
What is MFA, and why does your app need it?

Learn what MFA stands for, why your app needs it, and how to integrate it using WorkOS.


According to the Verizon Data Breach Investigations Report, 83% of breaches involved external actors, and 49% used stolen credentials. Implementing MFA is a big step toward preventing these attacks and securing your app.

In this article, we’ll discuss:

  • What is MFA, and what is its role in security?
  • How MFA works
  • The challenges and best practices for implementing MFA
  • How WorkOS can help you integrate MFA into your app

What MFA stands for & why it’s important

MFA stands for Multi-Factor Authentication. It’s an added layer of security that requires users to verify their identity using two or more different factors before gaining access. 

This can prevent some breaches because passwords are inherently insecure. They’re stealable, hackable, brute-forceable, forgettable, and, in most cases, short and poorly chosen (only 1 in 3 Americans uses a password manager).

However, even if a password is compromised, MFA can still protect your account by requiring additional proof drawn from the 3 authentication factors described next.

How MFA works: The three authentication factors

MFA works by layering multiple verification forms to ensure that the person accessing an account is who they claim to be. Instead of just relying on one form of identification, MFA requires users to provide additional evidence from three categories of authentication factors:

  1. Knowledge factors (something you know): This is the information that only you should know, like a password, PIN, or security question answer. It's the most common factor in authentication processes, but relying on this alone isn't enough anymore with the rise of phishing and data breaches. 
  2. Possession factors (something you have): This is something physical that you own, like your phone or a hardware security key. Think about when you get a one-time code sent to your phone to log in — that’s something you have.
  3. Inherence factors (something you are): This refers to your biometrics — your fingerprint, facial recognition, or even voice. These are unique to you and much harder for someone else to fake.

Common MFA methods for mobile apps

SMS-based authentication

SMS is probably the most popular method listed here. Though there are exceptions, such as virtual numbers and text forwarding, generally, if you can receive an SMS at the specified number, you need to have that device (usually your phone) on hand.

It’s far from foolproof and less secure than you might think (WorkOS no longer supports SMS-based MFA due to known security issues).

There are plenty of ways for hackers to get hold of your MFA code, such as smishing or SIM swaps, which is precisely what happened to Reddit a few years ago in their data breach.

Mobile authentication apps

TOTP stands for Time-Based One Time Password, and it’s the scheme that underlies authentication apps like Authy and Google Authenticator. The basic gist is that you use cryptography to generate a secure code and input that code into the app you’re trying to sign into.

TOTP was first proposed as a spec from the IETF (Internet Engineering Task Force) in 2011 and has since become quite popular. A little more on what’s going on under the hood: When you first sign up for whatever app you’re using, it will display a QR code you scan with your phone. That QR code carries a cryptographic secret that is stored on your device, while a matching copy of the same secret sits on the app server.

When you combine that secret with the current time (rounded to a 30-second step) using a keyed hash function (HMAC), you get a short numeric code. Input that code into the app, which shares the same secret and computes the same time step, and it will authenticate you.

What makes TOTP so secure is that the code itself is never delivered to you: through the magic of cryptography, the app derives what the code needs to be independently of your device. You can think of it as two doors with the same lock and key. So, there’s no chance of someone intercepting your MFA codes in transit, since they’re never sent to you over the internet (unlike SMS or email-based MFA). This is what MFA does: It adds an extra security barrier that’s difficult for attackers to bypass.

Pro tip: An even more secure authentication method is to go passwordless, which avoids the risk of exposed passwords altogether.

Biometric authentication

Biometric authentication leverages your unique physical characteristics, such as fingerprints, facial recognition, or voice patterns, to verify your identity. Many smartphones today come equipped with these features, making it a popular and convenient option for MFA.

Biometrics stand out because they rely on something inherent to you — something that can’t easily be lost, stolen, or guessed, like a password or device. When you use biometric authentication, your device scans your fingerprint or face and compares that scan to a stored version on your phone. If they match, access is granted.

Biometrics are considered highly secure because replicating someone’s physical traits is incredibly difficult. However, no system is flawless — there are rare cases where biometrics can be spoofed (for example, using a high-quality fingerprint replica). Still, these attacks require significant effort and are far less common than phishing or SIM-swapping attacks seen with other methods like SMS.

Challenges and best practices for implementing MFA

MFA is essential when securing access to sensitive data, especially in industries requiring compliance with standards like SOC 2. However, implementing it comes with a few challenges:

User experience and adoption

MFA can be a pain for users. Users might be less likely to adopt if the setup is too complicated or the process feels like a chore (for example, clunky OTP forms or needing to switch between multiple apps). 

Balancing security and usability 

Not all MFA methods are created equal. SMS might be the easiest for users, but it’s also the least secure. On the other hand, TOTP (using an app like Google Authenticator) is far more secure, but it requires an extra step, like downloading an app and scanning a QR code. Finding the sweet spot between security and ease of use is critical for keeping users happy while maintaining robust protection.

Device loss and recovery

What happens when users lose access to their phone or the device they’ve set up for MFA? Without a solid recovery plan, they could be locked out of their accounts. Offering backup options, like recovery codes or alternative authentication methods, can help ensure they’re not stuck in a frustrating loop.

Clock skew and time sync issues

When using TOTP, you must manage time synchronization between your servers and the user’s device. If there's a slight mismatch, users might get frustrated when their codes don’t work. To prevent this, accept codes from a small rolling window of adjacent time steps (for example, one step before and after the current one) to account for small differences in time, and keep that window small so a captured code stays valid for as short a period as possible.
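The TOTP derivation described in the "Mobile authentication apps" section and the skew window described just above, as an added example written for this article (not WorkOS code). It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only; the verifier accepts codes from adjacent time steps and rejects any counter at or before the last accepted one, so a code that was already used cannot be replayed. The base32 secrets are a constructed sample and the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret, in the base32 form an enrollment QR code carries.
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"
# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the Unix time divided into fixed steps."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1,
                last_used=None, step: int = 30, digits: int = 6):
    """Return the matching counter, or None if the code is not accepted.

    `window` is how many steps of clock skew to tolerate on each side.
    `last_used` is the counter of the last accepted code for this user;
    any candidate at or before it is rejected so a captured code cannot
    be replayed inside the window.
    """
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_used is not None and candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the sample secret:", totp(SAMPLE_SECRET_B32, now))
```

After a successful check, persist the returned counter as the user's `last_used` value so the same code is refused if it is submitted again.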

Implementation complexities

Implementing MFA in-house can be tedious and complex. You’ll need to adjust user tables to track who has MFA enabled, securely store secrets, and manage expiration timestamps for one-time passwords (OTPs). 

If you opt for TOTP, you must also generate QR codes and account for time synchronization issues between servers and devices. 

On the front end, you have to integrate MFA seamlessly into the login flow in a way that gives users a good user experience without causing frustration. WorkOS simplifies this entire process. 

How WorkOS helps integrate MFA into your app

MFA is included with WorkOS User Management and can be enabled in just a few steps. With just a single API, you can set up TOTP or SMS passcodes in an existing app. 

You also have the flexibility to enforce MFA for all users or make them opt-in, and you can customize SMS messages to match your brand. 

For sensitive actions, WorkOS lets you require extra authentication from your users. Best of all, it's free for up to 1 million MAUs.

If you need extra incentive, consider enterprise readiness. The sooner you can demonstrate your commitment to security with features like MFA, the sooner you can close bigger deals.

Sign up for WorkOS today, and start selling to enterprise customers tomorrow.
