What is Multi-Factor Authentication (MFA)?
If you've ever had to enter a code sent to your phone after typing in your password, you've used
multi-factor authentication (MFA). At its core, MFA is about making sure you are who you say you are - by requiring two or more ways of proving it.
So, what does multi-factor authentication mean? It means that access is granted only when two or more of the following are verified:
Knowledge – something you know (like a password or PIN).
Possession – something you have (like your phone or a security token).
Inherence – something you are (like your face or fingerprint).
Each of these is an authentication factor, but real security comes when more than one is used.
Common Multi-Factor Authentication Examples
Let’s look at a few multi factor authentication examples and assess how strong they truly are.
Password or PIN + SMS OTP (Knowledge + Possession)
This combination is common but outdated, as SMS codes are highly phishable. Here’s how:
A scammer calls pretending to be your bank and says, “We’ve detected suspicious activity. Please read back the code we just sent you.”
As you do this, they are carrying out an account recovery with your bank - they type in your email, send a request for the one-time code, and type in the one that you have just read out. They now have access. Plus, SMS messages will cost the bank significant amounts of money to send - making them both risky and expensive.
Password or PIN + FaceID (Knowledge + Local Inherence)
This might look like MFA, but it’s not. FaceID is local – the app trusts your device to do the checking. But the device can’t tell if the biometric matches the user who enrolled.
Why is this risky? A fraudster could steal your phone, observe your PIN, reset FaceID to their face, and then gain access to your apps. And the app is none the wiser.
In some cases, systems can detect that biometric settings (FaceID) have been changed, but rely on knowledge-based fallback authentication methods like SMS OTPs or passwords, which as we have covered, are not secure.
We’ve written a blog that discusses this in more detail:
The New Limits of FaceID: Why Banks Need a Better Solution.
Password or PIN + Passkey (Knowledge + Local Inherence - again)
Passkeys sound secure - they’re passwordless, use biometrics, and are linked to your device. But again, the biometric check is local. If someone takes over your device, they can register their own biometrics.
Passkeys verify the device, not the user - and if they fail, fall back to a password.
Password + Call Center (Knowledge + Human Verification)
In theory, a helpful fallback. In practice, call centers are risky, as call center agents can be tricked and social engineering attacks are common. Call centers are also expensive - some estimates place the cost at USD $16–$25 per call.
Microsoft Authenticator (Knowledge + Possession)
Multi-factor authentication (MFA) is being used more and more across the workplace. In office environments, authenticator apps like the Microsoft Authenticator can be used to verify your identity. But again, this only proves you have your phone - not that you are you. Microsoft does not speak to
FIDO2 Security Keys (Knowledge + Possession)
These are small USB or NFC devices that are hard to phish. Ideal for employees. But again, no inherence check - anyone holding the key can log in.
So while these solutions are strong, they don’t prove the real identity of the user.
Here’s the issue: None of these methods prove who is behind the screen. They prove that someone knows a password, has a phone, or can unlock a device. But not that they are the person who signed up.
Multi-Factor Authentication with Biometric Face Matching
True multi-factor authentication happens by comparing two things:
That the face of the person logging in to an app is the same face that was used to sign up. This process is known as face matching and enables real identity authentication - not just device-based trust.
That the device used to log in is also the same that was used to sign up.
This ensures inherence (using facial biometrics) and possession (using a person’s device). Having these two authentication factors makes account takeover fraud much harder. If someone steals your device, they need your face. If someone uses a deepfake to copy your face, they need your device.
By checking the person’s face and device whenever they carry out a risky action in an app, the user (and the app) is continuously assuring their identity.
In short, this is known as biometric face matching.
However, it’s only possible using cloud-based biometric authentication - FaceID doesn’t do it.
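The decision logic described above, as an added illustration that is not Keyless's code or any product's API: the server holds the face reference and the device identity captured at sign-up, and a login succeeds only when the presented face matches the enrolled reference (inherence) and the presenting device proves it holds the key provisioned at enrollment (possession). The face embeddings are short constructed vectors compared by cosine similarity, the 0.90 threshold is an assumed value, and the device proof is an HMAC over a one-time server nonce with a secret issued at enrollment, a stand-in for a real per-device asymmetric key.

```python
import hashlib
import hmac
import math
import secrets

FACE_MATCH_THRESHOLD = 0.90  # assumed threshold on cosine similarity


def cosine_similarity(a, b):
    """Similarity of two embeddings; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb)


def sign_challenge(device_key, nonce):
    """What the enrolled device computes over the server's nonce."""
    return hmac.new(device_key, nonce.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self):
        self.enrolled = {}  # user_id -> face reference, device id, device key
        self.nonces = {}    # user_id -> outstanding one-time nonces

    def enroll(self, user_id, face_embedding, device_id):
        """Sign-up: store the face reference and bind a key to this device."""
        device_key = secrets.token_bytes(32)
        self.enrolled[user_id] = {
            "face": list(face_embedding),
            "device_id": device_id,
            "device_key": device_key,
        }
        return device_key  # provisioned to the device once, at sign-up

    def issue_challenge(self, user_id):
        nonce = secrets.token_hex(16)
        self.nonces.setdefault(user_id, set()).add(nonce)
        return nonce

    def authenticate(self, user_id, face_embedding, device_id, nonce, signature):
        """Return (ok, reason). Both factors must pass; the nonce is single-use."""
        rec = self.enrolled.get(user_id)
        if rec is None:
            return (False, "unknown user")
        outstanding = self.nonces.get(user_id, set())
        if nonce not in outstanding:
            return (False, "unknown or replayed nonce")
        outstanding.discard(nonce)
        # Possession: the same device that enrolled must answer the challenge.
        if device_id != rec["device_id"]:
            return (False, "device mismatch")
        expected = sign_challenge(rec["device_key"], nonce)
        if not hmac.compare_digest(expected, signature):
            return (False, "device signature invalid")
        # Inherence: the login face must match the face captured at sign-up.
        score = cosine_similarity(face_embedding, rec["face"])
        if score < FACE_MATCH_THRESHOLD:
            return (False, f"face mismatch (score {score:.2f})")
        return (True, f"ok (face score {score:.2f})")


def run_scenarios():
    """Constructed scenarios: legitimate login, stolen device, deepfake, replay."""
    server = AuthServer()
    enrolled_face = [1.0, 0.0, 0.0, 0.0]      # constructed embedding from sign-up
    same_person = [0.95, 0.10, 0.05, 0.0]    # constructed: same person, later capture
    other_person = [0.0, 1.0, 0.0, 0.0]      # constructed: a different face
    key = server.enroll("alice", enrolled_face, "phone-A")
    results = {}

    n = server.issue_challenge("alice")
    results["legit"] = server.authenticate(
        "alice", same_person, "phone-A", n, sign_challenge(key, n))[0]

    # Stolen device: right device and key, wrong face.
    n = server.issue_challenge("alice")
    results["stolen_device"] = server.authenticate(
        "alice", other_person, "phone-A", n, sign_challenge(key, n))[0]

    # Deepfake of the right face, but from a device that never enrolled.
    n = server.issue_challenge("alice")
    results["deepfake_other_device"] = server.authenticate(
        "alice", same_person, "phone-B", n, sign_challenge(secrets.token_bytes(32), n))[0]

    # Replaying an already-consumed nonce with otherwise valid inputs.
    results["replay"] = server.authenticate(
        "alice", same_person, "phone-A", n, sign_challenge(key, n))[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The order of checks mirrors the text: a stolen device fails on the face, a copied face fails on the device, and a captured exchange fails on the single-use nonce. In a real deployment the detailed reason belongs in server-side logs for fraud analysis, not in the response returned to the client.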
Cloud-Based Biometrics (Inherence + Possession)
Cloud-based biometric systems are the alternative to device-bound methods. Built by third-party providers such as Keyless, as opposed to by the device manufacturer, these systems store biometric reference data on remote servers and use it to verify users during authentication.
There are different implementations of third-party, cloud-based biometrics: centralized, decentralized, and zero-knowledge systems. Both centralized and decentralized storage can introduce privacy and security risks if the server is breached, with zero-knowledge systems currently offering the strongest mix of security and privacy.
The key point, however, is that combining inherence and possession through cloud biometrics is the only way to prove the user is who they say they are. Knowledge-based authentication has never been able to, and pseudo-inherence methods like FaceID are only sticking plasters.
Final Thoughts: What is the Best Multi-Factor Authentication Solution?
If you’ve made it this far, you’re probably wondering: what is the best multi-factor authentication solution?
It depends on your priorities - but here’s what to look for:
Real identity assurance: Does it authenticate you, not just your device?
Strong security: Is it resistant to phishing, spoofing, and man-in-the-middle attacks?
Privacy: Does it protect your biometric data?
User experience: Is it frictionless and fast?
Cross-platform use: Can it work across apps, devices, and users?
Legacy MFA tools - like passwords and OTPs - no longer meet today’s security needs. And while passkeys and FaceID are convenient, they are just sticking plasters to knowledge-based authentication.
The future is in cloud-based biometric multi-factor authentication. This method combines something you are and something you have, and matches a user’s face to the one taken when they set up their account.