Wat is multifactor authenticatie (MFA)?
Multifactor authenticatie (MFA) verbetert de beveiliging door gebruikers te vragen meerdere vormen van identificatie te verstrekken om hun identiteit te verifiëren. Het voegt een extra beveiligingslaag toe aan het Authenticatie (Authentication) proces, waardoor het voor aanvallers moeilijker wordt om ongeautoriseerde toegang te krijgen.
Hier is een voorbeeld van MFA:
%3btext-align:center%3b%7d%23mermaid-0 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-0 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-0 .cluster text%7bfill:%23333%3b%7d%23mermaid-0 .cluster span%7bcolor:%23333%3b%7d%23mermaid-0 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-0 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-0 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-0 .icon-shape%2c%23mermaid-0 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-0 .icon-shape p%2c%23mermaid-0 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-0 .icon-shape rect%2c%23mermaid-0 .image-shape rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-pointEnd'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 0 L 10 5 L 0 10 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='4.5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-pointStart'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 5 L 10 10 L 10 0 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='11' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-circleEnd'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='-1' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-circleStart'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='12' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-0_flowchart-v2-crossEnd'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='-1' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-0_flowchart-v2-crossStart'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_B_C_0' d='M268%2c108L272.167%2c108C276.333%2c108%2c284.667%2c108%2c290.958%2c108.042C297.25%2c108.083%2c301.5%2c108.167%2c305.083%2c108.237C308.667%2c108.307%2c311.584%2c108.364%2c313.042%2c108.393L314.501%2c108.422'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_C_D_1' d='M484.843%2c82.093L494.736%2c78.244C504.629%2c74.395%2c524.416%2c66.698%2c537.097%2c62.849C549.779%2c59%2c555.354%2c59%2c560.263%2c59C565.172%2c59%2c569.414%2c59%2c571.535%2c59L573.656%2c59'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_D_E_2' d='M837.656%2c59L841.823%2c59C845.99%2c59%2c854.323%2c59%2c860.573%2c60.008C866.823%2c61.016%2c870.99%2c63.033%2c874.556%2c64.759C878.123%2c66.484%2c881.089%2c67.92%2c882.572%2c68.638L884.056%2c69.355'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_C_E_3' d='M484.843%2c134.907L494.736%2c138.589C504.629%2c142.272%2c524.416%2c149.636%2c561.552%2c153.318C598.688%2c157%2c653.172%2c157%2c706.247%2c157C759.323%2c157%2c810.99%2c157%2c838.906%2c155.992C866.823%2c154.984%2c870.99%2c152.967%2c874.556%2c151.241C878.123%2c149.516%2c881.089%2c148.08%2c882.572%2c147.362L884.056%2c146.645'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(544.203125%2c 59)' class='edgeLabel'%3e%3cg transform='translate(-8.453125%2c -12)' class='label'%3e%3cforeignObject height='24' width='16.90625'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3cp%3eJa%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(707.65625%2c 157)' class='edgeLabel'%3e%3cg transform='translate(-14.6796875%2c -12)' class='label'%3e%3cforeignObject height='24' width='29.359375'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3cp%3eNee%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg transform='translate(138%2c 108)' id='flowchart-B-0' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eVoer gebruikersnaam en wachtwoord in%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(414.375%2c 108)' id='flowchart-C-2' class='node default'%3e%3cpolygon transform='translate(-96.375%2c96.375)' class='label-container' points='96.375%2c0 