Why Multi-Factor Authentication (MFA)

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

Palo Alto Networks is big on MFA. Read how this little detail can be a big impact in protecting your digital assets and network resources. Get answers on LIVEcommunity.



What is Multi-Factor Authentication (MFA)?

MFA has proven to be a method to reduce the risk of breaches due to stolen or weak credentials. Nearly any MFA method is an improvement over username and password alone.


Face it, most of us are bad at managing our passwords. Honestly, how many passwords are you re-using on different services? Sure, some of you will deny doing this, but many users reuse passwords and there are bad guys out there ready to steal your credentials.


Every password is at risk. Seriously, databases can be breached, you can be tricked through some phishing email, and so on. Bad guys are very resourceful in getting your passwords. Passwords might eventually either leak or be stolen and used somewhere else. In such case, MFA comes to the rescue!


Why MFA? What does it do?

MFA adds a second method (2FA) or multiple methods (MFA) of ID verification to secure your access. Something you know (your password) in addition to something you have (for example your phone or token) or something that's part of you (for example a retina scan). With this additional layer of protection, attackers will not be able to access your account even if they know your password.


Common use case is where you'll get a one time password generated by a token, a smartphone, or sent through text message. But be careful, this doesn't mean you're secure.


Through a SIM swap attack hackers can basically take over your phone number. In case of the classic 2FA hard tokens, they used to rely on a shared seed that resides on a server. If this seed is stolen then the MFA security becomes useless. Google authenticator uses the same principle. You register for a specific provider and a QR code is generated. The assumption here, again, is that this secret is not corrupt.


What are more secure ways of doing this?

Basically, any method using asymmetric encryption will be more secure. There is no seed file or secret on the server to compromise. That's just how asymmetric encryption works. It uses a mathematical operation with two keys (one public and one private).


The Palo Alto Networks firewall supports the following MFA factors:


Push An endpoint device (e.g., phone or tablet) prompts the user to allow or deny authentication.
Short message service (SMS) An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.
Voice An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.
One-time password (OTP) An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.



See how Palo Alto Networks can help you with MFA:

PAN-OS Administrator's Guide - Multi-Factor Authentication

PAN-OS Administrator’s Guide - Configure Multi-Factor Authentication

Palo Alto Networks Compatibility Matrix - MFA Vendor Support



Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.


As always, we welcome all comments and feedback in the comments section below.


Stay Secure,
Kiwi out!

1 Comment
  • 325 Subscriptions
Register or Sign-in