What is MFA and how does it work?
Online security is essential in today's digital landscape. With one in three American accounts falling victim to hacking, there is a dire need for robust protection.
Multi-factor authentication (MFA) is a defense against cyber threats to your online accounts. MFA gives you that extra shield to strengthen your login process by requiring multiple forms of identification.
Statistics show that only 13% of employees at small to medium businesses (SMBs) are required to use MFA, while 87% of employees at large organizations use this added layer of security. In addition, 77% of accounts depend on SMS (texting) for two-factor authentication, reflecting how widespread that method is.
With cyber-attacks rampant, multi-factor authentication is a lifesaver, effectively stopping 99.9% of modern automated cyber-attacks. Strong passwords are still required to protect your personal information online, but even a strong password does not assure total safety; you can still get hacked. In fact, 81% of hacking-related breaches result from stolen or weak passwords. Now imagine an attacker trying to breach your email account when all they hold is your password.
Without MFA, that password is the lone barrier between a potential attacker, who may exploit your personal information or gain unauthorized access to your accounts, and your private correspondence. Traditional passwords have become vulnerable to advanced hacking techniques, and, as the numbers above show, data breaches have become all too common, exposing thousands or even millions of passwords at a time.
This is why major email providers like Microsoft and Google have adopted MFA in response to this growing threat, to enhance the security of their users' accounts.
Whether you are new to cyber security or an expert, this guide is designed to educate and empower you to strengthen your online defenses, particularly with MFA, so you can navigate the ever-changing digital security space with ease.
Factors used for MFA
The authentication process typically involves providing a username and a password. The password, most often your first line of defense, falls under the category of something you know, and ideally it is a complex combination of numbers, symbols, and letters unique to you.
To enhance security further, MFA adds another layer of protection by requiring two of the following categories of authentication factor:
- Something you know
Includes your password, a personal identification number (PIN), or even an answer to a security question like your favorite musician or your favorite food.
- Something you have
The second factor can take different forms, each adding an extra security dimension. Options include time-based codes generated by an authenticator app like Authy or Google Authenticator, physical hardware tokens (used in high-security environments), and a one-time verification passcode delivered through email or text message.
- Something you are
Modern technology has made biometric authentication possible. Facial recognition, your fingerprint, or even your voice can serve as the second factor, typically on smartphones.
Additionally, data sent without encryption can be intercepted and stolen by criminals. When employees send sensitive company data, confidential reports, and login credentials across unsecured networks, it is like mailing postcards containing your confidential information for anyone who cares to read them. With the right tools, cybercriminals can effortlessly intercept that information and do what they like with it.
You should know that MFA is not confined to online contexts alone. It is also at work when you enter an authentication code from an RSA SecurID key fob to access an employer's system remotely, or when you enter a zip code while using a credit card at the gas station.
By now you will have noticed the main idea: verify identity through a combination of two distinct factors, strengthening security across the board.
How do these methods work?
Here is how the methods mentioned above work:
- Text messages (SMS)
One of the most straightforward MFA modes uses SMS (text messages) to deliver a one-time login code to your registered mobile device. This method is simple, requiring only a cellphone and a wireless network. For personal accounts, text-message-based MFA is common because of its convenience.
However, there is a real risk of impersonation: a criminal could deceive the phone company, seize control of your phone number, and use it to gain unauthorized access to your accounts.
In corporate settings especially, it is vital to be extra cautious when considering this method, mainly if employees depend on personal phone numbers. With such a setup, a dissatisfied employee who loses their job could cause significant harm. In addition, employees' personal phone plans may only provide service in some locations, potentially locking them out of their accounts while on international business trips.
Individuals using text-message MFA should protect their phone numbers against unauthorized SIM swaps. Corporate employees should ideally have dedicated company phone lines to reduce these security vulnerabilities.
- Using authenticator apps
Some accounts offer the option of using an authenticator app installed on your device, such as a tablet or phone. These apps include Microsoft Authenticator, Google Authenticator, and Duo. They generate time-based verification passcodes on the device itself, serving the same purpose as codes received through email or text; the main difference is the enhanced security. Many also offer an advanced feature, push notifications, which strengthens security further.
When someone tries to access your account, you receive a real-time notification on your mobile device, including valuable details about the login attempt: the date and time, the type of device used, the geographical location of the attempt, and the account being accessed. With a simple tap, you can approve or deny the login request, giving you direct control over your account's security. If you are seeking a higher level of protection, this one is for you.
- Biometric authentication
This method depends on the physical attributes that make you, you. It is a unique authentication method, as it requires a physical person to be present to grant access to your account. It works by using a fingerprint reader on your tablet or capturing retina scans through your device's camera; most smartphones have this feature.
However, biometric authentication has limitations. If this method is compromised, it can have lifelong consequences, because unlike a password, which can be changed at any time, your retina can never be changed. Technically, once it is captured, hackers could compromise your accounts forever.
- The security keys
These physical devices vary in size and shape and employ encryption to establish a secure link between your account and the key. The keys are versatile: some leverage near-field communication (NFC), creating a connection when the key is held close to your device, while others plug into a USB port. This method stands apart and provides an airtight defense because it does not rely on credentials, making it one of the best MFA methods available.
Enabling MFA
Many apps and sites support MFA, but it is not always on by default, so always check whether it is available. With Google, you can enable it yourself through your Gmail account or Google Account, and Google Authenticator can then generate the codes for you. To set up MFA, here is how to go about it:
- Open your Google Account.
- Find Security on the navigation panel.
- Under "Signing in to Google," select "2-Step Verification," then choose "Get started."
- Confirm your password.
- Select how you want to verify that the phone is yours: a voice call, text message, or security key, then click "Try it now."
- You will be asked to confirm using a prompt on your phone.
- Verify using your preferred method.
- Then add a backup email address or phone number in case your phone is lost or you cannot verify the prompt. Select an option, either a phone call or text message, and select "Send."
- You will receive a verification code from Google on your phone.
- Enter the code, then click "Next."
- Then click "Turn on."
- Your MFA is now set up! Be sure to check for the confirmation email from Google to ensure your process was successful.
Note that if you prefer not to provide a second verification step each time you sign in on your computer or phone, you can check the box next to "Don't ask again on this device" or "Don't ask again on this computer." Be cautious and only select this option on devices you use regularly and do not share with others, so that your account stays safe. You can also adopt two-step verification on all your accounts, from banks to social media.
While two-factor authentication is a strong security method, it is not perfect. It makes it much harder for hackers to gain unauthorized access to your data and accounts, and when hackers notice you have MFA enabled, they often give up and look for easier targets, keeping your account safe.
But you need to know that as security measures such as MFA continue to develop, hackers keep looking for new ways to get around them. For instance, some apps can read your text messages, and voice bots can get hold of the codes, or even go as far as tricking you into giving the codes away.
Marshall Thompson
Marshall is a Security Consultant and Software Engineer with a wide range of talents across development, penetration testing, and cloud services. Marshall plays a large role in the development of enterprise software at Pulsar Security, specializing in .NET, MSSQL, Azure, Active Directory, C#, and Python.