Evolution of Multi-factor authentication (MFA)
Prepared by
Rasha A. Yousef
Israa A. Basheer
Supervised by
Assist. Prof. Maytham M. Hamod
Overview
▫ Multi-factor authentication (MFA), encompassing two-factor authentication
(2FA), is an electronic authentication method in which a user is granted
access to a website or application only after successfully presenting two or
more pieces of evidence (or factors) to an authentication mechanism:
▫ Knowledge (something only the user knows)
▫ Possession (something only the user has)
▫ Inherence (something only the user is)
▫ MFA protects user data—which may include personal identification or
financial assets—from being accessed by an unauthorized third party
that may have been able to discover, for example, a single password.
▫ A third-party authenticator (TPA) app enables two-factor
authentication, usually by showing a randomly generated and
frequently changing code to use for authentication.
History of Multi-Factor Authentication
The first concept of a factored authentication system can actually be traced
back to the Egyptians, who used a wooden pin lock to bar access to specific
structures. When the key was inserted, pins hidden inside the fixture would lift
out of drilled holes, allowing it to move. This is very similar to the current
iteration of the lock and key, except it is now made with metals to be more
durable.
By 1985, Kenneth Weiss, who founded Security Dynamics in 1984, invented and
patented “an apparatus for the electronic generation and comparison of
non-predictable codes.” His invention sparked the first concept of what came
to be known as multi-factor authentication.
The 1990s-2000s: from 2FA tools to 2FA solutions
Although 2FA’s origins are disputed (AT&T claims to have invented it in the
1990s), 2FA didn’t begin to catch on until the mid-2000s.
This is in large part because consumers found it inconvenient to use, and they
assumed a single form of authentication – passwords – would be enough to
keep their accounts safe.
Although some larger companies and security-conscious organizations
adopted a form of public-key cryptography known as RSA that used two
separate authentication tokens to validate user logins, many businesses found
this kind of solution too costly and complicated to implement at the time.
The evolution of multi-factor authentication accelerated in the mid-2000s,
when smartphones first began making a splash with consumers.
Because smartphones were also a terrific tool for increasing business
productivity, businesses soon began adopting them.
Some companies even began rolling out bring your own device (BYOD)
programs in which employees were allowed to use their own personal devices
for business purposes.
Once smartphones became ubiquitous at home and at work, large numbers of
people suddenly had access to more convenient 2FA solutions for securing
their online accounts. They could easily receive authentication codes via SMS
or email, which suddenly made the whole idea of 2FA much more palatable.
The 2000s-2010s: data breaches spur calls for widespread 2FA and MFA adoption
As consumers and businesses were becoming more open to the idea of using
2FA and MFA on their smartphones throughout the late 2000s and early 2010s,
hacks and data breaches began to emerge as a serious threat to online security
and privacy.
The American public witnessed a wave of massive data breaches
affecting private industry, private individuals, defense contractors, and
government organizations alike.
Sony Pictures Entertainment and the U.S. Office of Personnel Management
and Budget (OPM) are just two of the highest-profile examples of breaches that
made stunning headlines during this period.
Continued
In early 2016, President Obama wrote an editorial for the Wall Street Journal in
which he declared that passwords alone were not enough to protect
consumers and businesses. Noting that 9 out of 10 Americans said they felt
like they’d lost control of their personal information,
the President announced a new national awareness campaign, #Turnon2FA, to
encourage more Americans to protect themselves online. Before long,
smartphones began supporting biometric authentication techniques like
fingerprint scanning and facial recognition.
This accelerated the evolution of multi-factor authentication once more,
enabling consumers and businesses to begin using a fuller range of MFA
methods to secure their accounts.
HOW DOES MFA WORK?
MFA requires users to present two or more authentication factors at login to verify their
identity before they are granted access.
Each additional authentication factor added to the login process increases security.
A typical MFA login would require the user to present some combination of the following:
• Something you know: like a password, a PIN, or the answer to a security question.
• Something you have: like a smart card, mobile token, or hardware token.
• Something you are: a biometric factor (e.g., fingerprint, palm print, voice recognition,
face, or retinal scan).
For example: MFA could require users to insert a smart card or a bank card into a card
reader (first factor) and then enter a password or a PIN (second factor). An unauthorized
user in possession of the card would not be able to log in without also knowing the password.
Likewise, the password is useless without physical access to the card.
Examples of multi-factor authentication methods
Any of the following methods can be used in addition to a password to achieve multi-factor
authentication.
▫ Biometrics—a form of authentication that relies on a device or application recognizing a
biometric, such as a person’s fingerprint, facial features or the retina or iris of the eye.
▫ Push to approve—a notification on someone’s device that asks the user to approve a
request for access by tapping their device screen.
▫ One-time password (OTP)—an automatically generated set of characters that
authenticates a user for one login session or transaction only.
▫ SMS text—a means of delivering an OTP to a user’s smartphone or other device.
▫ Hardware token or hard token—a small, portable OTP-generating device, sometimes
referred to as a key fob.
▫ Software token or soft token—a token that exists as a software app on a smartphone or
other device rather than as a physical token.
Pros of Using Multi-Factor Authentication

