Multi-Factor Authentication

In our last article, we discussed creating secure passwords; unfortunately, a strong password alone is no longer enough to protect your accounts. We must layer up and use one of the other two authentication methods. This practice is called Multi-Factor Authentication.

Almost all major platforms now support Multi-Factor Authentication: Apple, Microsoft, Google, and even many web-based applications. Entire companies exist with the singular purpose of providing easy-to-use multi-factor authentication. So why do you need it, and how does it work?

Why Do I Need MFA?

Multi-factor authentication acts as a safety net for your accounts, either by alerting you and requiring your approval for each sign-on request or by requiring an additional code along with each sign-on. As an example, let’s say you use the same password for your LinkedIn account and your corporate account. (You should never re-use passwords, but many people do.) In May of 2016, LinkedIn was breached, exposing 164 million email addresses and passwords. You received an alert from LinkedIn and immediately changed your password, so now your LinkedIn account is safe. Whenever a breach such as this occurs, attackers immediately scour the web for linked accounts and try the same password to see if it works. Now, even though your LinkedIn account is secured, your corporate account is at risk. If multi-factor authentication is not enabled for your corporate account, attackers can log in and access all of your data.

However, if multi-factor authentication had been enabled, the attacker would have been prompted to enter a code or validate the sign-in request. This is often accomplished through a mobile app, phone call, or physical token. The attacker is stuck and must find a way to steal yet another piece of information from you.

How Does MFA Work?

Many different forms of multi-factor authentication exist. The most common and secure method leverages an application on your smartphone such as DUO, Google Authenticator, or Microsoft Authenticator. Other methods such as physical tokens (Yubico) or SMS text messages provide additional security but are less secure due to theft or cloning of cellular devices. Multi-factor codes are generated by standardized algorithms seeded with a unique code, which acts as a secret key for generating the correct response code when you sign in.

I highly encourage you to check which of your accounts support multi-factor authentication and recommend that you enable this simple feature, which greatly increases the security of your accounts.