192.75%2c-96.375 96.375%2c-192.75 0%2c-96.375'/%3e%3cg transform='translate(-69.375%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='138.75'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eMFA ingeschakeld%3f%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(707.65625%2c 59)' id='flowchart-D-4' class='node default'%3e%3crect height='102' width='260' y='-51' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -36)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='72' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eVoer tijdgebaseerd eenmalig wachtwoord (TOTP) in%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(963.9140625%2c 108)' id='flowchart-E-6' class='node default'%3e%3crect height='78' width='152.515625' y='-39' x='-76.2578125' style='' class='basic label-container'/%3e%3cg transform='translate(-46.2578125%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='92.515625'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eAuthenticatie%3cbr /%3esuccesvol%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
De definitie van “factor”
In het bovenstaande voorbeeld zijn er twee factoren:
- Gebruikersnaam en wachtwoord
- Tijdgebaseerd eenmalig wachtwoord (Time-based one-time password, TOTP) van een mobiele app
Elke factor vertegenwoordigt een andere categorie van inloggegevens die kunnen worden gebruikt om een gebruiker te authenticeren (bewijzen dat je bent wie je zegt dat je bent). In de praktijk kunnen factoren worden gecategoriseerd in drie hoofdtypen:
| Wat het betekent | Verificatiefactoren | |
|---|---|---|
| Kennis | Iets wat je weet | Wachtwoord, E-mailverificatiecode, Back-upcode |
| Bezit | Iets wat je hebt | SMS-verificatiecode, Authenticator-app OTP, Hardware-OTP (Beveiligingssleutel), Smartcard |
| Ervaring | Iets wat je bent | Biometrie zoals vingerafdrukken, gezichts-ID |
Een veelvoorkomende MFA-setup omvat het combineren van twee factoren uit verschillende categorieën, zoals een wachtwoord (kennis) en een Tijdgebaseerd eenmalig wachtwoord (Time-based one-time password, TOTP) van een authenticator-app (bezit).
Waarom is MFA belangrijk?
Er bestaat niet zoiets als perfecte beveiliging, alleen verschillende niveaus van onveiligheid. —Salman Rushdie
Het belang van MFA blijkt uit de cijfers: MFA vermindert het risico op compromittering met 99,22% over de gehele bevolking en met 98,56% in gevallen van uitgelekte inloggegevens 1 . Met behulp van MFA kunnen meer kritieke acties met vertrouwen worden ondernomen, zoals toegang tot gevoelige gegevens en het uitvoeren van financiële transacties. Het is een eenvoudige maar effectieve manier om een veel hoger beveiligingsniveau te bieden dan alleen een wachtwoord of single factor authenticatie.
MFA in moderne toepassingen
Zoals de naam al doet vermoeden, kan MFA meer dan twee factoren omvatten. Naarmate het aantal factoren toeneemt, neemt ook het beveiligingsniveau en de complexiteit van het authenticatieproces toe, waardoor het mogelijk minder gebruiksvriendelijk wordt. Terwijl Tijdgebaseerd eenmalig wachtwoord (Time-based one-time password, TOTP) de laatste jaren een populaire keuze is, zijn er nieuwe technologieën zoals Toegangssleutel (Passkey) in opkomst om een nog veiligere en gebruiksvriendelijkere MFA-ervaring te bieden.
Moderne applicaties kunnen bijvoorbeeld de WebAuthn API gebruiken om MFA met passkeys te implementeren, die phishing-bestendige inloggegevens zijn beveiligd door openbare sleutelcryptografie. Bedrijven zoals Apple hebben passkeys geïntegreerd met biometrische authenticatie (Touch ID, Face ID) om de ervaring factor direct aan het MFA-proces toe te voegen, waardoor de beveiliging wordt verhoogd en het gebruiksgemak toeneemt.
Laten we een snelle vergelijking maken voor een beter begrip. Stel dat we een gebruiker hebben die:
- Een authenticator-app op hun telefoon heeft geïnstalleerd om TOTP-codes te genereren.
- Een passkey heeft geïntegreerd met de biometrische authenticatie van hun apparaat.