Almost always secure
If a hacker has somehow acquired a user’s password to a system, they cannot
gain access, as they do not have the second factor (which is generally in the
user’s possession or something that they are).

Protects sensitive information
Users are the number one risk point for a network, so multi-factor
authentication relieves user and IT admin anxiety by protecting data from
falling into the hands of relentless hackers.

Don’t lose sleep over lost devices
Device-based multi-factor authentication (and paired with full-disk
encryption) ensures that lost devices do not lead to compromised access or
data.
Cons of Using Multi-Factor Authentication

Can be expensive
Traditionally, multi-factor authentication can be quite expensive if an
organization uses a solution that requires on-prem hardware and has to
integrate with existing identity solutions.

Time-consuming
The time needed to log in to your system and verify using a mobile device or
token can be inconvenient.

Inconsistencies
It is hard to implement multi-factor authentication across an entire
organization, as it is often left up to the users to implement it fully. IT
admins may not always have insight into an organization’s use of multi-factor
authentication.
The future of multi-factor authentication: AI, ML and more
Multi-factor authentication is continually evolving to provide access that’s both more secure for
organizations and less inconvenient for users. Biometrics is a great example of this idea. It’s both
more secure, because it’s tough to steal a fingerprint or face, and more convenient, because the
user doesn’t have to remember anything (like a password) or make any other major effort. The
following are some of the advances shaping multi-factor authentication today.
Artificial intelligence (AI) and machine learning (ML): AI and ML can be used to recognize
behaviors that indicate whether a given access request is “normal” and therefore does not require
additional authentication (or, conversely, to recognize anomalous behavior that does warrant it).
Fast Identity Online (FIDO): FIDO authentication is based on a set of free and open standards
from the FIDO Alliance. It enables password logins to be replaced with secure and fast login
experiences across websites and apps.
Passwordless authentication: Rather than using a password as the main method of verifying
identity and supplementing it with other non-password methods, passwordless authentication
eliminates passwords as a form of authentication.
Be assured that multi-factor authentication will continue to change and improve in the quest for
ways people can prove they are who they say they are, reliably and without jumping through hoops.
“Multi Factor authentication might branch out into newer forms of
authentication which will be real time and involve more identical forms of
authentication.”
Thanks For Attention

More Related Content

Similar to Evolution of MFA.pptx

Two aspect authentication system using secure mobile
Two aspect authentication system using secure mobileTwo aspect authentication system using secure mobile
Two aspect authentication system using secure mobile
Uvaraj Shan
 
Two aspect authentication system using secure mobile devices
Two aspect authentication system using secure mobile devicesTwo aspect authentication system using secure mobile devices
Two aspect authentication system using secure mobile devices
Uvaraj Shan
 
