Q Whenever I set up a new online account these days, I’m often asked to set up ‘two-factor authentication’. I understand why companies do this, even if I find it annoying. Recently, however, while reading about Microsoft 365 I learned that this now uses ‘multi-factor authentication’, and that sent my head into a spin. Does this mean Microsoft 365 requires more than two forms of identification? And if so, how many? How does Microsoft’s system differ from others? Where will it all end?
Derek Spencer
A Let’s start with the basics, which is that both two-factor and multi-factor authentication add an extra layer of security to your accounts. Rather than logging in with just a password, you might also need to type a one-time code that the website sends to your phone as a text message (a text message is the weakest of the common ways to deliver such a code, because phone numbers can be hijacked, but the principle is the same). It’s clear you already understand this much from your experience, and most of your fellow readers do too because, as you note, these systems have become ubiquitous.
However, two-factor authentication – or 2FA, as it’s often abbreviated – is really just a subset of multi-factor authentication (MFA). A ‘factor’ is a category of proof, not an individual credential. The three classic categories are something only you know (a password or PIN), something only you have (your smartphone, or a code sent to it) and something you are (a fingerprint or your face). A login counts as 2FA only when it draws on two different categories: a password plus a code sent to your phone qualifies, whereas a password plus a PIN does not, because both are things you know. With 2FA, the count stops at two.
That should give you a clue about the difference between 2FA and MFA, which is simply that MFA means two or more factors. 2FA is by far the commonest case, so most systems labelled ‘MFA’ still ask for just a password and a one-time code, but an MFA system can demand a third (or, in principle, a fourth) factor. That third factor would typically be something you are, such as a face-recognition check or a fingertip pressed against a fingerprint sensor. Some businesses also make their employees use physical security devices, such as a smart card or USB dongle; these are ‘something you have’, so they strengthen that factor rather than adding a new one if a phone code is already being used.