Multifactor Authentication
Multifactor Authentication (MFA) is a security mechanism that requires two or more different types of authentication factors to verify a user’s identity.
Primary Types of Authentication Factors:
Something You Know: Information that only the user knows, such as a password or PIN.
Something You Have: A physical item the user possesses, such as a smartphone, security token, or smart card.
Something You Are: Biometric data unique to the user, such as a fingerprint, facial recognition, or voice recognition.
Additional Contextual Factors:
Location: The user’s IP address or physical location.
Time: The time of day or expected usage patterns.
Assurance Levels Supported by Our System
Our platform offers three levels of authentication, each designed to meet different security needs. Low, Medium, and High levels vary based on the number and type of factors used to verify a user’s identity.
Low:
Requires the user to authenticate with one factor from any of the following categories:
Something You Know (e.g., password, PIN)
Something You Have (e.g., security token, smartphone)
Something You Are (e.g., fingerprint, facial recognition)
Note: Low mode is not recommended for critical or high-risk systems, as it provides only basic security. It is more suitable for low-risk environments or non-sensitive applications.
Medium:
Requires the user to authenticate with two factors from any of the following combinations:
Something You Know & Something You Have (e.g., password + OTP)
Something You Have & Something You Are (e.g., security token + fingerprint)
Something You Are & Something You Know (e.g., facial recognition + password)
Medium mode provides an enhanced level of security, making it suitable for most general use cases where moderate security is necessary.
High:
Requires the user to authenticate with three factors from the following categories:
Something You Know (e.g., password)
Something You Have (e.g., smartphone, hardware token)
Something You Are (e.g., biometrics like fingerprint or facial recognition)
High mode offers the strongest security and is ideal for high-assurance environments, where protecting sensitive or critical data is essential.
Assurance Levels Mapping Across Frameworks
Below is a table showing how the Low, Medium, and High modes map to the authentication requirements in different compliance and security frameworks:
Framework | Low | Medium | High |
NIST SP 800-63B | AAL1: Single-factor authentication (e.g., password, fingerprint, or OTP). | AAL2: Requires two distinct factors (e.g., password + OTP). | AAL3: Cryptographic or hardware-based MFA with biometrics. |
eIDAS | Not compliant for secure transactions. | SCA-compliant for standard transactions. | Required for high-assurance transactions (biometric-based MFA). |
PCI DSS | Not compliant for systems handling sensitive data. | Required for access to cardholder data and admin access. | Recommended for securing sensitive payment data. |
ISO/IEC 27001 | Suitable for basic access control (low-risk systems). | Recommended for privileged accounts and sensitive systems. | MFA with biometrics for critical systems or data. |
NIS2 Directive | Not recommended for critical systems. | MFA required for critical and essential sectors. | MFA with biometrics or hardware tokens for high-risk sectors. |
SOC 2 | Not compliant for systems managing sensitive data. | Required for securing systems with customer data. | Adds extra security for sensitive customer data environments. |
ISAE 3402 | Suitable for basic assurance engagements. | Demonstrates secure access controls for data protection. | Enhances assurance by combining MFA with biometrics for critical use cases. |
GDPR | Single-factor insufficient for Article 32 compliance. | Meets access control requirements for protecting personal data. | Strengthens compliance for systems handling sensitive personal data. |
HIPAA | Not sufficient for protecting ePHI. | Helps meet HIPAA’s technical safeguards for access control of ePHI. | Ideal for protecting ePHI with biometrics for enhanced security. |
Last updated