Multifactor Authentication Process
There has been a lot of talk in recent years about multi-factor authentication, but the authentication process behind most MFA solutions is seldom explained clearly. In this post we walk through the steps of a standard MFA authentication process. These MFA solutions, even if not perfect, are a cornerstone of improving your security posture, but they have flaws that will be the subject of another of our blog posts.
If you have questions or need consultancy on implementing MFA in your organisation, do not hesitate to contact us at info@srity.be
Step 1 - Access request
The user is trying to access a protected resource (for example, a website or an application).
Step 2 - Entering credentials
The user enters their credentials, usually a username and password.
Step 3 - Transmission of credentials
Credentials are sent to the authentication server over a secure connection (such as HTTPS).
Step 4 - Credential verification
The authentication server compares the credentials provided with those stored in its database.
Step 5 - Initial validation
If the credentials match, the server validates this first step of authentication.
Step 6 - MFA triggering
The server requests a second authentication factor. This can be a code sent by SMS, a push notification on an authenticator app, or biometric data (fingerprint, facial recognition).
Step 7 - Entering the second factor
The user provides the required second authentication factor.
Step 8 - Second factor verification
The server verifies the validity of the second factor.
Step 9 - Final validation
If the second factor is correct, the server validates the multi-factor authentication.
Step 10 - Session token generation
If successful, the server generates a unique session token for the user.
Step 11 - Sending the token
The session token is sent to the client (browser or application) and stored, often in the form of a cookie.
Step 12 - Authorized access
The client uses the session token to access protected resources without having to reauthenticate with each request.
Step 13 - Token expiration
The session token has a limited lifetime. Once expired, the user must reauthenticate.
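The server side of the thirteen steps above, written here as an added Python example (not code from the original post): a salted password check for steps 4-5, an RFC 6238 TOTP check as the authenticator-app second factor for steps 6-9, and session token issue, use and expiry for steps 10-13. The user record, salt, TOTP seed and timestamps are constructed demo values.

```python
import hashlib, hmac, secrets, struct

PBKDF2_ITERATIONS = 100_000
SESSION_TTL = 900  # seconds a session token stays valid (step 13)
SALT = b"constructed-demo-salt"

def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

# Constructed demo store: the server holds a salted password hash and the shared
# TOTP seed (the RFC 6238 test seed here), never plaintext passwords or one-time codes.
USERS = {"alice": {"pw_hash": hash_password("correct horse"),
                   "totp_seed": b"12345678901234567890"}}
SESSIONS = {}  # token -> (username, expiry time)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme most authenticator apps use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_credentials(username: str, password: str) -> bool:
    """Steps 4-5: constant-time comparison against the stored hash."""
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(hash_password(password), user["pw_hash"])

def verify_second_factor(username: str, code: str, now: int) -> bool:
    """Steps 8-9: accept the current and the previous 30 s window to tolerate clock skew."""
    seed = USERS[username]["totp_seed"]
    return any(hmac.compare_digest(totp(seed, now - skew), code) for skew in (0, 30))

def issue_session(username: str, now: int) -> str:
    """Steps 10-11: an unguessable random token bound to a short expiry."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, now + SESSION_TTL)
    return token

def authorize(token: str, now: int):
    """Steps 12-13: the user for a live token, None once it has expired or is unknown."""
    username, expiry = SESSIONS.get(token, (None, 0))
    if now >= expiry:  # unknown tokens carry expiry 0 and fail here too
        SESSIONS.pop(token, None)
        return None
    return username

def login(username: str, password: str, code: str, now: int):
    """Steps 1-11 in order: no token exists until both factors have passed."""
    if not verify_credentials(username, password) or not verify_second_factor(username, code, now):
        return None
    return issue_session(username, now)
```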