Multifactor Authentication: An Overview

by Yuki Tam (OCIO)

Over the past few decades, systems and their data were protected by usernames (IDs) and passwords. However, this is not considered as safe anymore. An attacker can impersonate a user easily when a password or the password database is stolen. Even if the passwords are safely kept, an attacker can still crack a password by trying many passwords in the hope of guessing a correct one (also known as brute-force attack). Nowadays, the low hardware cost and high hardware performance make password cracking much less tedious than before, for example, cracking a 9-character alphanumeric with special character password would only take few hours.


Instead of using the password alone for authentication, multifactor authentication (MFA) is introduced, where users have to present 2 or more factors during the authentication process. With multifactor authentication in place, the difficulty for an attacker to impersonate a user is significantly increased: even if one authentication factor is compromised, the attacker has to get the rest of the authentication factors correct before he/she can impersonate a user and access the system.

The most common factors are:

  • Knowledge factor (something you know)
    • User name
    • Date of birth
    • Answer to security questions
  • Possession factor (something you have)
    • Hardware token
      A hardware tool that generates a one-time password
    • Software token
      A mobile application installed on smartphone or computer that generates a login request or a one-time password
    • Mobile phone
      To receive a one-time password over SMS
    • Personal certificate
      It is usually stored in a USB drive. User has to insert the USB drive to the device during authentication.
  •  ​Inherence factor (something you are)
    • Fingerprint
    • Hand Geometry
    • Pattern of the retina
    • Pattern of the iris
    • Voice
    • Facial expression

There are also two less common factors:

  • ​Time factor
    Users can only access the system during a specific period, e.g. office hours, or the access rights would be expired after certain period, e.g. 15 minutes.
  • ​Location factor
    Systems can only be accessed from certain countries (e.g. its home country).



As each authentication factor adds an extra layer of protection to the authentication process that can help to defend against impersonation and data theft, multifactor authentication is widely adopted in critical systems.

Examples of use in our daily lives are:

  • Online banking system
    You are asked to provide your account password (something you know), an answer to a security question (something you know) and a one-time password generated by your token (something you have)
  • ​The e-Channel service of the Immigration Department
    You have to present your HKID (something you have) and fingerprint (something you are)

And some single-factor authenticated systems would turn to multifactor authentication systems when abnormal behaviour is detected. For example, when the system receives a logon request originating from a new device or unusual country, the user then has to provide an additional factor for identity verification.

With the growing number of cloud applications as well as the wide adoption of information technology in business, we believe that the application of MFA will become increasingly commonplace and more advanced yet user-friendly authentication factors will evolve in the near future.


  1. ​A tool that estimates the time needed to crack a password (