Cybersecurity Tip: Choose MFA

In many of your online accounts, you may have been asked to either provide a phone number or download an app to enable multi-factor authentication (MFA). MFA is when a user is asked to provide two or more forms of authentication when logging into an account. (When exactly two forms of authentication are required—the most common form of MFA—this is called 2-step or 2-factor authentication (2FA).)

For reasons we’ll explain, MFA is something you should strongly consider whenever the option is available.

What are the different forms of authentication?

To access a secure online account, you need to authenticate yourself—i.e., prove that you are the legitimate user with the right to access the account. The most common form of authentication, and the one we’re all familiar with, is username and password credentials. Pretty much every online account you have will require something along these lines.

However, there are multiple other forms of authentication that can be used to verify the identity of an account holder. These include:

  • Time-Based One-time passcodes (TOTP): The user is asked to enter a passcode (a short combination of digits, or letters and digits) provided to them via a secure channel only they would have access to. A common form of TOTP is an SMS text message sent by the online account system to the user’s mobile phone number on file.
    • TOTPs can also be generated by a piece of software called an authentication app that the user must download to their mobile device and register with the online account system. Passcodes are unlike the login password in that they are generated at the time of the login attempt, they are for one-time use only, and they expire within a very short period of time (e.g., 30 seconds).
  • Biometrics: The user is scanned to confirm they have physical qualities matching those on file for the legitimate account holder. These physical qualities can include things like fingerprints, facial features, hand shape, retinal pattern and voice.
  • Security Questions: The user is asked a series of questions that only they should know the answers to.

Why is MFA a good idea?

Adding MFA to your accounts does mean it’ll take a few more seconds and an extra action or two to log in. However, the additional security MFA provides more than makes up for this minor nuisance.

The fact is, any account that relies solely on traditional username/password credentials is at risk. These credentials can be compromised in a number of ways:

  • A fraudster is able to guess the user’s password.
  • A fraudster obtains the user’s credentials via a phishing, smishing or spoofing attack.
  • A fraudster obtains password credentials by hacking a user’s email account.
  • There’s a data breach into the organization maintaining the accounts, resulting in users’ credentials being leaked to the public or to the Dark Web.
  • A fraudster gains access by stealing a user’s laptop.

While MFA does not guarantee your account cannot be compromised, it does make it significantly more challenging. Take, for example, an account secured by TOTP. A fraudster anywhere in the world could obtain a user’s password if their account has been compromised and the credentials shared via the Dark Web, or via a successful phishing attempt. However, the fraudster still won’t be able to get into that user’s account because they won’t know what TOTP code to enter. To do that, they’d also need to somehow gain access to the user’s authentication app or device, or convince the user to share their TOTP code with them.

According to Microsoft, 99.9% of compromised accounts don’t have MFA.

When and How to Use MFA

Not all online accounts you access will require or even offer MFA. However, MFA is increasingly an available option for many online accounts. And for accounts involving access to financial and other sensitive information, MFA is increasingly becoming a standard requirement.

When given the choice for one of your online accounts, implement MFA. This applies not only to your work and financial accounts. Personal accounts like your email or social media accounts should also be protected, as hackers can potentially use them to gain access to credentials you may have stored within these accounts. They can also use these accounts to gain personal details about you, and use those to guess your passwords or impersonate you to access more sensitive accounts.

It’s important to remember, however, that MFA alone is not a silver bullet. MFA won’t prevent account compromise if, for example, a user doesn’t know to never share their TOTP code with someone else. (One smishing attack being used is when fraudsters send out an SMS text message saying there’s a problem with a user’s account at a financial institution. They’ll then pretend to be a help desk agent for that institution, and will ask the user for their TOTP code so they can ‘help’ them with the problem.)

Ultimately, cyber education requires an awareness of the various forms of cyberattack and what to do to stop or prevent them. An important part of that awareness is knowing that if the choice is given to you, choose MFA.