What is two factor or multi-factor authentication
What is two factor or multi-factor authenticationWhat is two factor or multi-factor authentication
What is two factor or multi-factor authentication
Jack Forbes
 
A secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authenticationA secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authentication
eSAT Journals
 
A secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authenticationsA secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authentications
eSAT Publishing House
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
IJERD Editor
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Role Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online TransactionsRole Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online Transactions
ITIO Innovex
 
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
IJCSIS Research Publications
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
lapao2014
 
Two Factor Authentication
Two Factor AuthenticationTwo Factor Authentication
Two Factor Authentication
Nikhil Shaw
 
Two aspect authentication system using secure
Two aspect authentication system using secureTwo aspect authentication system using secure
Two aspect authentication system using secure
Uvaraj Shan
 
Two aspect authentication system using secure
Two aspect authentication system using secureTwo aspect authentication system using secure
Two aspect authentication system using secureUvaraj Shan
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanAsad Zaman
 
An Insight into Essential Eight’s Multi-Factor Authentication
An Insight into Essential Eight’s Multi-Factor AuthenticationAn Insight into Essential Eight’s Multi-Factor Authentication
An Insight into Essential Eight’s Multi-Factor Authentication
Onsite Helper
 
An Insight into Essential Eight’s Multi-Factor Authentication
An Insight into Essential Eight’s Multi-Factor AuthenticationAn Insight into Essential Eight’s Multi-Factor Authentication
An Insight into Essential Eight’s Multi-Factor Authentication
Onsite Helper
 
Mobile App Security Best Practices Protecting User Data.pdf
Mobile App Security Best Practices Protecting User Data.pdfMobile App Security Best Practices Protecting User Data.pdf
Mobile App Security Best Practices Protecting User Data.pdf
GMATechnologies1
 
Brafton White Paper Example
Brafton White Paper ExampleBrafton White Paper Example
Brafton White Paper Example
Kayla Perry
 
MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...
MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...
MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...
Jenna Murray
 

Similar to Evolution of MFA.pptx (20)

13_2
13_213_2
13_2
 
Two aspect authentication system using secure mobile
Two aspect authentication system using secure mobileTwo aspect authentication system using secure mobile
Two aspect authentication system using secure mobile
 
Two aspect authentication system using secure mobile devices
Two aspect authentication system using secure mobile devicesTwo aspect authentication system using secure mobile devices
Two aspect authentication system using secure mobile devices
 
What is two factor or multi-factor authentication
What is two factor or multi-factor authenticationWhat is two factor or multi-factor authentication
What is two factor or multi-factor authentication
 
A secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authenticationA secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authentication
 
A secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authenticationsA secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authentications
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Role Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online TransactionsRole Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online Transactions
 
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
 
Two Factor Authentication
Two Factor AuthenticationTwo Factor Authentication
Two Factor Authentication
 
Two aspect authentication system using secure
Two aspect authentication system using secureTwo aspect authentication system using secure
Two aspect authentication system using secure
 
Two aspect authentication system using secure
Two aspect authentication system using secureTwo aspect authentication system using secure
Two aspect authentication system using secure
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _Zaman
 
An Insight into Essential Eight’s Multi-Factor Authentication
An Insight into Essential Eight’s Multi-Factor AuthenticationAn Insight into Essential Eight’s Multi-Factor Authentication
An Insight into Essential Eight’s Multi-Factor Authentication
 
An Insight into Essential Eight’s Multi-Factor Authentication
An Insight into Essential Eight’s Multi-Factor AuthenticationAn Insight into Essential Eight’s Multi-Factor Authentication
An Insight into Essential Eight’s Multi-Factor Authentication
 
Mobile App Security Best Practices Protecting User Data.pdf
Mobile App Security Best Practices Protecting User Data.pdfMobile App Security Best Practices Protecting User Data.pdf
Mobile App Security Best Practices Protecting User Data.pdf
 
Brafton White Paper Example
Brafton White Paper ExampleBrafton White Paper Example
Brafton White Paper Example
 
MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...
MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...
MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...
 

