In the late 1990s and early 2000s, early adopters – banks and financial firms in particular – were using 2FA or MFA primarily through physical “tokens,” USB key fobs or cards that randomly generated a new PIN with the push of a button. Passing out hard tokens for authentication was a little cumbersome but far more flexible than allow-/deny-listing IP addresses on a static access control list (ACL) for each customer.
Before 2FA was commonplace or user friendly, there were, and still are, ACLs. IP ACLs work by granting access to a system only if the user’s communications originate from a pre-determined, trusted IP address. Anyone not connecting from one of these “allowlisted” IP addresses is denied access, which can cause problems for employees working from anywhere other than their corporate network or through a VPN.
As most of the internet-using world now knows, today MFA is available from any device, on any network and requires users to provide two or more pieces of “evidence” they are a trusted user before granting access to a system or website. So, even if a password is compromised or stolen, bad actors still can’t access an MFA-protected account or system without also somehow obtaining additional factors.
Those “factors” are divided into the categories of something the trusted user knows, like a password or the answer to a predetermined question; something the trusted user has, like a “token” or card with ever-changing, algorithmically derived codes; and something the trusted user is, their biometrics, like a fingerprint, face or eye scan, or their voice.
And take note: using two factors from the same category doesn’t count – a password and the answer to a question both come from the “something a user knows” category and therefore still amount to single-factor authentication. A password plus a token-generated code, however, would be something the user knows and something they have.
Generating and delivering those single-use codes to the right trusted user is considerably easier and less expensive in 2023 than it was in 2009. Now, additional authentication factors are often delivered by mobile phone, via text message or with an authenticator app.