MFA, 2FA, strong authentication: what are the differences?
Definitions and explanations of these fundamental concepts.
Preamble: The 3 authentication families
There are three main families of authentication factors:
- The knowledge factor (what I know, and only I know): passwords, PIN codes, secret questions.
- The inherence factor (what I am): fingerprint, facial or voice recognition, and more sophisticated systems such as palm print, iris recognition, breath, DNA, the pattern of veins, and behavioral traits such as the way one types on a keyboard. These are physiological or behavioral characteristics of the person. Unlike a password they are not secret (you leave fingerprints everywhere) and cannot be changed if a copy leaks, so their value rests on the quality of the sensor and its liveness detection.
- The possession factor (what I have): a phone (SMS or authenticator app), a smart card, a certificate, a security key, etc.
Identification vs. Authentication
- Identification consists of recognizing a unique individual by their civil status (surname, first name, date of birth, nationality, etc.). Presenting an identity card or passport allows you to be identified.
- Authentication is the act of verifying that a person or system is legitimately entitled to access a resource. Depending on the context, being identified may or may not be required in order to be authenticated. To open a bank account you must be identified, but to access your customer profile on an e-commerce site your identity is not required, only proof that you are the holder of that account. In other words, do not confuse a login identifier (a username) with an identity.
Multi-factor authentication (MFA or 2FA)
Multi-factor authentication (MFA) is the act of requesting several authentication proofs so that the compromise of one factor alone is not enough to get in. When exactly two proofs are used, we also speak of 2FA (two-factor authentication).
The two proofs must belong to different authentication categories (see preamble). When two proofs of the same category are requested (two passwords, for example), this is better called double authentication: it adds a step but not a second factor, since both proofs fall to the same kind of attack. By abuse of language, some people say "double authentication" when they mean two-factor authentication, which is the more precise term.
Typically a knowledge factor is combined with a possession factor: possession of a bank card plus knowledge of its PIN code, or knowledge of a password plus possession of the phone line that receives an SMS.
Strong authentication
Strong authentication should not be confused with multi-factor authentication. The term designates a system, usually based on cryptography, that meets specific security criteria defined by ANSSI as follows:
- resistance to eavesdropping attacks, in which an attacker passively listens to or observes the communication channel between the prover and the verifier. A building entry PIN pad is not resistant to this attack: someone watching you type sees the secret and can enter the building. Most knowledge-based systems, passwords included, are not resistant to eavesdropping on their own (the secret itself is transmitted, and is only protected if the channel is, for example by TLS) and are therefore weak authentication systems.
- resistance to replay attacks, in which an attacker re-sends an authentication sequence they previously observed. A password does not resist this attack because the same password opens every session, so a captured password can simply be submitted again. Conversely, a single-use password-reset link is valid once and cannot be replayed, and a TOTP code is only valid for its time step, provided the verifier refuses to accept the same code twice within that step.
- resistance to man-in-the-middle attacks, in which an attacker intercepts and modifies the communications between the prover and the verifier during authentication without being detected. If someone phones you pretending to be your banker and asks for your password, nothing technically stops you from giving it, and the password is just as valid coming from them as from you. A strong authentication system binds the proof to the party it was produced for (FIDO2, for instance, signs the origin of the site the browser is actually talking to), so a proof obtained by the wrong party is useless to it, even if the user was fooled.
- non-forgeability: observing several authentication exchanges of a prover must not allow an attacker to impersonate that prover in a new authentication exchange.
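To make the four criteria concrete, here is an added example in Python, written for this page and not taken from the article, from ANSSI or from any FIDO implementation. It plays a challenge-response exchange in the style of FIDO2/WebAuthn and then runs the four attacks against it. The origins bank.example and bank-login.example and the user name are hypothetical. One simplification matters: an HMAC over a shared key stands in for the asymmetric signature a real authenticator produces, so here the verifier holds the same key as the token, whereas in FIDO2 it only holds a public key and a breach of the verifier yields nothing usable to impersonate the user.

```python
import hashlib
import hmac
import secrets

# Hypothetical origins for the walk-through (not from the article).
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"


def signed_data(origin: str, challenge: bytes) -> bytes:
    """What the authenticator commits to: the origin the browser is actually on
    plus the verifier's one-time challenge. Binding the origin is what defeats relay."""
    return origin.encode() + b"\x00" + challenge


class Authenticator:
    """Possession factor. The key is generated here and never transmitted during
    authentication; only responses over (origin, challenge) leave the device."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def key_for_registration(self) -> bytes:
        # Symmetric stand-in for FIDO2 registration, which would hand over a
        # public key while the private key stays inside the authenticator.
        return self.key

    def respond(self, origin: str, challenge: bytes) -> bytes:
        return hmac.new(self.key, signed_data(origin, challenge), hashlib.sha256).digest()


class Verifier:
    """Relying party. Issues random single-use challenges and checks responses."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.credentials: dict[str, bytes] = {}
        self.pending: dict[str, set[bytes]] = {}

    def register(self, user: str, key: bytes) -> None:
        self.credentials[user] = key

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.setdefault(user, set()).add(challenge)
        return challenge

    def check(self, user: str, client_origin: str, challenge: bytes, response: bytes) -> bool:
        if client_origin != self.origin:
            return False                      # proof was produced for another site
        outstanding = self.pending.get(user, set())
        if challenge not in outstanding:
            return False                      # unknown or already consumed: replay
        outstanding.discard(challenge)        # single use, consumed even on failure
        expected = hmac.new(self.credentials[user],
                            signed_data(client_origin, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict[str, bool]:
    """Plays the attacks from the criteria above; True means the login was accepted."""
    token = Authenticator()
    bank = Verifier(BANK_ORIGIN)
    bank.register("alice", token.key_for_registration())

    # Legitimate login: the browser really is on bank.example.
    c1 = bank.issue_challenge("alice")
    r1 = token.respond(BANK_ORIGIN, c1)
    legit = bank.check("alice", BANK_ORIGIN, c1, r1)

    # Replay: an eavesdropper who captured (c1, r1) submits it again.
    replay = bank.check("alice", BANK_ORIGIN, c1, r1)

    # Real-time phishing / relay: the attacker fetches a fresh challenge from the
    # bank and feeds it to the victim, whose browser is on bank-login.example.
    c3 = bank.issue_challenge("alice")
    r3 = token.respond(PHISH_ORIGIN, c3)        # the browser, not the attacker, names the origin
    relay_as_is = bank.check("alice", PHISH_ORIGIN, c3, r3)      # origin mismatch
    relay_rewritten = bank.check("alice", BANK_ORIGIN, c3, r3)   # MAC no longer matches

    # Forgery: the attacker saw c1/r1 and c3/r3 but holds no key; tries a fresh challenge.
    c4 = bank.issue_challenge("alice")
    forged = bank.check("alice", BANK_ORIGIN, c4,
                        hmac.new(r1, signed_data(BANK_ORIGIN, c4), hashlib.sha256).digest())

    return {"legit": legit, "replay": replay, "relay_as_is": relay_as_is,
            "relay_rewritten": relay_rewritten, "forged": forged}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:16s} accepted={accepted}")
```

Only the legitimate login is accepted. The eavesdropper never sees the key (criterion 1), the consumed challenge defeats the replay (criterion 2), the origin inside the signed data defeats the relay whether the attacker forwards it untouched or rewrites the origin field (criterion 3), and nothing in the observed transcripts lets the attacker answer a fresh challenge (criterion 4).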
The factors used in MFA, although multiple, are not necessarily strong individually. The typical example is a password combined with a temporary code received by SMS: SMS is not a secure transport at all, since messages cross operator networks unencrypted and can be diverted by SIM swapping or by abuse of SS7 signalling.
A strong authentication system does not, in theory, need to be multi-factor. In practice, strong authentication systems are most often based on a possession factor that is itself locked by a password or by biometrics, so that it is not compromised if the device is stolen.
Examples of strong authentication systems based on a possession factor are:
- certificate authentication (on a smart card or USB token)
- the FIDO2 and FIDO U2F protocols
- TOTP (RFC 6238) codes from an authenticator app, with the caveat that a TOTP code can be relayed by a real-time phishing proxy within its validity window, so it meets the man-in-the-middle criterion less well than FIDO2, whose response is bound to the site's origin
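Since TOTP appears both as a replay-resistant example above and in this list, here is an added Python example, written for this page rather than taken from the article or from any authenticator vendor, implementing RFC 4226/RFC 6238 against the RFC's own test secret. It puts two verifiers side by side: one that only checks the code against the current time step, and one that also remembers the last accepted step. Only the second makes the "valid once" claim true; against the first, a code captured from the user remains good for the rest of its 30-second step plus any drift tolerance. The 8-digit codes and the times 59 and 1111111109 are the RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
import time

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"),
# used so the codes produced here can be checked against the RFC tables.
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)


class NaiveVerifier:
    """Accepts any code valid for the current step (+/- skew steps of clock drift).
    Nothing stops a captured code from being presented again inside its window."""

    def __init__(self, secret: bytes, skew: int = 1) -> None:
        self.secret, self.skew = secret, skew

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        return any(hmac.compare_digest(hotp(self.secret, s), code)
                   for s in range(now - self.skew, now + self.skew + 1))


class ReplaySafeVerifier(NaiveVerifier):
    """Also remembers the last time step it accepted and refuses that step (and
    earlier ones) again, as RFC 6238 section 5.2 advises."""

    def __init__(self, secret: bytes, skew: int = 1) -> None:
        super().__init__(secret, skew)
        self.last_step_used = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for s in range(now - self.skew, now + self.skew + 1):
            if s <= self.last_step_used:
                continue                      # step already consumed: treat as replay
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step_used = s
                return True
        return False


def replay_outcome(verifier_cls, t_login: int = 59, t_replay: int = 70) -> tuple[bool, bool]:
    """Returns (first login accepted, same captured code accepted again 11 s later)."""
    v = verifier_cls(RFC_SECRET)
    code = totp(RFC_SECRET, t_login)          # what the user's app displays at t_login
    return v.verify(code, t_login), v.verify(code, t_replay)


if __name__ == "__main__":
    print("current code:", totp(RFC_SECRET, int(time.time())))
    print("naive verifier       (login, replay):", replay_outcome(NaiveVerifier))
    print("replay-safe verifier (login, replay):", replay_outcome(ReplaySafeVerifier))
```

The replay-safe verifier must persist last_step_used per user across requests (in the user record or a shared store), otherwise a second application instance behind a load balancer will happily accept the replayed code. Note also that the skew window is a trade-off: each extra step of tolerance doubles the number of codes a guesser can hit, so pair it with rate limiting on failed attempts.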
Conclusion
The choice of an authentication type must be made in relation to the criticality of the data, the context in which authentication takes place and the target user profiles. Thus, in 2021, ANSSI recommended favoring multi-factor authentication in a large number of cases, adapting the strength of a password to its context, and using a password manager (vault).