🔐 Multi-Factor Authentication (MFA)
🔄 Authentication Process Flow
1. User Login Request: the user enters credentials to access the protected system.
2. Primary Authentication: verify username/password (Something You Know).
   Valid? → ❌ Deny | ✅ Continue
3. Risk Assessment: analyze the login context: IP, device, location, behavior.
4. MFA Challenge: trigger the second factor: SMS, app, biometric, hardware key.
5. Second Factor Verification: the user provides additional authentication proof.
   MFA Valid? → ❌ Block | ✅ Grant Access
🔑 Authentication Factors
Something You Know
• Passwords
• PINs
• Security Questions
• Passphrases
Something You Have
• SMS Codes
• Hardware Tokens
• Mobile Apps
• Smart Cards
Something You Are
• Fingerprints
• Face Recognition
• Voice Patterns
• Iris Scans
Somewhere You Are
• GPS Location
• IP Geolocation
• Network Position
• Bluetooth Proximity
🛡️ Security Strength Levels
Low Security: SMS OTP only (SIM swap vulnerable)
Medium Security: TOTP apps (time-based codes)
High Security: Hardware keys (phishing-resistant)
✅ Best Practices
Multiple Methods: offer backup authentication options
Risk-Based: adaptive MFA based on context
User Education: train users on the importance of MFA
Regular Audits: monitor and review MFA usage
⚡ Common Threats & Attacks
SIM Swapping: hijacking phone numbers to intercept SMS codes
Phishing: fake sites capturing MFA codes in real time
Social Engineering: manipulating users into revealing MFA codes
Man-in-the-Middle: intercepting authentication communications
Prompt Bombing: overwhelming users with push notifications
Malware: stealing tokens and bypassing app security