Recently uploaded

CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
camakaiclarkmusic
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Atul Kumar Singh
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
Levi Shapiro
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Dr. Vinod Kumar Kanvaria
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
David Douglas School District
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
Jisc
 
The Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptxThe Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptx
DhatriParmar
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
chanes7
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
Krisztián Száraz
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
goswamiyash170123
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
Thiyagu K
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
Vikramjit Singh
 

Recently uploaded (20)

CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
 
The Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptxThe Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptx
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 

Evolution of MFA.pptx

  • 1. Evolution of Multi- factor authentication (MFA) Prepared by Rasha A. Yousef Israa A. Basheer Supervised by Assist.Prpf. Maytham M. Hamod
  • 2. Overview ▫ Multi-factor authentication (MFA) ▫ encompassing two-factor authentication, or 2FA is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: ▫ Knowledge (something only the user knows) ▫ Possession (something only the user has), ▫ And inherence (something only the user is). ▫ MFA protects user data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password. ▫ A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication. 2
  • 3.
  • 4. History of Multi-Factor Authentication The first concept of a factored authentication system can actually be traced back to the Egyptians, who used a wooden pin lock to bar access to specific structures. When the key was inserted, pins hidden inside the fixture would lift out of drilled holes, allowing it to move. This is very similar to the current iteration of the lock and key, except it is now made with metals to be more durable. By 1985, Kenneth Weiss, who founded Security Dynamics in 1984, invented and patented “an apparatus for the electronic generation and comparison of non- predictable codes.” His invention sparked the first concept of what came to be known as multi-factor authentication. 4
  • 5. The 1990s-2000s: from 2FA tools to 2FA solutions 2FA’s origins are disputed (AT&T claims to have invented it in the 1990s), 2FA didn’t begin to catch on in the mid-2000s. This is in large part because consumers found it inconvenient to use, and they assumed a single form of authentication – passwords – would be enough to keep their accounts safe. Although some larger companies and security-conscious organizations adopted a form of public-key cryptography known as RSA that used two separate authentication tokens to validate user logins, many businesses found this kind of solution too costly and complicated to implement at the time. 5
  • 6. The evolution of multi-factor authentication accelerated in the mid-2000s when smartphones first began making a splash with consumers. Because smartphones were also a terrific tool for increasing business productivity, businesses soon began adopting them. Some companies even began rolling out bring your own device (BYOD) programs in which employees were allowed to use their own personal devices for business purposes. Once smartphones became ubiquitous at home and at work, large numbers of people suddenly had access to more convenient 2FA solutions for securing their online accounts. They could easily receive authentication codes via SMS or email, which suddenly made the whole idea of 2FA much more palatable. 6
  • 7. The 2000s-2010s : data breaches spur calls for widespread 2FA and MFA adoption As consumers and businesses were becoming more open to the idea of using 2FA and MFA on their smartphones throughout the late 2000s and early 2010s, hacks and data breaches began to emerge as a serious threat to online security and privacy. The American public witnessed a wave of serious massive data breaches affecting private industry, private individuals, defense contractors, and government organizations alike. Sony Pictures Entertainment and the U.S. Office of Personnel Management and Budget (OPM) are just two of the highest-profile examples of breaches that made stunning headlines during this period. 7
  • 8. Continue In early 2016, President Obama wrote an editorial for the Wall Street Journal in which he declared that passwords alone were not enough to protect consumers and businesses. Noting that 9 out of 10 of Americans said they felt like they’d lost control of their personal information, the President announced a new national awareness campaign, #Turnon2FA, to encourage more Americans to protect themselves online. Before long, smartphones began supporting biometric authentication techniques like fingerprint scanning and facial recognition. This accelerated the evolution of multi-factor authentication once more, enabling consumers and businesses to begin using a fuller range of MFA methods to secure their account. 8
