Multi-Factor Authentication (MFA)
Authentication Process Flow
1. User Login Request
   User enters credentials to access the protected system.
2. Primary Authentication
   Verify username/password (Something You Know).
   Valid? No: Deny. Yes: Continue.
3. Risk Assessment
   Analyze login context: IP, device, location, behavior.
4. MFA Challenge
   Trigger second factor: SMS, app, biometric, hardware key.
5. Second Factor Verification
   User provides additional authentication proof.
   MFA Valid? No: Block. Yes: Grant Access.
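The five-step flow above, as an added Python example that is not part of the original page: the primary factor is a PBKDF2 password check, the risk assessment scores unknown IP/device and recent failures and blocks high-risk logins before any challenge is issued, and the second factor is a TOTP code (RFC 6238, HMAC-SHA1) checked with a one-step clock-drift window. The user record, salt, device name and IP addresses are constructed values; the TOTP key is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct

# Constructed demo user record; all values are hypothetical.
_SALT = b"demo-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct-horse", _SALT, 100_000),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test key (base32)
        "known_ips": {"203.0.113.5"},
        "known_devices": {"laptop-01"},
    }
}

def verify_password(user, password):
    """Step 2: 'something you know', compared in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(cand, user["pw_hash"])

def assess_risk(user, ip, device, recent_failures):
    """Step 3: score the login context (unknown IP/device, recent failures)."""
    score = (ip not in user["known_ips"]) + (device not in user["known_devices"])
    if recent_failures >= 3:
        score += 2
    return "low" if score == 0 else "medium" if score < 3 else "high"

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation); TOTP is HOTP over a time counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def totp(secret_b32, now, step=30, digits=6):
    return hotp(secret_b32, int(now) // step, digits)

def verify_totp(secret_b32, code, now, step=30, window=1):
    """Step 5: accept the current step plus/minus `window` steps of clock drift."""
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))

def authenticate(username, password, ip, device, code, now, recent_failures=0):
    """Walks the flow: primary factor -> risk gate -> second factor -> grant."""
    user = USERS.get(username)
    if user is None or not verify_password(user, password):
        return "deny"      # step 2 failed: wrong or unknown credentials
    if assess_risk(user, ip, device, recent_failures) == "high":
        return "block"     # step 4: too risky, no challenge is issued at all
    if not verify_totp(user["totp_secret"], code, now):
        return "block"     # step 5 failed: second factor rejected
    return "grant"
```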
Authentication Factors
Something You Know
• Passwords
• PINs
• Security Questions
• Passphrases
Something You Have
• SMS Codes
• Hardware Tokens
• Mobile Apps
• Smart Cards
Something You Are
• Fingerprints
• Face Recognition
• Voice Patterns
• Iris Scans
Somewhere You Are
• GPS Location
• IP Geolocation
• Network Position
• Bluetooth Proximity
Security Strength Levels
Low Security
SMS OTP only (vulnerable to SIM swapping)
Medium Security
TOTP apps (time-based codes)
High Security
Hardware keys (phishing-resistant)
Best Practices
Multiple Methods
Offer backup authentication options
Risk-Based
Adaptive MFA based on context
User Education
Train users on MFA importance
Regular Audits
Monitor and review MFA usage
Common Threats & Attacks
SIM Swapping
Hijacking phone numbers to intercept SMS codes
Phishing
Fake sites capturing MFA codes in real-time
Social Engineering
Manipulating users to reveal MFA codes
Man-in-the-Middle
Intercepting authentication communications
Prompt Bombing
Overwhelming users with push notifications
Malware
Stealing tokens and bypassing app security