Wanneer ze zich aanmelden bij een website met MFA ingeschakeld op hun laptop, zouden de twee processen er als volgt uitzien:
%3btext-align:center%3b%7d%23mermaid-1 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-1 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-1 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-1 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-1 .cluster text%7bfill:%23333%3b%7d%23mermaid-1 .cluster span%7bcolor:%23333%3b%7d%23mermaid-1 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-1 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-1 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-1 .icon-shape%2c%23mermaid-1 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-1 .icon-shape p%2c%23mermaid-1 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-1 .icon-shape rect%2c%23mermaid-1 .image-shape rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-1 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-1_flowchart-v2-pointEnd'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 0 L 10 5 L 0 10 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='4.5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-1_flowchart-v2-pointStart'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 5 L 10 10 L 10 0 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='11' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-1_flowchart-v2-circleEnd'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='-1' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-1_flowchart-v2-circleStart'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='12' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-1_flowchart-v2-crossEnd'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='-1' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-1_flowchart-v2-crossStart'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'/%3e%3cg class='edgeLabels'/%3e%3cg class='nodes'%3e%3cg transform='translate(0%2c 117)' class='root'%3e%3cg class='clusters'%3e%3cg data-look='classic' id='WebAuthn' class='cluster'%3e%3crect height='636' width='330' y='8' x='8' style=''/%3e%3cg transform='translate(135.7890625%2c 8)' class='cluster-label'%3e%3cforeignObject height='24' width='74.421875'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eWebAuthn%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='edgePaths'%3e%3cpath marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_G_H_5' d='M173%2c123.5L173%2c131.75C173%2c140%2c173%2c156.5%2c173%2c168.875C173%2c181.25%2c173%2c189.5%2c173%2c197.083C173%2c204.667%2c173%2c211.583%2c173%2c215.042L173%2c218.5'/%3e%3cpath marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_H_I_6' d='M173%2c300.5L173%2c306.75C173%2c313%2c173%2c325.5%2c173%2c334.875C173%2c344.25%2c173%2c350.5%2c173%2c356.083C173%2c361.667%2c173%2c366.583%2c173%2c369.042L173%2c371.5'/%3e%3cpath marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_I_J_7' d='M173%2c453.5L173%2c459.75C173%2c466%2c173%2c478.5%2c173%2c487.875C173%2c497.25%2c173%2c503.5%2c173%2c509.083C173%2c514.667%2c173%2c519.583%2c173%2c522.042L173%2c524.5'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg transform='translate(173%2c 173)' class='edgeLabel'%3e%3cg transform='translate(-64.9296875%2c -12)' class='label'%3e%3cforeignObject height='24' width='129.859375'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3cp%3eMFA ingeschakeld%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg transform='translate(173%2c 84.5)' id='flowchart-G-20' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eVoer gebruikersnaam en wachtwoord in%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(173%2c 261.5)' id='flowchart-H-22' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eVraag om biometrische authenticatie%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(173%2c 414.5)' id='flowchart-I-24' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eAuthenticeer met biometrie (bijv. Touch ID)%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(173%2c 567.5)' id='flowchart-J-26' class='node default'%3e%3crect height='78' width='152.515625' y='-39' x='-76.2578125' style='' class='basic label-container'/%3e%3cg transform='translate(-46.2578125%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='92.515625'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eAuthenticatie%3cbr /%3esuccesvol%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg transform='translate(380%2c 0)' class='root'%3e%3cg class='clusters'%3e%3cg data-look='classic' id='TOTP' class='cluster'%3e%3crect height='870' width='330' y='8' x='8' style=''/%3e%3cg transform='translate(151.8125%2c 8)' class='cluster-label'%3e%3cforeignObject