  • 9. HOW DOES MFA WORK? MFA requires users to present two or more authentication factors at login to verify their identity before they are granted access. Each additional authentication factor added to the login process increases security. A typical MFA login would require the user to present some combination of the following: • Something you know: like a password or (PIN) or answer to a security question. • Something you have: like a smart card, mobile token, or hardware token. • Something you are: biometric factor (e.g., fingerprint, palm print, or voice recognition or face, retinal scan). For example: MFA could require users to insert a smart card or a bank card into a card reader (first factor) and then enter a password or a PIN (second factor). An unauthorized user in possession of the card would not be able to log in without also knowing the password. likewise, the password is useless without physical access to the card. 9
  • 11. Examples of multi-factor authentication methods. Any of the following methods can be used in addition to a password to achieve multi-factor authentication.
    ▫ Biometrics: a form of authentication that relies on a device or application recognizing a biometric, such as a person's fingerprint, facial features, or the retina or iris of the eye.
    ▫ Push to approve: a notification on someone's device that asks the user to approve a request for access by tapping their device screen.
    ▫ One-time password (OTP): an automatically generated set of characters that authenticates a user for one login session or transaction only.
    ▫ SMS text: a means of delivering an OTP to a user's smartphone or other device.
    ▫ Hardware token or hard token: a small, portable OTP-generating device, sometimes referred to as a key fob.
    ▫ Software token or soft token: a token that exists as a software app on a smartphone or other device rather than as a physical token.
  • 14. Pros of Using Multi-Factor Authentication
    ▫ Almost always secure: If a hacker has somehow acquired a user's password to a system, they cannot gain access, as they do not have the second factor (which is generally in the user's possession or something that they are).
    ▫ Protects sensitive information: Users are the number one risk point for a network, so multi-factor authentication relieves user and IT admin anxiety by protecting data from falling into the hands of relentless hackers.
    ▫ Don't lose sleep over lost devices: Device-based multi-factor authentication (paired with full-disk encryption) ensures that lost devices do not lead to compromised access or data.
  • 15. Cons of Using Multi-Factor Authentication
    ▫ Can be expensive: Traditionally, multi-factor authentication can be quite expensive if an organization uses a solution that requires on-prem hardware and has to integrate with existing identity solutions.
    ▫ Time-consuming: The time needed to log in to your system and verify using a mobile device or token can be inconvenient.
    ▫ Inconsistencies: It is hard to implement multi-factor authentication across an entire organization, as it is often left up to the users to implement it fully. IT admins may not always have insight into an organization's use of multi-factor authentication.
  • 16. The future of multi-factor authentication: AI, ML and more. Multi-factor authentication is continually evolving to provide access that's both more secure for organizations and less inconvenient for users. Biometrics is a great example of this idea. It's both more secure, because it's tough to steal a fingerprint or face, and more convenient, because the user doesn't have to remember anything (like a password) or make any other major effort. The following are some of the advances shaping multi-factor authentication today.
    ▫ Artificial intelligence (AI) and machine learning (ML): AI and ML can be used to recognize behaviors that indicate whether a given access request is "normal" and therefore does not require additional authentication (or, conversely, to recognize anomalous behavior that does warrant it).
    ▫ Fast Identity Online (FIDO): FIDO authentication is based on a set of free and open standards from the FIDO Alliance. It enables password logins to be replaced with secure and fast login experiences across websites and apps.
    ▫ Passwordless authentication: Rather than using a password as the main method of verifying identity and supplementing it with other non-password methods, passwordless authentication eliminates passwords as a form of authentication.
    Be assured that multi-factor authentication will continue to change and improve in the quest for ways people can prove they are who they say they are, reliably and without jumping through hoops.
  • 17. “Multi Factor authentication might branch out into newer forms of authentication which will be real time and involve more identical forms of authentication.”