BiologyDropOut

MFA & 2FA

Multi-Factor Authentication (MFA): Far Beyond a Simple Constraint

As IT professionals, we’ve all experienced that moment when a user complains about the « useless 6-digit code » that complicates their life. Yet, multi-factor authentication (MFA) – or its predecessor 2FA – represents one of the most effective defenses against account compromises. Let’s dissect the real advantages of this technology from a technical perspective.

The Fundamental Problem: Passwords Are Broken

Let’s start with a brutal fact: the password-only authentication model is inherently vulnerable. The statistics speak for themselves:

  • 81% of data breaches involve stolen or weak credentials
  • Brute force attacks can test millions of combinations per second
  • Compromised password databases contain several billion entries
  • Phishing remains effective even against trained users

Facing these threats, a simple password – even a complex one – is no longer sufficient. This is where MFA comes in.

The Three Authentication Factors

MFA is based on the principle of combining at least two of the following three factors:

1. Something You Know (Knowledge)

Password, PIN code, answer to a security question. This is the traditional factor, but the weakest as it’s easily shareable, stealable, or guessable.

2. Something You Have (Possession)

Phone, hardware token (YubiKey), smart card, authenticator app. This factor is more robust as it requires physical access or device theft.

3. Something You Are (Inherence)

Fingerprint, facial recognition, iris, voice. The hardest to impersonate, but potentially bypassable and raising privacy concerns.

Technical Advantages of MFA

Protection Against Replay Attacks

TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password) codes generate single-use tokens. Even if an attacker intercepts a code, it becomes unusable after 30 seconds (TOTP) or a single use (HOTP).

// TOTP generation example (RFC 6238)
function generateTOTP(secret, timestamp) {
    const counter = Math.floor(timestamp / 30);
    const hmac = HMAC_SHA1(secret, counter);
    const offset = hmac[19] & 0xf;
    const code = (hmac[offset] & 0x7f) << 24
        | (hmac[offset + 1] & 0xff) << 16
        | (hmac[offset + 2] & 0xff) << 8
        | (hmac[offset + 3] & 0xff);
    return (code % 1000000).toString().padStart(6, '0');
}

Resilience Against Phishing

Hardware tokens based on FIDO2/WebAuthn use public key cryptography with origin verification. A phishing site cannot reuse credentials because the cryptographic signature is bound to the legitimate domain.

// Simplified WebAuthn
const credential = await navigator.credentials.create({
    publicKey: {
        challenge: new Uint8Array(32),
        rp: { name: "MyApp", id: "example.com" },
        user: { id: userId, name: username, displayName: displayName },
        pubKeyCredParams: [{ alg: -7, type: "public-key" }],
        authenticatorSelection: {
            authenticatorAttachment: "cross-platform",
            userVerification: "required"
        }
    }
});

Defense in Depth

MFA integrates into a defense in depth strategy. Even if one factor is compromised, the others remain active:

  • Database stolen? Password hashes alone aren’t enough
  • Successful phishing? The second factor blocks access
  • Keylogger installed? The hardware token remains out of reach
  • SIM swap? FIDO2 keys are unaffected

Traceability and Anomaly Detection

MFA generates detailed logs enabling detection of suspicious behavior:

  • Authentication attempts from inconsistent geographic locations
  • Repeated second factor validation failures
  • Use of an unregistered device
  • Unusual temporal patterns
{
  "event": "mfa_challenge",
  "user_id": "user_123",
  "method": "totp",
  "timestamp": "2026-01-29T14:32:11Z",
  "ip": "203.0.113.42",
  "user_agent": "Mozilla/5.0...",
  "location": {
    "country": "FR",
    "city": "Paris"
  },
  "device_fingerprint": "a3f8d9e2...",
  "result": "success"
}

Comparison of MFA Methods

SMS/Phone Calls

Advantages: Universally accessible, easy to deploy
Disadvantages: Vulnerable to SIM swap attacks, SS7 interception, no origin validation
Verdict: ⚠️ Acceptable as backup, avoid as primary method

Authenticator Apps (TOTP)

Advantages: Offline, no network dependency, standardized (RFC 6238)
Disadvantages: Vulnerable to phishing if user enters code on fake site
Verdict: ✅ Good security/usability compromise

Push Notifications

Advantages: Excellent UX, contextual validation possible
Disadvantages: Internet dependency, approval fatigue (users validating without thinking)
Verdict: ✅ Convenient but requires user training

Hardware Security Keys (FIDO2/WebAuthn)

Advantages: Phishing-resistant, cryptographic origin validation, no shared secret
Disadvantages: Hardware cost, loss risk, variable compatibility
Verdict: ⭐ Gold standard for high-value accounts