height='24' width='42.375'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eTOTP%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='edgePaths'%3e%3cpath marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_A_B_0' d='M173%2c123.5L173%2c131.75C173%2c140%2c173%2c156.5%2c173%2c168.875C173%2c181.25%2c173%2c189.5%2c173%2c197.083C173%2c204.667%2c173%2c211.583%2c173%2c215.042L173%2c218.5'/%3e%3cpath marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_B_C_1' d='M173%2c276.5L173%2c282.75C173%2c289%2c173%2c301.5%2c173%2c310.875C173%2c320.25%2c173%2c326.5%2c173%2c332.083C173%2c337.667%2c173%2c342.583%2c173%2c345.042L173%2c347.5'/%3e%3cpath marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_C_D_2' d='M173%2c405.5L173%2c411.75C173%2c418%2c173%2c430.5%2c173%2c439.875C173%2c449.25%2c173%2c455.5%2c173%2c461.083C173%2c466.667%2c173%2c471.583%2c173%2c474.042L173%2c476.5'/%3e%3cpath marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_D_E_3' d='M173%2c558.5L173%2c564.75C173%2c571%2c173%2c583.5%2c173%2c592.875C173%2c602.25%2c173%2c608.5%2c173%2c614.083C173%2c619.667%2c173%2c624.583%2c173%2c627.042L173%2c629.5'/%3e%3cpath marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_E_F_4' d='M173%2c687.5L173%2c693.75C173%2c700%2c173%2c712.5%2c173%2c721.875C173%2c731.25%2c173%2c737.5%2c173%2c743.083C173%2c748.667%2c173%2c753.583%2c173%2c756.042L173%2c758.5'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg transform='translate(173%2c 173)' class='edgeLabel'%3e%3cg transform='translate(-64.9296875%2c -12)' class='label'%3e%3cforeignObject height='24' width='129.859375'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3cp%3eMFA ingeschakeld%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg transform='translate(173%2c 84.5)' id='flowchart-A-9' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eVoer gebruikersnaam en wachtwoord in%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(173%2c 249.5)' id='flowchart-B-11' class='node default'%3e%3crect height='54' width='215.328125' y='-27' x='-107.6640625' style='' class='basic label-container'/%3e%3cg transform='translate(-77.6640625%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='155.328125'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eVraag om TOTP-code%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(173%2c 378.5)' id='flowchart-C-13' class='node default'%3e%3crect height='54' width='228.125' y='-27' x='-114.0625' style='' class='basic label-container'/%3e%3cg transform='translate(-84.0625%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='168.125'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eOpen authenticator-app%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(173%2c 519.5)' id='flowchart-D-15' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eVind de TOTP voor de website%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(173%2c 660.5)' id='flowchart-E-17' class='node default'%3e%3crect height='54' width='218.609375' y='-27' x='-109.3046875' style='' class='basic label-container'/%3e%3cg transform='translate(-79.3046875%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='158.609375'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eVoer de TOTP-code in%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(173%2c 801.5)' id='flowchart-F-19' class='node default'%3e%3crect height='78' width='152.515625' y='-39' x='-76.2578125' style='' class='basic label-container'/%3e%3cg transform='translate(-46.2578125%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='92.515625'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eAuthenticatie%3cbr /%3esuccesvol%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
Het is duidelijk dat het WebAuthn-proces minder stappen en veel minder tijd voor gebruikers in beslag neemt. Bovendien ondersteunen bedrijven zoals Apple passkeysynchronisatie over apparaten (bijv. iPhone, iPad, Mac) om het MFA-proces soepeler te laten verlopen, terwijl een hoog beveiligingsniveau behouden blijft.
Beveiligingsoverwegingen
Bij de implementatie van MFA moeten enkele beveiligingsoverwegingen in acht worden genomen:
- Gebruik een combinatie van factoren uit verschillende categorieën om een hoger beveiligingsniveau te waarborgen. Bijvoorbeeld het combineren van een wachtwoord (kennis) met een TOTP-code (bezit).
- Vermijd het gebruik van SMS als een MFA-factor vanwege de kwetsbaarheid voor SIM-swapping-aanvallen.
- Herstelopties mogen MFA niet omzeilen. Als een gebruiker bijvoorbeeld hun authenticator-app kwijtraakt, moeten ze worden verplicht om een back-upcode of een andere MFA-factor te gebruiken om toegang te krijgen.
- Leg koelperioden op tussen mislukte MFA-pogingen om brute-force-aanvallen te voorkomen.
Zie ook
- Tijdgebaseerd eenmalig wachtwoord (Time-based one-time password, TOTP)
- WebAuthn
- Toegangssleutel (Passkey)