Fluent Commerce Logo
Docs
Sign In

Multi-factor authentication (MFA)

Essential knowledge

Author:

Fluent Commerce

Changed on:

24 Jan 2024

Overview

Multi-factor authentication (MFA) is used to ensure that digital users provide at least two pieces of evidence to prove their identity. Each piece of evidence must come from a different category, something they know, have, or something they are.

Traditionally, authentication mechanisms or factors have been categorized as belonging to one of three groups:

  • Something you know (for example, a password or a PIN).
  • Something you have (for example, a mobile phone or a token).
  • Something you are (for example, a fingerprint or other biometric data).

In best practice, though, MFA goes beyond 2FA by requiring a user to authenticate via two or more authentication factors from different categories (e.g., a “something you know” combined with a “something you have”). The goal of having two or more authentication factors from different categories is to reduce the likelihood of an impostor gaining access.

Key points

  • MFA Categories: OTP, delivered through various means, offer time-limited codes effective against online attacks.
  • OTP Options: SMS, Voice, Email, and Application/Soft Tokens provide versatile MFA choices.
  • Authentication Methods: Mobile Apps, Authentication App (TOTP), Email, and SMS come with specified security settings for password limits, block duration, and passcode refresh.

Supported MFA Categories

  • One-time Passcodes (OTP) One-time passcodes are the most popular additional security factor today, in part because they can be delivered in a wide variety of ways to meet user needs. This possession factor enables the user to receive the OTP and enter it into an application, proving that the user owns or controls the device or method of OTP delivery. OTPs are time-limited, and servers can restrict the number of instances a user can attempt to enter the correct OTP, making it an effective defense against the online credential stuffing attacks used to compromise passwords.
  • SMS OTP SMS OTP is delivered via SMS to a user’s mobile phone. SMS OTP option has the advantage of not requiring a user to own a modern smartphone that supports mobile applications.
  • OTP via Voice Voice OTP delivery happens via phone call to a number already associated with a user.
  • OTP via Email OTP delivered via email is a viable second factor. It requires the user to switch to their email application from whatever application they were authenticating to and either remember the OTP code or copy and paste it into the authenticating application. Because of these limitations, email-based OTP is typically used to reset forgotten passwords. The user can prove they own the email account by responding to a time-limited link within the email.
  • OTP Application/ Soft Tokens OTP Application/Soft Tokens are a software-only variant of the RSA/OATH tokens. They use the same interface as the hard tokens so that a single server-side implementation can leverage both hard and soft tokens. The software provides a rolling series of OTPs and can run as a mobile or desktop application.
Allowed Authentication methods

Mobile Applications

Password Failure Limit

Block Duration

Passcode Refresh Duration

Passcode Lifetime

Mobile Applications

3

2 minutes

30 seconds

Not available

Authentication App (TOTP)

3

2 minutes

Not available

Not available

Email

3

0 minutes

Not available

30 minutes

SMS

3

0 minutes

Not available

30 minutes

Fluent Commerce

Fluent Commerce

Copyright © 2024 Fluent Retail Pty Ltd (trading as Fluent Commerce). All rights reserved. No materials on this docs.fluentcommerce.com site may be used in any way and/or for any purpose without prior written authorisation from Fluent Commerce. Current customers and partners shall use these materials strictly in accordance with the terms and conditions of their written agreements with Fluent Commerce or its affiliates.

Fluent Logo