
Multi-Factor Authentication (MFA) Solution Requirements

Traditional password-based authentication relies only on a user’s login credentials (username and password) to provide access to an enterprise system. This “single-factor” authentication method is not secure or reliable, since attackers can easily steal or compromise passwords to gain unauthorized access to an authorized user’s account or device. They can then launch many types of attacks, such as phishing, credential stuffing, brute force, dictionary, keylogger, and Man-in-the-Middle (MitM).

So how can you protect your organization from these attackers?

One of the best alternatives to password-based security is Multi-Factor Authentication (MFA).

MFA does not rely only on the user’s credentials for authentication. Instead, it asks the user to provide at least one more authentication factor to verify their identity. When the system can verify all the factors, only then does it allow the user to access the system. Thus, MFA helps ensure that a user really is who they say they are. It also provides stronger, more reliable security against cyberthreats compared to password-only systems.

But there are many MFA solutions out there. How do you choose the right solution for your enterprise?

Use the list below to guide your research and investment.

#1. Authentication Methods

Most modern MFA systems require users to use authentication factors from at least two of three different categories:

  • Something the user “knows” (knowledge)
  • Something the user “has” (possession)
  • Something the user “is” (inherence)

Your MFA solution should not make it harder for users to access their corporate solutions. For this, it’s essential that they be able to use the factors they’re already familiar with, whether these factors are knowledge-based, possession-based, or inherence-based.

Here are some authentication methods you can explore.

Push-based, native, mobile one-time password (OTP) authenticator

A push-based, native, mobile one-time password (OTP) authenticator system sends the user a text message with a numeric code that they must enter before they are granted access to the account or application.

An OTP is a “one and done” kind of authentication factor. Since it can only be used once, threat actors cannot reuse it when a user has already used it. This helps increase security and makes it harder for the adversary to penetrate private accounts. Plus, there’s no need to install any special software and most users are already comfortable with text messaging, making it a convenient and user-friendly authentication mechanism.

The disadvantage of mobile-based OTP is that if the device is stolen, a bad actor can intercept the OTP to compromise accounts. The privacy and security of SMS messages are not guaranteed by mobile network operators, so threat actors can intercept them for malicious purposes. Moreover, they can also intercept OTP messages by installing malware on a user’s device, especially if the user is accessing the device over an open or unsecured network.

Offline time-based verification codes (TOTP)

Time-based verification codes (TOTP) are a type of OTP authentication in which a temporary passcode is generated using the current time of day as an authentication factor. This passcode expires after a set amount of time and cannot be reused, even if it is intercepted by an unauthorized user.


TOTP is fairly easy and cost-effective to implement and does not always require new hardware. All users need is an authentication app on their device.


Of course, the system is not perfect. If the user loses or misplaces their device, or if the device battery dies, they will not be able to receive the TOTP code. Also, the authentication app and the server share a secret key. If a bad actor manages to clone this key, they can generate new valid TOTP codes and compromise an authorized user’s account. Some TOTP systems lock users out if they make too many login attempts, say, because the code expires too quickly.
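As an added example (not code from OneLogin or any product named on this page), the sketch below implements the RFC 6238 time-based code and a server-side check that enforces the properties described above: expiry, no reuse, and lockout after repeated failures. The `TotpVerifier` class, the drift window, and the `MAX_FAILURES` threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds per time step (RFC 6238 default)
DIGITS = 6
MAX_FAILURES = 5   # assumed lockout threshold, not taken from the page


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side state for one enrolled user (hypothetical class)."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret            # the key shared with the authenticator app
        self.drift_steps = drift_steps  # tolerated clock skew, in time steps
        self.last_used_step = -1        # highest time step already consumed
        self.failures = 0

    def verify(self, code: str, now: int) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"
        current = now // STEP
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            expected = totp(self.secret, step * STEP)
            # Constant-time comparison avoids leaking matching digits.
            if hmac.compare_digest(expected.encode(), code.encode()):
                if step <= self.last_used_step:
                    break               # correct code, already used: replay
                self.last_used_step = step
                self.failures = 0
                return "ok"
        self.failures += 1
        return "rejected"
```

Anyone holding `secret` can call `totp()` and produce valid codes, which is why the shared key needs the same protection on the server as a password hash or private key.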

Hardware tokens

A hardware token is a small physical device that enables users to access a specific account or application. The Yubico YubiKey is one type of hardware token that provides strong authentication security for various apps and online services. This key-shaped fob plugs into the user’s device to complete authentication after the user has entered their password. Other types of hardware tokens include USB tokens, Bluetooth tokens, and smart cards.


Most tokens combine hardware-based authentication with public key cryptography, making them difficult to compromise. To break into a system, an adversary must physically steal the token, which is not always easy to do if the user is careful. Many hard tokens work even without an Internet connection, eliminating the possibility of Internet-based attacks.

Hardware tokens can prevent remote attacks, and are suitable if you need a high security system that requires network isolation. Some also support password managers for added user convenience. Also, users can unlink the token from their accounts to prevent unauthorized use.


One possible drawback is that a token can be lost or stolen, in which case it needs to be replaced. This can increase costs for the organization. Also, if the token is used for a breach, the breach itself can be very severe if the user uses the same token to access multiple accounts.

Software tokens

A software token is a digital authentication key. It requires an app or software installed on a physical device, such as a smartphone. It sends a one-time-use authentication code to the device or may accept biometric data like fingerprint scans or facial recognition for authentication.


Like hard tokens, soft tokens also increase security and limit the possibility of unauthorized access. They are also easy to use, low-maintenance, and less expensive than hardware tokens. Many are even free to use.


However, a software token also has its disadvantages. For one, it is susceptible to remote cyberattacks since it relies on an Internet connection and software to work. If the connection is compromised, the token could be exposed as it is being stored or transmitted. But despite these drawbacks, soft tokens are still a big security upgrade over password-only systems.

Before choosing your MFA method, make sure to consider all the features, pros, and cons given above. Ideally, look for a system like OneLogin MFA that offers multiple authentication factors for enhanced flexibility, such as:

  • OTP
  • Email
  • SMS
  • Voice
  • WebAuthn for biometrics
  • Third-party options like Google Authenticator, Yubico, Duo Security, and RSA SecurID

#2. Enterprise Access

Your MFA solution should work seamlessly with all your network access systems. For instance, if you use Virtual Private Networks (VPN) to encrypt your data, and provide remote users with a secure connection over the Internet, the solution should work with the VPN. It should also “harden” the VPN to prevent data breaches, and ensure that only authorized users have access.

Similarly, if you use Secure Socket Shell (SSH) to access remote Linux systems or Remote Desktop Protocol (RDP) to remotely connect to other computers, you should be able to use the MFA solution with these systems. Further, the solution should be able to prevent account hacking attacks on these systems.

Also check if your VPN solution integrates with Remote Authentication Dial-In User Service (RADIUS), and communicates directly with your MFA solution using standard RADIUS protocols.

Does the MFA solution support current (or future) network access systems?

  • VPN access
  • Wi-Fi access
  • SSH/RDP access
  • RADIUS integration

#3. Application Integration

If your organization has a Lightweight Directory Access Protocol (LDAP) directory, the MFA solution should integrate with it, either as a software agent installed on your local network, or through LDAP over SSL (LDAPS). Ideally, the solution should also offer tight integrations with other security products and identity solutions to help authenticate users, and simplify network security management.

Also, look for a solution that supports custom integrations with applications and services, both on-premises and in the cloud. It should integrate with these apps via an API, without the need to rip and replace other solutions.

Does the MFA solution work with all business-critical apps?

  • Integration with cloud applications
  • Integration with on-premises applications
  • Integration with Human Resource Management Systems (HRMS)
  • Directory integration, such as Active Directory (AD) or LDAP
  • Integration with other identity solutions like password managers and endpoint security

#4. Flexible Authentication Policies

Deploy an MFA solution that allows you to configure granular policies at various levels: per-user, per-application, per-group, and also globally.

Application and group-level policies are important, because they allow you to configure specific protective policies for sensitive applications, or high-risk users. With global policies, you can apply the desired security threshold or baseline across the enterprise.

Also check what kind of admin controls are available. The solution should help admins to better control access to corporate systems, applications, and data, particularly in a zero-trust security environment.

Does the MFA solution enable flexible and sophisticated authentication policies at a granular level?

  • Granular policies for different identities, apps, devices, browsers, communities, and contexts
  • Allows definition of which factors can be used to verify identities
  • Customizable authentication flow
  • Intuitive, user-friendly admin console
  • Risk-based flow
  • Includes documentation around policy configurations

#5. Open Standards Support

The MFA solution must support modern open standards for authorization and authentication. For instance, Security Assertion Markup Language (SAML) allows users to access multiple web applications using one set of login credentials. It can also be used to configure MFA between different devices. Choose a solution that works with SAML to provide an additional authentication measure for authorized users.

Similarly, the OAuth 2.0 (Open Authorization) standard provides an authorization process, so users can seamlessly move between services. It also protects the user’s login credentials. However, it regulates only user authorization, not authentication, so password-only systems are still vulnerable to cyberattacks. MFA adds one or more authentication factors to verify the user’s identity before granting access, and minimizes the threat of attacks.

Does the MFA solution support popular, modern standards for secure connections to web applications?

  • SAML
  • OpenID Connect
  • OAuth 2.0

#6. Developer Support

If your organization needs to closely integrate existing apps with MFA, the solution must provide the necessary developer tools, including Application Programming Interfaces (APIs) and Software Development Kits (SDKs).

Does the MFA solution provide developer tools to customize it, and integrate it with custom applications and third-party systems?

  • APIs for MFA registration and lifecycle management
  • SDKs for all major platforms and programming languages
  • Command line to enroll in MFA and process push notifications
  • Client libraries to customize the look-and-feel of the MFA page
  • Sandbox environment to safely test MFA in a non-production environment
  • Documentation, e.g., developer guides

#7. User Community Support

The MFA solution should be easy to use by all authorized users with minimal friction in their day-to-day work. This includes both internal users like employees (in-office and remote), and external users like third-party vendors, freelancers, suppliers, etc.

The solution should work well even if users have limitations, such as disabilities, lack of smart devices, or poor cellphone networks. They should be able to self-enroll to the system, and choose their preferred authentication options. Finally, it should be easy to onboard users with minimal resistance.

Does the MFA solution support all authorized users that access your systems and data?

  • Employees
  • IT administrators
  • Third-party vendors
  • Partners
  • Customers

Also, does it support all devices these users may be using?

  • Desktops
  • Laptops
  • Mobile devices
  • Onsite and remote devices
  • Bring Your Own Device (BYOD)

#8. Reporting

It’s crucial to look for an MFA solution with robust reporting and analytics capabilities. Reports will provide an oversight of your security posture, and help you identify gaps and take steps to improve. Reports are also important for auditing, and to demonstrate compliance.

Does the MFA solution provide reports that enable you to enhance your security based on threat data and also meet compliance requirements?

  • Externalize authorization events to third-party SIEM solutions
  • Easily accessible from the admin console
  • Easy to schedule, generate, and export
  • Out-of-the-box and customizable reports
  • Detailed authentication logs and audit trails
  • Ability to effect system change based on authorization events
  • Real-time information about failed/malicious login attempts, security events, unsecured or compromised devices, etc.

#9. Advanced Requirements

Your MFA solution should satisfy all the basic requirements highlighted above. However, many solutions have all these features. To choose the best solution among them, it’s best to compare them based on the advanced requirements given below.

Behavioral Analytics

Does the MFA solution use behavioral analytics to intelligently adapt, and does it require different authentication factors?

  • Familiarity signals
  • Attack signals
  • Anomalies (user behavior and context signals)
  • Continuous authentication

Device Trust

Does the solution consider the authentication device being used?

  • Device health, including version, tampered, lock, encryption, browser plug-in, and more
  • Device reputation
  • X.509-based certificates
  • Integration with mobile device management (MDM)

General Considerations

Select a solution that can scale to support your future needs, and make sure it is highly available. Also, when comparing prices, don’t be swayed by the low cost of initial setup or onboarding to finalize your choice. Instead, consider the total cost of ownership (TCO), which will change depending on custom integrations, admin controls, use cases, support costs, etc. Look for a solution that can help you minimize admin/overhead costs, and comes with a clear pricing model.