Biometrics

Advantages: Optimal UX, difficult to share
Disadvantages: Impossible to revoke if compromised, false positive/negative rates, privacy concerns
Verdict: ✅ Excellent in combination with another factor

Implementation: Best Practices

Recovery Code Management

// Secure backup code generation
function generateRecoveryCodes(count = 10) {
    const codes = [];
    for (let i = 0; i < count; i++) {
        const code = crypto.randomBytes(8).toString('hex').toUpperCase();
        const formatted = code.match(/.{1,4}/g).join('-');
        codes.push(formatted);
    }
    return codes;
}

// Example: A3F8-D9E2-7B4C-1F6A

Intelligent Rate Limiting

// Brute force protection on MFA codes
class MFARateLimiter {
    constructor() {
        this.attempts = new Map();
    }

    async checkAttempt(userId) {
        const key = `mfa:${userId}`;
        const attempts = this.attempts.get(key) || { count: 0, resetAt: Date.now() + 3600000 };

        if (Date.now() > attempts.resetAt) {
            attempts.count = 0;
            attempts.resetAt = Date.now() + 3600000;
        }

        if (attempts.count >= 5) {
            throw new Error('Too many MFA attempts. Account temporarily locked.');
        }

        attempts.count++;
        this.attempts.set(key, attempts);
    }
}

Trusted Device Management

Allowing certain devices to be marked as « trusted » for 30 days reduces friction without sacrificing security:

// Cryptographically signed cookie
const deviceToken = jwt.sign(
    {
        userId: user.id,
        deviceId: generateDeviceFingerprint(),
        exp: Math.floor(Date.now() / 1000) + (30 * 24 * 60 * 60)
    },
    SECRET_KEY
);

// httpOnly, secure, sameSite to protect the cookie
res.cookie('trusted_device', deviceToken, {
    httpOnly: true,
    secure: true,
    sameSite: 'strict',
    maxAge: 30 * 24 * 60 * 60 * 1000
});

MFA and Regulatory Compliance

MFA is no longer optional in many contexts:

  • PCI DSS 4.0: Mandatory MFA for all administrative and remote access
  • GDPR: Considered an appropriate security measure for sensitive data
  • NIS2: Explicit requirement for essential service operators
  • SOC 2: Evaluation criterion for certification
  • European Payment Services Directive (PSD2): Mandatory Strong Customer Authentication

Going Further: Adaptive MFA

Modern MFA is no longer binary. Adaptive authentication systems adjust requirements based on context:

function calculateRiskScore(context) {
    let risk = 0;

    // Unusual location
    if (context.location !== user.usual_location) risk += 30;

    // Unusual time
    if (context.hour < 6 || context.hour > 22) risk += 20;

    // New device
    if (!context.device_known) risk += 40;

    // Unrecognized network
    if (!context.network_trusted) risk += 25;

    // Sensitive action (password change, transfer, etc.)
    if (context.action_sensitive) risk += 35;

    return risk;
}

// If risk > 50: MFA required
// If risk > 80: MFA + manual validation
// If risk > 100: temporary block

The Future: Passwordless and FIDO2

The future is moving toward complete password abandonment in favor of standards like WebAuthn/FIDO2:

  • No shared secret between client and server
  • Native phishing resistance
  • Simplified UX (a simple touch on the security key)
  • Native support in modern browsers
// Complete passwordless authentication
async function authenticate() {
    const assertion = await navigator.credentials.get({
        publicKey: {
            challenge: await getChallenge(),
            rpId: "example.com",
            allowCredentials: [{
                type: "public-key",
                id: storedCredentialId
            }],
            userVerification: "required"
        }
    });

    // Server verifies signature with stored public key
    return await verifyAssertion(assertion);
}

Conclusion

Multi-factor authentication is no longer an option but a necessity in today’s threat landscape. As IT professionals, we must not only implement it correctly, but also evangelize its use among users and decision-makers.

The advantages are clear:

  • Drastic reduction in compromise risk (up to 99.9% according to Microsoft)
  • Facilitated regulatory compliance
  • Improved anomaly detection
  • Protection against the most common attacks

The challenge now? Choose the right MFA methods for each context, implement them correctly, and most importantly, educate users so they understand that these « few extra seconds » can save their digital identity.

Technical Resources

W3C WebAuthn Specification

FIDO Alliance – FIDO2/WebAuthn Standards

RFC 6238 – TOTP: Time-Based One-Time Password Algorithm

RFC 4226 – HOTP: An HMAC-Based One-Time Password Algorithm

Claude AI

In