Multi Factor Authentication or Biometrics?

The implementation of Multi Factor Authentication (MFA) is certainly an improvement over using just a username and password. However, this method has some disadvantages. Biometric authentication, based on patterns inherent to each person, offers greater guarantees in terms of security.

In recent years, Multi Factor Authentication (MFA) has become one of the identity authentication methods most used in all sectors on a global scale.

According to a recent Research & Markets report, the Multi Factor Authentication market size is expected to grow from an estimated value of USD 12.9 billion in 2022 to USD 26.7 billion by 2027.

Multi Factor Authentication is an identity authentication method that requires the user to provide two or more verification factors to gain access to a resource, such as an application, or an online account.

Thus, instead of requiring only a username and a password, Multi Factor Authentication requires one or more additional verification factors. Normally, two or more verification credentials are combined. These can be:

• Knowledge credentials (something the user knows) such as email addresses or username/password combinations.

• Possession credentials (something the user owns) such as a mobile phone, a USB token, and a card reader.

• Inherence credentials (something the user is/has) as biometric patterns unique to each individual.

There is no question that the Multi Factor Authentication implementation is an improvement over using just a username and password. However, this method presents some disadvantages.

Its two biggest drawbacks are security against identity fraud and the friction it creates in the user experience.


Today, one of the most widely used identity verification systems, which combines several credentials, is two-step authentication or two-step verification (2FA).

It is a system through which, when there is a login, the user is requested a second verification factor, usually through an SMS or an email. Thus, the user can confirm that he is truly the person who is accessing the account or service. Generally, this procedure creates friction with the user and is very time consuming.

Verification solutions using SMS are especially vulnerable. Device SIM cards can be hacked, duplicated or stolen and codes and emails can be intercepted.

In fact, according to the Identity Management Institute, the United States government has recommended that SMS tools not be included in the implementation of MFA systems.

But in addition to SIM card duplication or theft, there are various formulas used by cybercriminals to circumvent MFA requirements (such as social engineering, technical attacks, and physical theft). Hackers often combine several methods.

For example, data mining on social networks is a common one. The posts, games, and images we post provide enough information that can be used to guess passwords or answer security questions.

Technical attacks, on the other hand, include malware and Trojans that use some of the smarphone’s OS accessibility features, such as “enable unknown sources” or “developer options.”

These features allow cybercriminals to enable remote access, increase user privileges, and install malware on targeted systems.

Today, one of the most widely used identity verification systems, which combines several credentials, is two-step authentication or two-step verification (2FA).
Today, one of the most widely used identity verification systems, which combines several credentials, is two-step authentication or two-step verification (2FA).


Each company implements MFA or 2FA in a different way, either by sending a code to the user’s mobile device, or by sending a verification email, in addition to the username and password combination. In any case, they are systems that hinder usability for the user.

On the one hand, for the user it implies a double or triple effort, with the consequent discomfort. In the case of 2FA, for example, to verify your identity, you must leave the site where you are, be it a store, a financial, educational or health service, to go to your mailbox, copy a code and enter it, or go to your email and click a link.

On the other, since each company implements it in a different way, there is no common usage pattern and users must learn different methods of authenticating their identity for different platforms.

All this makes the user experience unfriendly, especially for those not used to digital environments, and with consequent impact in the balance sheet.

According to Techjury, a company specialized in testing the performance of apps and websites, 70% of users abandon the use of an application if the startup process is too cumbersome or takes a long time to load.


Today, biometrics is the most reliable method of identity authentication. It is based on the measurement and analysis of each person’s unique individual physical characteristics that cannot be easily hacked.

Currently, and although it can be used alone, according to Gartner’s 2022 Innovation Insight for Biometric Authentication report, it is often integrated with some other type of token as part of the standard suite of biometric identification, such as Open ID and FIDO.

Some MFA applications use biometrics as one of the identification credentials of their authentication system. In some cases, for example, the user accesses the service with a password, and then associates a biometric pattern with that password, such as his fingerprint or his face, which he stores on his smartphone.

This facilitates usability, since, in practice, the user will use his biometric pattern to access the service, but, in fact, it is not a biometric authentication system.

The biometrics in these cases will be activating the stored password to access the service. The password can be hacked, and it is possible to associate it with another biometric pattern on a device other than that of the user.


B-FY is a biometric system of “Identification as a Service” (IDaaS), with which our clients can truly identify their users instead of simply “matching” certain authentication credentials, either knowledge or possession credentials.

It is a system that uses the biometric tools integrated into the device’s operating system, which does not require effort for the user and where a learning curve is not necessary.

On the other hand, there are no associated costs for recurrent identifications such as those generated by sending SMS any time verifying an identification is needed.


Protecting people and their identity is one of the premises of B-FY. Our identification protocol does not incorporate passwords or credentials of possession or knowledge of any kind.

To identify the user, B-FY only needs to validate their phone number and email. These user data are linked to their device where they have their biometric pattern, allowing user identification exclusively from that specific physical device and with the user’s biometrics.

If the device is stolen, it will not be possible to access a service protected with B-FY either, since it would be necessary to provide the biometric data of the device’s owner.

In addition, with B-FY the user’s data never leaves the user’s physical device, nor does it go to any server, so it is not susceptible to hacking. The user has control of their biometric data at all times.


The B-FY system is integrated into the client’s application in the places where they want to make an identification. These can be online (web, support systems, or any relevant application depending on the sector), or physical (access control systems to buildings, events, etc.).

In places where the client has integrated B-FY, a temporary QR code will be generated and the user will read it with the application installed on their device, and in which the service they wish to access will be included.

This procedure will initiate a communication process between the user’s device, B-FY’s server and the customer’s online or physical access point, during which the user will identify himself with the user’s biometrics.

In this way, in any identification process, both the app and the access point are verified, since it has the B-FY “cloud” system as interlocutor to operate.

During this process, the only communication between the app and the physical access point or the client’s website is the reading of the temporary QR, which guarantees that the user is in front of the screen.

The rest of the operations are carried out from the central B-FY system, without direct app-access point communication. This is how we guarantee the identity of the user.

Do you want to know more? Request a free demo here.