Multi-factor authentication (MFA) is an authentication method that requires a user to present two or more factors, such as a password and a fingerprint, before accessing an application, website, email account, etc.
The main objective of this authentication method is to prevent unauthorized access to our accounts if the password has been exposed, in the same way that we prevent access to a physical location, another computing device, or a database, among others. If an attacker compromises one factor, they still face another barrier that must be broken to achieve their objective.
These are the authentication factors that exist:
Something that is known (knowledge factor): This refers to a password, a PIN or phrase, or a set of security questions whose answers only the person knows. The end user must correctly enter information that matches every detail that was previously stored.
Something you have (possession factor): This refers to a smartphone or a USB security key.
Something you are (inherence factor): This is an individual's biometric data, such as a fingerprint, retina scan, facial recognition, voice recognition, and more.
Somewhere you are: This is related to physical location. A user's location can be detected through their IP (Internet Protocol) address, their media access control (MAC) address, or the geolocation of their phone or mobile device.
Something that is done (habits and behaviors): Although it is one of the least used because it is little known, this type of authentication includes how fast you write, mouse movements, typing dynamics, signature dynamics, gestures and touches, speech patterns and more.
This is how it works:
Suppose you log in to a work, school, university or personal account. You will have to enter your details, such as a username and password. If this is all that is asked for, anyone who has the email and password can access our accounts from anywhere.
But if you have multi-factor authentication enabled, it is different: after you enter your username and password, you are asked for your second factor to verify your identity.
It should be noted that if someone tries to log in as us, they will type the username and password, and when they are asked for the second factor they will be stuck there. Unless they have our smartphone, they will have no way to get the code or authentication key to type.