Using strong, unique passwords for every account is a fundamental part of security. But it's also "security at a minimum," meaning it's the least you can do. Multi-factor authentication, or MFA (sometimes called two-factor authentication or 2FA), strengthens a login by refusing access until a second (or third) independent factor is satisfied, so a stolen password alone is no longer enough. As a side benefit, many MFA methods also alert you when someone attempts to sign in to your account.
Traditional login procedures require only a username and password. MFA adds an additional step, a second or third factor, to the authentication process. It combines something you know with something you have and/or something you are.
Something you know.
Usernames, passwords, PINs, and security questions are all examples of “something you know.”
Something you have.
This refers to anything that you physically possess, such as a bank card, smartphone, USB drive, security tokens, etc.
Something you are.
The biometrics side of MFA, "something you are" refers to inherent traits like your fingerprints, face, iris, and voice. Two related categories are sometimes grouped with it: somewhere you are (your location) and something you do (a gesture or typing pattern), though strictly speaking those are factors in their own right.
Examples of MFA
In one of the most basic and common forms of MFA, the service sends users a one-time passcode via text message. Of course, "basic and common" also means "easily defeated." Cybercriminals can take over a victim's phone number through SIM-swap fraud, intercept messages through weaknesses in the carriers' SS7 signalling network, or simply phish the code from the user in real time, which renders SMS inferior to other options.
Most accounts also let you have the secondary code sent to an email address. Like SMS, this option qualifies as insecure: whoever controls the mailbox can read the code, and email accounts are often protected by the same reused password the attacker already holds. Regardless, using either SMS or email still offers better security than no MFA at all.
Push notifications offer a good alternative to SMS and email. Instead of receiving a message, users are prompted with a smartphone notification that asks if they're trying to sign into an account. This option offers better security than SMS or email because it requires physical possession of the registered smartphone, and it is more convenient since users need only tap "yes" or "no" rather than enter a code. The weakness is that approving is too easy: an attacker holding a stolen password can trigger prompt after prompt ("MFA fatigue" or "push bombing") until a tired user taps "yes" to make them stop. That is why newer push implementations require the user to type a number shown on the login screen into the app (number matching) before the sign-in is approved.
You can't withdraw money from an ATM without two things: a PIN (something you know) and a bank card (something you have). That's the most generic example of a physical second factor. Others include USB security keys, such as the YubiKey, which prevent access until the physical key is plugged in or tapped via NFC (near field communication). Keys that implement the FIDO2/WebAuthn standard also bind each response to the web origin that requested it, so a code entered on a look-alike phishing site cannot be replayed against the real one. If you or your end-users travel with devices that contain highly sensitive info or access to your organization's intranet, a physical token might be your best option.
Most modern smart devices now allow you to unlock them by scanning a fingerprint or by using facial recognition. Some accounts also use these biometrics as a second factor of authentication. After entering the username and password, the account asks the user to scan a fingerprint or whichever biometric the user has chosen. On most consumer devices the biometric never leaves the phone; it unlocks a key stored on the device, so in practice this combines something you are with something you have.
Of course there's an app for that! Authenticator apps work by issuing time-based one-time passwords (known as TOTP). It works like this: the user installs an authenticator app and scans a QR code that carries a shared secret for the account the user wants to protect. From then on both the app and the server derive a short code from that secret and the current time, and the code changes every 30 seconds or so. Because the secret never leaves the phone after enrollment and the code is never transmitted via SMS or email, there is no message in transit for a cybercriminal to intercept, and an attacker also needs physical access to the device. A TOTP code can still be phished and relayed within its short validity window, but authenticator apps remain one of the best options for MFA.
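To make the "secret plus current time" description concrete, here is an added example (not code from the original post or from any particular authenticator app) that implements TOTP as specified in RFC 6238 on top of HOTP (RFC 4226) with only the Python standard library. It includes the server-side verification routine, which tolerates one time step of clock drift and compares codes in constant time. The secret value and the otpauth QR-code secret used below are constructed test inputs; the first is the secret published in the RFCs' own test vectors, not a real credential.

```python
"""TOTP (RFC 6238) built on HOTP (RFC 4226); added example, standard library only."""
import base64
import hashlib
import hmac
import struct
import time

# Test-vector secret from RFC 4226 / RFC 6238 ("12345678901234567890" in ASCII).
# Constructed input for demonstration; never use a published secret for real accounts.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                              # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)       # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by the current time step."""
    return hotp(secret, at // step, digits, digestmod)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// QR code.
    Apps usually omit the '=' padding and may insert spaces, so normalise first."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, at: int, *, step: int = 30,
                digits: int = 6, window: int = 1, digestmod=hashlib.sha1) -> bool:
    """Server-side check.  Accept the current step and `window` steps either
    side (clock drift), comparing in constant time and without early exit so
    timing does not reveal which step matched."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    ok = False
    for k in range(-window, window + 1):
        candidate = totp(secret, at + k * step, step, digits, digestmod)
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


if __name__ == "__main__":
    # Hypothetical enrollment: the QR code carried this base32 secret.
    app_secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(app_secret, now)
    print("code shown in the app right now:", code)
    print("server accepts it:", verify_totp(app_secret, code, now))
```

A real deployment must additionally remember the last accepted time step per user and refuse to accept the same code twice, which turns a phished code into a one-shot attack rather than a reusable one; the example leaves that state management out.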
Why You Should Use MFA
Imagine a scenario where a massive data breach exposes millions of login credentials, including yours. Without MFA enabled, the attackers gain access to your account simply by logging in with the stolen credentials. With multi-factor authentication enabled, the stolen password gets them only as far as the second-factor prompt, and with push or app-based methods you also see an unexpected prompt telling you that someone is trying to get into your account.
While there's no replacement for strong, unique passwords, even the strongest password can be exposed in a data breach or captured by a phishing page. Take the next step in security and enable multi-factor authentication wherever possible.
Posted by Justin Bonnema, June 27, 2019