How invisible MFA works to reduce UX friction

MFA vs. invisible MFA

Traditional or legacy MFA follows a now-familiar process. First, users enter their usernames and passwords. Once initial authentication is complete, MFA requires additional identification factors. In most cases, traditional MFA methods involve one or more of the following steps:

• Entering a one-time code obtained via text message or email.
• Accepting a push notification.
• Entering a one-time code via an authentication app, such as Google Authenticator or Microsoft Authenticator.
• Entering a one-time code from a hardware-based security token.

These manual user tasks are both tedious for the user and present phishing risks, as cybercriminals could intercept them. In contrast, invisible MFA's passwordless authentication process happens completely behind the scenes and uses authentication methods such as the following:

• Device recognition. Preapproved, trusted devices, such as users' smartphones or computers, serve as automatic authentication factors.
• User behavior analytics. Invisible MFA software recognizes a user's normal behavior, such as keystroke or screen-swipe patterns, mouse movements and browser activity, and treats it as an authentication factor. If the system notices a change in normal behavior, it locks out the user or forces reauthentication via another factor.
• Contextual authentication. Invisible MFA can also consider the context of a user's session, such as geolocation, time of day, IP address and previous activity. If, for example, a user typically operates from an office in New York during normal business hours but suddenly logs in from Miami at 3 a.m., the system can initiate additional security steps.
• Passkeys. Passkeys use cryptography to enable invisible MFA. A passkey consists of two cryptographic keys -- a private key that lives on a user's device and a corresponding public key that is shared with the application the user needs to access. Once a user signs in to an approved device -- say, with biometric facial recognition -- the private and public passkeys interact to perform cryptography-based authentication. In simple terms, the public passkey poses a challenge that the private passkey solves but without exchanging any secrets, such as passwords or passcodes. The private key never leaves the device, and even the application in question can't access it.

From the user's perspective, invisible MFA is simpler and more streamlined than traditional MFA. It is also phishing-resistant, as no passwords, codes or push notifications are in play for cybercriminals to intercept.

People often find MFA inconvenient because it requires them to perform additional tasks before they can access applications and digital resources.

Behind the scenes, however, invisible MFA introduces additional technical complexity and takes significant time and effort to implement and maintain. For example, it requires proper collection and analysis of user and device data to inform accurate behavioral baselines.

Invisible MFA also carries a much higher risk of authentication errors. Minimizing the likelihood of false positives and negatives requires extensive fine-tuning of relevant data sets and algorithms.

Invisible MFA vs. frictionless MFA

While the terms are often used interchangeably, invisible MFA differs from frictionless MFA.

Like invisible MFA, frictionless MFA seeks to make MFA more user-friendly, in some cases by eliminating traditional password use. Unlike invisible MFA, however, frictionless MFA requires some degree of user participation in the MFA process. Its goal is to reduce -- but not necessarily eliminate -- the inconvenience users experience during authentication.

Frictionless MFA techniques include the following:

• Biometric authentication -- e.g., fingerprint, facial or voice recognition.
• Single sign-on.
• Push notifications to trusted devices.
• One-time passcodes.

In many ways, frictionless MFA represents a happy medium between invisible and traditional MFA. For the user, it is more convenient than traditional MFA. And, behind the scenes, frictionless MFA carries a lower chance of false positives and negatives -- and requires less manipulation of existing data sets and algorithms -- than invisible MFA.

Invisible MFA benefits

While invisible MFA can be technically complex to execute, it offers several key benefits, including the following:

• Stronger security and compliance. Invisible MFA provides the same advantages as traditional MFA, including alignment with corporate policies, compliance with legal regulations and a stronger security posture.
• Continuous authentication. Invisible MFA enables continuous authentication, which involves monitoring authentication factors throughout a user's session, rather than only upon initial login. Continuous authentication supports a zero-trust security approach, as it never stops verifying that users are who they say they are.
• Phishing-resistant. Invisible MFA is more resistant to phishing than traditional MFA or frictionless MFA. Cybercriminals can trick users into sharing passwords and passcodes or accepting suspicious push notifications. With invisible MFA, in which authentication happens on the back end, it is more difficult for threat actors to gain unauthorized access.
• Better UX. Invisible MFA delivers streamlined UX. Because the authentication process happens in the background, end users don't have to take additional steps to access their digital resources.
• Increased adherence. Because invisible MFA is less cumbersome than traditional MFA, users are less likely to resist using it.
• Tailored security controls. Since invisible MFA is inherently adaptive, it can reference individual users' behavioral data to deliver dynamic, tailored and risk-based security controls.

Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.

Alissa Irei is senior site editor of TechTarget Security.