Access Control is governed by 4 main pillars: Identity, Authentication, Authorization and Accounting. While Identity addresses how an entity is represented (a name, a username, an IP address, etc.), Authentication ensures that the entity really is the one it claims to be. When an entity proves who it is, it may use 3 main methods: Authentication by Knowledge (something you know), Authentication by Possession (something you have) and Authentication by Characteristics (something you are).
Authentication by Knowledge uses passwords, PINs, passphrases and questionnaires, while Authentication by Possession involves some element that the user owns, such as a key, a card, a phone, a hardware or software token, a computer, a smartcard, etc. Authentication by Characteristics uses biometric factors such as fingerprints, retina, palm, voice, etc.
When the user must provide proof elements from 2 methods in order to gain access, this is called 2-Factor Authentication (2FA); when the user must provide proof elements from all 3 methods, it is called 3-Factor Authentication. Multi-Factor Authentication (MFA) is the general term for either 2-Factor or 3-Factor Authentication.
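As an added example (not code from the original article), the following Python sketch combines a knowledge factor (a salted password hash) with a possession factor (an RFC 6238 TOTP code from a software token) into a single 2-Factor check, and consumes each code once so it cannot be replayed; the user record, token secret and salt are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values (not from the article): the TOTP secret is what the
# user's software token (phone app) shares with the server; the salt is per-user.
TOTP_SECRET = b"constructed-demo-secret-0123"
SALT = b"constructed-salt"

def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Knowledge factor: store a salted PBKDF2 hash, never the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Demo user record: password hash, token secret and the last accepted time step.
USER_DB = {
    "alice": {"pw_hash": hash_password("correct horse battery staple"),
              "totp_secret": TOTP_SECRET, "last_counter": -1},
}

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time-step counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_login(username: str, password: str, otp: str, now: Optional[int] = None) -> bool:
    """2FA: the password (something you know) AND a current TOTP code (something you have)
    must both verify. Each code is accepted once, so a captured code cannot be replayed."""
    user = USER_DB.get(username)
    if user is None:
        return False
    # Knowledge factor, compared in constant time against the stored hash.
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password))
    # Possession factor: allow one 30-second step of clock drift either side.
    counter = int((time.time() if now is None else now) // 30)
    matched = None
    for step in (counter - 1, counter, counter + 1):
        if step > user["last_counter"] and hmac.compare_digest(totp(user["totp_secret"], step), otp):
            matched = step
            break
    # Both factors are always evaluated, so a failure reveals nothing about which one was wrong.
    if not pw_ok or matched is None:
        return False
    user["last_counter"] = matched  # consume the code: replay protection
    return True
```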
Identity (and, subsequently, Authentication) became one of the first targets in modern attacks. Attackers look for accounts (identities) with no password, weak passwords, well-known passwords, default passwords, unchanged passwords, duplicated passwords (the same password for multiple systems), traces of passwords left on systems, identical passwords used by multiple accounts, and clear-text passwords.
Another area of concern for security departments is credentials shared between employees (intentionally, or accidentally via a phishing or web-defacement attack) and passwords written on sticky notes.
Authentication technologies have evolved greatly in the last decade, providing organizations with many tools to secure identities.
Deploying Multi-Factor Authentication has become an action item in almost every security programme (covering network access, VPNs, domain authentication, application credentials, etc.).
Implementing such technologies not only makes an attacker less efficient at performing account takeover, but also provides a central point of management for user credentials. An Authentication Server exposes multiple interfaces (dedicated agents, TACACS/RADIUS, SAML, etc.) that allow virtually any system to integrate with the platform; the obvious benefit is that the same Multi-Factor Authentication tandem can be used across all systems: wireless authentication, switch-port authentication, VPNs (IPsec or SSL/TLS), web applications, and administrative interfaces (web, GUI or command-line based).
Once users are provisioned with multiple authentication factors, the organization starts to sense the benefits immediately: weaker methods are backed by another factor, and account compromise is harder to execute because the attacker no longer gains access to the system simply by using a weak, duplicated or identical password.
Incidents caused by password sharing (accidental or intentional) no longer lead automatically to access to sensitive resources, systems or data.