MFA: Multi-Factor Authentication

Last updated: 2/9/2026. Reading time: 4 min.

Full Name: Multi-Factor Authentication

Definition

Multi-Factor Authentication (MFA) is a security mechanism that requires users to provide two or more independent verification factors from different categories before granting access. The three standard factor categories are: something you know (password, PIN), something you have (smartphone, security key, smart card), and something you are (fingerprint, face, iris). In the EUDI Wallet ecosystem, MFA is a mandatory requirement for achieving LoA High, the highest level of assurance defined by eIDAS 2.0. EUDI Wallets typically implement MFA by combining device possession (a registered smartphone with hardware-backed cryptographic keys) with biometric verification or PIN entry.

The Three Authentication Factor Categories

Knowledge factors (something you know) include passwords, PINs, and security questions. In EUDI Wallets, the primary knowledge factor is a PIN that users set during wallet activation. While PINs are vulnerable to shoulder surfing and social engineering, they serve as a reliable fallback when biometric authentication is unavailable (for example, with wet fingers or in bright sunlight that interferes with face recognition).

Possession factors (something you have) are physical objects the user controls. In EUDI Wallets, the registered smartphone itself serves as the possession factor, specifically through the hardware-backed cryptographic keys held in the device's secure hardware (a Trusted Execution Environment or a dedicated Secure Element). These keys are generated inside that hardware and are designed so that they cannot be extracted or cloned, so physical possession of the specific registered device is required. Key attestation provides cryptographic proof that the key exists in genuine secure hardware.

Inherence factors (something you are) are biometric characteristics unique to the individual. EUDI Wallets typically support fingerprint recognition and facial recognition as available on the user's device. Biometric factors provide the strongest user experience because authentication is fast and effortless: a simple fingerprint touch or face glance. Modern smartphone biometric systems have false acceptance rates below 1 in 50,000, providing strong security against impersonation.

For MFA to be effective, the factors must come from different categories and be independent of each other. Combining a password with a PIN (both knowledge factors) would not constitute MFA. EUDI Wallets achieve true multi-factor authentication by combining device possession (hardware-backed key) with either biometric verification or PIN entry.
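The following Python is an added illustration of the verification logic the preceding paragraphs describe; it is not code from this page or from any EUDI Wallet implementation. It checks that the presented factors span at least two categories (so password plus PIN is rejected), proves possession by having a device-bound key sign a fresh challenge, and verifies a PIN stored as a PBKDF2 hash. Two simplifications are assumptions of this example: HMAC-SHA256 with a shared secret stands in for the asymmetric key a real secure element holds (registration would normally hand over a public key plus its key attestation), and the biometric factor is modelled as a match verdict reported by the device. All class and function names, the PIN value and the scenarios are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Factor:
    category: str  # KNOWLEDGE, POSSESSION or INHERENCE
    kind: str      # "pin", "password", "device_key" or "biometric"
    proof: bytes   # PIN digits, signature over the challenge, or biometric verdict


def is_multi_factor(factors) -> bool:
    """True only when the presented factors span two or more categories."""
    return len({f.category for f in factors}) >= 2


class SecureElement:
    """Stand-in for the phone's TEE/SE: the key signs challenges and never leaves.
    Simplification: HMAC-SHA256 replaces the asymmetric key a real wallet uses."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # generated inside the "hardware"

    def sign(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

    def register_with(self, verifier) -> None:
        # HMAC needs a shared secret; a real wallet would register a public key
        # together with its key attestation instead.
        verifier.register_device(self._key)


class Verifier:
    """Checks the factors presented for one wallet operation."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin, self._salt)
        self._device_secret = None
        self._challenge = None

    @classmethod
    def _hash_pin(cls, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, cls.PBKDF2_ROUNDS)

    def register_device(self, secret: bytes) -> None:
        self._device_secret = secret

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(32)  # fresh nonce per attempt
        return self._challenge

    def _check(self, f: Factor) -> bool:
        if f.kind == "device_key":
            if self._challenge is None or self._device_secret is None:
                return False
            expected = hmac.new(self._device_secret, self._challenge, hashlib.sha256).digest()
            return hmac.compare_digest(expected, f.proof)
        if f.kind == "pin":
            return hmac.compare_digest(self._pin_hash, self._hash_pin(f.proof.decode(), self._salt))
        if f.kind == "biometric":
            return f.proof == b"match"  # verdict reported by the device's sensor
        return False  # passwords and unknown kinds are not accepted by this wallet

    def authenticate(self, factors) -> tuple[bool, str]:
        if not is_multi_factor(factors):
            return False, "not MFA: every factor comes from the same category"
        results = {f.kind: self._check(f) for f in factors}
        # Possession is mandatory: a biometric verdict is only trustworthy when it
        # arrives from the registered device, proven by the challenge signature.
        if not results.get("device_key"):
            return False, "possession factor missing or invalid"
        failed = sorted(kind for kind, ok in results.items() if not ok)
        if failed:
            return False, "invalid factor(s): " + ", ".join(failed)
        self._challenge = None  # a challenge is single-use, so a signature cannot be replayed
        return True, "authenticated"


def run_scenarios() -> dict:
    """Constructed scenarios from the article; maps scenario name -> accepted."""
    phone, verifier = SecureElement(), Verifier(pin="246810")
    phone.register_with(verifier)

    def pin(digits):
        return Factor(KNOWLEDGE, "pin", digits.encode())

    def dev(se):
        return Factor(POSSESSION, "device_key", se.sign(verifier.new_challenge()))

    password = Factor(KNOWLEDGE, "password", b"hunter2")
    bio = Factor(INHERENCE, "biometric", b"match")
    out = {
        "password_plus_pin": verifier.authenticate([password, pin("246810")])[0],
        "device_plus_pin": verifier.authenticate([dev(phone), pin("246810")])[0],
        "device_plus_biometric": verifier.authenticate([dev(phone), bio])[0],
        "device_plus_wrong_pin": verifier.authenticate([dev(phone), pin("000000")])[0],
        "phished_pin_on_other_device": verifier.authenticate([dev(SecureElement()), pin("246810")])[0],
        "stolen_device_no_second_factor": verifier.authenticate([dev(phone)])[0],
    }
    signed = dev(phone)
    verifier.authenticate([signed, pin("246810")])  # legitimate use consumes the challenge
    out["replayed_signature"] = verifier.authenticate([signed, pin("246810")])[0]
    return out
```

Running `run_scenarios()` accepts only the two combinations the article names (device key plus PIN, device key plus biometric) and rejects a phished PIN used from another device, a device presented without a second factor, and a reused signature. The possession check is evaluated first because, in this model, the biometric verdict is only meaningful when it provably comes from the registered device.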

MFA in EUDI Wallet Operations

MFA is required at several critical points in the EUDI Wallet lifecycle. During wallet activation, the user must authenticate strongly (typically against their physical eID card via NFC) and set up their authentication factors. This creates the binding between the physical person, the device, and the wallet instance.

For credential presentation, MFA ensures that only the legitimate wallet holder can share identity credentials. When a verifier requests credentials via OpenID4VP, the wallet prompts the user for biometric or PIN authentication before releasing any data. This prevents unauthorized credential sharing if the device is unlocked and unattended.

Some implementations use risk-based authentication, adjusting the required authentication strength based on the sensitivity of the operation. Viewing non-sensitive credential details might require only device unlock, while presenting credentials to a financial institution for account opening might require explicit biometric confirmation plus PIN.

The MFA mechanism also protects against remote attacks. Even if an attacker obtains the user's PIN through phishing, they cannot use the wallet without physical possession of the registered device. Conversely, if the device is stolen, the thief cannot present credentials without the user's biometric or PIN. This multi-factor defense makes EUDI Wallets significantly more secure than password-based authentication systems.
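As an added example of the risk-based policy and the two failure cases just described (phished PIN without the device, stolen device without the user's PIN or biometric), the Python below encodes sensitivity tiers as sets of required factor categories with a freshness limit, so that a high-value presentation forces a step-up even when an older biometric verification exists. It is not code from this page or from any wallet project; the tier names, age limits, the `verifier_sector` and `purpose` request fields (standing in for what a wallet would derive from a real OpenID4VP request), and the scenarios are all constructed.

```python
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Verified:
    """A factor the wallet has already verified, and how long ago (seconds)."""
    category: str
    age: float


@dataclass(frozen=True)
class Tier:
    name: str
    groups: tuple   # each group is a frozenset; at least one category per group is needed
    max_age: float  # a verification older than this does not count and must be repeated


# Constructed policy for this example, not an ARF or eIDAS rule.
TIERS = {
    # Reading one's own credential details: screen unlock is enough.
    "view_details": Tier("view_details", (), max_age=0),
    # Ordinary presentation: device key plus either biometric or PIN, verified in the last 5 min.
    "present_standard": Tier(
        "present_standard", (frozenset({POSSESSION}), frozenset({INHERENCE, KNOWLEDGE})), 300),
    # High-value presentation such as account opening: all three, verified within 30 s.
    "present_high_value": Tier(
        "present_high_value",
        (frozenset({POSSESSION}), frozenset({INHERENCE}), frozenset({KNOWLEDGE})), 30),
}


def tier_for(request: dict) -> Tier:
    """Map a simplified presentation request to a tier (fields are constructed)."""
    if request.get("purpose") == "account_opening" or request.get("verifier_sector") == "financial":
        return TIERS["present_high_value"]
    return TIERS["present_standard"]


def authorize(tier: Tier, verified, device_unlocked: bool) -> tuple:
    """Return (allowed, unmet requirements). Each unmet entry is a step-up the wallet must prompt for."""
    if not device_unlocked:
        return False, ["device_unlock"]
    fresh = {v.category for v in verified if v.age <= tier.max_age}
    missing = [" or ".join(sorted(group)) for group in tier.groups if not (group & fresh)]
    return not missing, missing


def run_scenarios() -> dict:
    """Constructed scenarios mirroring the article; maps name -> (allowed, missing)."""
    std = TIERS["present_standard"]
    high = tier_for({"verifier_sector": "financial", "purpose": "account_opening"})
    return {
        "view_after_unlock": authorize(TIERS["view_details"], [], True),
        "standard_key_plus_pin": authorize(std, [Verified(POSSESSION, 1), Verified(KNOWLEDGE, 2)], True),
        # Unlocked, unattended phone: the wallet still demands a PIN or biometric.
        "stolen_unlocked_device": authorize(std, [Verified(POSSESSION, 1)], True),
        # Phished PIN entered somewhere without the registered device key.
        "phished_pin_no_device": authorize(std, [Verified(KNOWLEDGE, 1)], True),
        # Biometric done two minutes ago is too old for the high-value tier.
        "high_value_stale_biometric": authorize(
            high, [Verified(POSSESSION, 1), Verified(KNOWLEDGE, 1), Verified(INHERENCE, 120)], True),
        "high_value_fresh": authorize(
            high, [Verified(POSSESSION, 1), Verified(KNOWLEDGE, 1), Verified(INHERENCE, 5)], True),
    }
```

The `missing` list is what drives the user-facing prompt: an entry such as `"inherence"` for the high-value tier tells the wallet to ask for a fresh biometric confirmation on top of the PIN already entered, rather than failing the whole presentation.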

Relationship to LoA High and eIDAS 2.0

The eIDAS 2.0 regulation requires EUDI Wallets to operate at LoA High, which has specific requirements for authentication mechanisms. LoA High mandates that authentication must use at least two factors from different categories, with at least one factor based on a cryptographic key stored in a secure hardware element that resists cloning and extraction.

This hardware requirement goes beyond basic MFA (which could theoretically be implemented entirely in software) and ensures that the possession factor cannot be replicated remotely. An attacker with malware on the device cannot extract the hardware-backed key, unlike software-only solutions where keys held in application memory could be exfiltrated. For this protection to hold in practice, each use of the key should itself be gated on fresh user verification (biometric or PIN); otherwise malware that cannot read the key could still ask the secure hardware to sign on its behalf.

The LoA High MFA requirements align with the Strong Customer Authentication (SCA) requirements of PSD2 for payment services. This convergence means that EUDI Wallets can serve as universal authentication devices for both identity and payment scenarios, reducing the number of separate authentication apps citizens need to maintain.
