What is MFA and why you need it

Have you ever worried about hackers getting into your accounts? We do too! Even with complex passwords that are changed frequently, bad cyber actors still have ways of getting past your password.

Wouldn’t it be nice to make it significantly more difficult for them to hack your account? Actually, you can! You just need to add a second way of identifying yourself in your accounts.

What you need is more than a password! You need a second method to verify your identity.

The good news is there is one: It’s called Multi-Factor Authentication (MFA) – also known as “Two Factor Authentication” or “Two Step Authentication.”

The better news is: It only takes a minute or two to enable it, and a few seconds to use it.

What is MFA

Multi-factor authentication (MFA) is a layered approach to securing your online accounts and the data they contain. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access.

Using MFA protects your account more than just using a username and password. Users who enable MFA are significantly less likely to get hacked, according to Microsoft. Why? Because even if one factor (like your password) becomes compromised, unauthorized users will be unable to meet the second authentication requirement, ultimately stopping them from gaining access to your accounts.

So, online services are taking a step to double-check. Instead of asking you just for something you know (e.g., a password) – which can be reused, more easily cracked, or stolen – they can verify it’s you by asking for two forms of information:

They’ll ask for something you know, like a PIN or a password, along with:

  • Something you have, like an authentication application or a confirmation text on your phone, or
  • Something you are, like a fingerprint or face scan.

Why is MFA important

Implementing MFA makes it more difficult for a threat actor to gain access to business premises and information systems, such as remote access technology, email, and billing systems, even if passwords or PINs are compromised through phishing attacks or other means.

Adversaries are increasingly capable of guessing or harvesting passwords to gain illicit access. Password cracking techniques are becoming more sophisticated and high-powered computing is increasingly affordable. In addition, adversaries harvest credentials through phishing emails or by identifying passwords reused from other systems. MFA adds strong protection against account takeover by greatly increasing the level of difficulty for adversaries.

How does MFA work

MFA requires users to present two or more authentication factors at login to verify their identity before they are granted access. Each additional authentication factor added to the login process increases security. A typical MFA login would require the user to present some combination of the following:

  • Something you know: like a password or Personal Identification Number (PIN);
  • Something you have: like a smart card, mobile token, or hardware token; and,
  • Something you are: a biometric factor (e.g., fingerprint, palm print, or voice recognition).

There are many ways you may be asked to provide a second form of authentication. Here are the most popular forms of MFA (in order of strength) from weakest to strongest:

  • Text Message (SMS) or Email: When you log in to an account, the service will send a code to your phone or email account, which you then use to log in. Note that SMS/email is the weakest form of MFA, and you should only use it if none of the other options are available.
  • Authenticator App: An authenticator app is one that generates MFA login codes on your smartphone. When prompted for your MFA code, you launch the app and type in the displayed number. These codes often expire every 30 or 60 seconds.
  • Push notification: Instead of using a numeric code, the service “pushes” a request to your phone to ask if it should let you in. You will see a pop-up and can approve the login request or deny it if you did not initiate the authentication request.
  • FIDO authentication: FIDO stands for “Fast Identity Online” and is the gold standard of multi-factor authentication. The FIDO protocol is built into all major browsers and phones. It can use secure biometric authentication mechanisms – like facial recognition, a fingerprint, or voice recognition – and is built on a foundation of strong cryptography. Often it uses a physical device – a key – essentially an encrypted version of a key to your house.

Where to use MFA

Consider enforcing MFA on Internet-facing systems, such as email, remote desktop, and Virtual Private Networks (VPNs). Implementation schedules, costs, adoption willingness, and the degree of protection provided vary depending on the solutions selected and the platforms to be protected, so match the capability to the need.

Bottom line: Any form of MFA is better than no MFA. Any MFA will raise the cost of attack and will reduce your risk.

*Content for this blog was taken from CISA.gov (The Cybersecurity & Infrastructure Security Agency).