6th Mar 2019

MFA vs. 2FA: Making payments securely

New solutions are being developed all the time to help organisations handle private information safely. Two making waves right now are multi-factor authentication (MFA) and two-factor authentication (2FA). They sound similar – both offer an extra layer of security at the point of login – but they’re not exactly the same.

In order to benefit from this extra layer of security, you’ll need to know the difference. So here, AccessPay looks at the issue of MFA vs. 2FA and how both can help you make payments securely.

At the point of login

Organisations traditionally use passwords to secure the systems that hold private information such as online folders, social media profiles, hand-held devices etc. If this data is compromised – say a hacker breaks into your devices – the consequences will be serious. Figures show that the average cost of a data breach globally can now run as high as US$3.86 million for corporates. However, the costs can run far, far higher – under GDPR you can be fined as much as €20 million for a breach.

Passwords aren’t that secure. They can be guessed or accidentally leaked to cyber-criminals – hacked passwords are known to cause 81% of data breaches. It doesn’t help that people can be careless. Evidence suggests that 73% of users have the same password for multiple accounts.

There are solutions that your organisation can use to address this issue. This includes systems such as LastPass, which use a secure vault (which can only be accessed with one complex master password) where a user can access all their passwords. It’s also a good idea, however, to use these systems in tandem with other security tools so you’re not just relying on passwords.

PSD2: Boosting security

The EU’s Second Payments Services Directive (PSD2) has addressed the concerns many have with existing security measures like passwords, by bringing in new security rules for payments. These are its Strong Customer Authentication (SCA) guidelines, and they could prove to be game-changing.

SCA outlines three things for users to present in order to prove their identity at the point of login. These are…

  • Knowledge (something you know, such as a password)
  • Inherence (something you are that’s unique to you, such as a fingerprint)
  • Possession (something you have, such as a physical security token)

This is where MFA and 2FA come in, as they help you fulfill your organisation’s SCA requirements for processing payments. As a side note, there are exemptions from SCA (e.g. transactions under €30, as well as subscriptions/recurring payments of a fixed amount from the second transaction onward).

Dispelling the Myths Around UK Payments – The UK payments landscape is changing rapidly. To dispel any myths, we’ve put together a FREE eBook that offers straightforward guidance and insight.

What is MFA?

The brings us to MFA vs. 2FA. Let’s start by defining MFA. This is a multi-layered authentication system for granting access to devices, apps, files etc. It fulfills the requirements of SCA by asking users for something they know, something they have and something they are at the point of login.

What is 2FA?

It’s important to note 2FA is MFA, but not all MFA is 2FA. Confused? Let’s define 2FA to clear things up. 2FA is an authentication system, where you need to present two forms of I.D. (out of the three mandated by SCA) at the point of login. So 2FA is essentially a type of MFA; it allows you to make payments securely while offering some flexibility over how you access payment systems.

The good and the bad

There are advantages to using these forms of I.D. verification to protect your systems. By requiring users to present something that’s inherently unique to them (e.g. voice) and/or a physical piece of kit like a security token at the point of login, it’s harder for fraudsters to hack your systems. Also, 2FA and MFA make it easier to comply not just with PSD2 but with GPDR (which requires you to protect personal customer data in your systems or face those harsh financial consequences mentioned earlier) too.

The Essential GDPR guide for Finance Directors – CEO & Marketing Director from AccessPay sat down with data experts from Manchester-based solicitors Turner Parkinson, to discuss the implication GDPR will have on finance professionals.

This sounds great – or for the cynical among you, too good to be true. So are there any downsides? Well MFA and 2FA aren’t perfect – nothing is – but they are pretty secure. Cost of implementation could be an issue though. Figures show that companies already spend 19% of expenditure on IT, so the upgrade costs involved in rolling out MFA and 2FA might be too much for some organisations.

You have to weigh up the cost of implementation, against the projected financial gains, to really understand the value of these authentication features. A study from Grand View Research shows that the global MFA market will experience a Compound Annual Growth Rate of 15.07%, to reach US$17.76 billion by 2025. A staggering 75% of this revenue growth will come from 2FA alone.

Secure your finances with AccessPay

So where does that leave us? MFA and 2FA are similar – both are security solutions for confirming the identity of a user at the point of login. 2FA is now a popular form of authentication for many organisations, as it allows them to take advantage of MFA tech to protect sensitive details – especially those associated with making payments, but it provides a level of flexibility too.

AccessPay offers 2FA as part of our comprehensive security solution for payments. You can use our tech to make sure everyone is who they say they are when logging in to make payments on your behalf, placing another security layer between you and fraudsters. Together with tools such as data masking, 4/6-eye approvals and PGP encryption, we use this to make sure your data is always safe.