical devices, such as RSA SecurID tokens, generated time-based or sequence-based OTP (One-Time Passwords)
  3. Software-Based 2FA (2000s):
    • Mobile Authentication: Smartphones enabled software-generated OTPs, reducing the need for hardware tokens. Apps like Google Authenticator became popular
    • SMS-Based 2FA: Sending OTPs via SMS provided a convenient way to deliver secondary authentication tokens. However, vulnerabilities such as SIM swapping and intercepting messages emerged
  4. Biometric Authentication (2010s):
    • Enhanced Security: Introduction of biometric factors like fingerprints, facial recognition, and retinal scans. Devices like smartphones, equipped with biometric sensors, made this more accessible
    • Multi-Factor Systems: Combining biometrics with traditional methods (passwords and OTPs) for stronger authentication
  5. Adaptive and Risk-Based Authentication (Mid-2010s-Present):
    • Contextual Factors: Use additional parameters such as device fingerprinting, geolocation, and user behavior analytics to assess the risk level of authentication attempts
    • Dynamic MFA: Authentication methods dynamically change based on the assessed risk. For example, a low-risk login requires only a password, while high-risk logins require additional factors
  6. Passwordless Authentication (Late 2010s-Present):
    • Evolution Beyond Passwords: Moving towards eliminating the password. Solutions include biometric authentication, push notifications to a trusted device, and FIDO (Fast Identity Online) standards
    • FIDO2 and WebAuthn: Adopting protocols that support secure, passwordless authentication involving cryptographic keys
  7. Beyond Authentication – Continuous Authentication (2020s and Beyond):
    • Continuous Verification: Instead of one-time authentication at login, systems continuously verify user identity during the session using contextual and behavioral analytics
    • AI and Machine Learning: Leveraging advanced algorithms to detect anomalies and potentially fraudulent activities in real time


The Future of Authentication

MFA is poised to remain part of organizations’ security postures. Experts expect to see the use of AI and machine learning to expand. Other innovations to look for include blockchain and quantum-resistant MFA.

AI and Machine Learning

Existing MFA solutions are expected to continue to expand their use of AI and machine learning. Areas to look for further use of AI and machine learning include identifying deep fakes attempting to trick MFA controls, enhancing adaptive authentication, expanding anomaly detection based on user and entity behavior and other factors, and increasing threat detection and response automation capabilities.

Blockchain

Blockchain will be used to support decentralized and tamper-proof storage of authentication data. This will allow security teams to ensure data integrity and reduce the risk of centralized attacks.

Quantum-Resistant MFA

Experts anticipate that attackers will use quantum computing to evade traditional cybersecurity solutions, including multi-factor authentication. To maintain the integrity and efficacy of MFA solutions, quantum-resistant algorithms will be added to existing solutions.


Evolution of MFA FAQs

MFA significantly enhances protection against phishing attacks because even if a phisher manages to steal your password, they still need a second factor (like a code from your phone or a biometric scan) to gain access to your account. This makes it much harder for attackers to compromise your accounts even if they successfully trick you into revealing one piece of your credentials.

While SMS-based MFA (receiving a code via text message) is better than no MFA, it is generally considered less secure than other methods like authenticator apps or security keys. This is because SMS messages can be vulnerable to attacks like SIM swapping, where an attacker transfers your phone number to a device they control, allowing them to intercept your authentication codes.

2FA (Two-Factor Authentication) is a specific type of MFA that uses exactly two authentication factors. MFA (Multi-Factor Authentication) is a broader term that encompasses any authentication method requiring two or more independent factors. So, while all 2FA is a form of MFA, not all MFA is 2FA (it could involve three or more factors).

While MFA offers significant security benefits, some common challenges include user inconvenience (requiring an extra step during login), potential for lockout if a user loses their second factor (e.g., their phone), the cost and complexity of implementation for organizations, and the need for user education and support to ensure adoption and proper usage.