Guides & tutorials

The complete guide to multi-factor authentication

No items found.
Import this tutorial scenario in your workspace
Table of contents

Multi-factor authentication is one the most used systems to ensure security online and prevent issues such as identity theft, data theft, automated attacks, fraudulent attacks, or account takeovers, among many others.

Simply by combining at least two authentication methods of different kinds, you can be sure your forms are armor-plated against many different types of malicious actions.

Still today, most online sites rely on the combination of email and password to authenticate their users. This vulnerable and improvable method reaches new levels of security when MFA enters the scene. Today, we will cover the MFA methods you can choose to implement in your business flows and in which stages you should implement it in order to protect your users from friction as well.

What is multi-factor authentication (MFA)?

First things first — what is multi-factor authentication? Multi-factor authentication (also known as MFA) is an authentication approach that combines at least two different kinds of authentication systems in order to verify users with different methods or devices and hence prove the identity of the person behind the login or sign up attempt.

Verification types to ensure user identification

Depending on the nature of the verification system, different types can be drawn: 

  • What the user knows: Uses information or data only the user and the server can know. Usually, these data include passwords, one-time codes, answers to security questions, and more.
  • What the user has: Uses identification proof that the user owns, such as identity cards, passports, or verification systems sent physically to the user.
  • What the user is: Uses physical or behavioral patterns that are unique to the user’s nature. This can be physical features such as fingerprints, iris, retina or facial features, or behavioral characteristics, such as voice, typing rhythm, or corporal movement. 
  • When or where the user is: Identifies space and time characteristics such as location, time and frequency to establish security patterns. 

The combination of identity verification methods of different kinds ensures that the identification process doesn’t get breached.

Multi-factor authentication methods you can add to your forms

Any authentication method you can think of can be a part of a MFA system. Here, we will explain some of the most popular authentication methods used in MFA, and that you can easily implement in your Arengu flows without coding. 

1. One-time passwords

One-time passwords (OTPs) are unique codes, from 4 to 10 characters long, that are sent to the user in order to verify their identity. Generally speaking, one-time passwords or one-time codes are sent to the user’s phone number with an SMS containing a text string. Still, these can be sent through different means, like an email, a WhatsApp or Telegram message, or a voice call. OTPs can be sent as a text string, but also as a voice string (in an audio message or a voice call), which makes it a suitable option for the visually impaired. 

As its own name suggests, one-time passwords or one-time codes can only be used once, which adds a certain degree of security. Since only the user and the server can know this code, OTPs are a secure verification system to identify the user’s phone number, email address or directly grant access to a certain platform. 

Among one-time passwords, two different types are distinguished — hash-based OTPs (HOTPs) and time-based OTPs (TOTPs). In the first type, the code comes from a counter, which is activated with every petition to generate a one-time code. This means this code is valid until the same user requests an additional code. In the second type, the validity of the OTP is determined by time. The code is generated with a determined duration in seconds, and once this is surpassed the code will no longer be valid. In general terms, it is advisable to set a determined duration for the OTP, so it is more difficult for external users to access it. Experts agree a duration between 30 and 180 seconds is optimal, but you can customize this duration according to your business and users needs.

Flow with one time password via SMS

2. Magic links

Magic links are authenticating URLs containing auth tokens that verify and authorize the user once they click on the URL. Magic links can be sent through different means, such as email (the most popular option), SMS or even a message in a messaging app, like Telegram or WhatsApp too.

The benefits of magic links are many and of different nature. They reduce friction in signup and login forms, since authentication is granted with one click on the URL. Plus, it is way more secure than passwords, and it also implies email or phone verification. 

Multi factor authentication - Magic links via email

👉 Learn in depth about magic links and their benefits ↗️

3. Integration with your own auth systems: biometric authentication, KYC, etc.

An Arengu form is fully customizable in form and logic, that is why you can add different types of verification to your MFA even if you don’t find native actions among the suite of actions. With an HTTP request you can call any API and link external services or third-party tools, allowing you to use your preferred identity providers, or verification systems such as biometric authentication or know-your-client practices. 

Implementing MFA at the right time

As multi-factor authentication implies additional layers of verification, it necessarily adds more friction to the flow. In order to reduce friction and keep your registration and payment forms smooth and user friendly, MFA can be applied only when it is necessary. 

Tackling the vulnerabilities of your flow or safeguarding the most compromising actions can help you protect your users and business and still maintain a great UX. Let’s see how!

Adaptive multi-factor authentication based on risk

Adaptive forms are a type of form that vary their behavior based on certain rules. The image below represents a form that adapts its behavior based on a risk detected at the very first stage — that is, a risk-based form. The risk can be determined by yourself and include your own rules, so it is fully customizable in the server-side logic as well. For instance, you can apply risk rules based on the email characteristics, IP scoring, location, login frequency, and so on and so forth.

Adaptive multifactor authentication

A risk-based approach allows you to add friction only when a real risk for your users or business is detected. This ensures a good user experience overall and a top-notch security that works when it is most needed.

👉 Learn in depth how adaptive MFA and risk-based flows work ↗️

Multi-factor authentication to safeguard sensitive actions

Another way to implement MFA smartly without hurting UX is to protect certain actions by default. This is an intermediate point that doesn’t trigger MFA at all times, nor uses adaptive flows based on risk

If your business features sensitive actions, you can apply MFA only at this point. This doesn’t mean that a risk is detected, but that you are adding a shield to this action because it can compromise the user’s security.

A good and frequent example of this is a bank transaction. Even if you have correctly logged in, when you want to execute a money transfer, an additional authentication factor is requested. This doesn’t necessarily mean that a risk is detected —like purchasing items in different countries, executing money transfers frequently or accessing from a poor-quality IP address. The multi-factor authentication method is placed here in order to protect every money transfer, because it is a compromised action.

Implementing multi-factor authentication systems with Arengu

As you can see, multi-factor authentication can be applied with different systems, through different means and according to dynamic logic. In Arengu, we believe that is the way it should be implemented, so users can benefit from great user experience and still be sure their security is guaranteed at high levels. Try Arengu for free and start implementing MFA smartly, based on your own business rules and streamline the user experience in this regard. Plus, Arengu works with an embed system and without regard to the tech stack you use, which eases the way you launch your acquisition channels, but also to modify them or iterate them. 

To start implementing MFA with Arengu, take a look at the MFA tutorials:

👉 Learn how to create a multi-factor authentication system for WordPress ↗️

👉 Learn how to create a multi-factor authentication system with Auth0 ↗️

You might like to read

See more tutorials

Getting started with Arengu

Arengu allows you to build all your user flows connected to your current stack, and avoids coding all the UI, complex integrations, validations or logic from scratch. Try it for free and start building faster and scaling your application needs as they grow.