Multifactor authentication, or MFA, is an extra layer of protection when you enter a password to log into a website or application. It’s also called two-factor authentication, or 2FA. Whatever you call it, it’s the simplest thing you can do to protect your accounts and personal information. It does add extra time to the login process, but the tradeoff is more than worth it when it comes to securing your accounts.
Methods of Multifactor Authentication
- Text message.
- Email message.
- Authenticator app.
- Additional security questions.
- Biometrics.
Text and email
These two methods are similar: choose where you want to receive a one-time code that you will need to enter on the site you are logging into. Once you receive the message, simply enter that code, and you can proceed with the login.
In a newer tactic known as “SIM swapping,” attackers gather information about you and use it to convince your mobile carrier to transfer your phone service to a SIM card in their device, so that all of your calls and texts are sent to them. They can then reset your passwords, have the notification sent to the SIM-swapped number, and gain access to your accounts.
For more on SIM swapping, check out this article: https://www.snbonline.com/about/news/how-to-prevent-sim-swap-fraud
Push notifications
According to Dataprot, 69% of MFA is done via push notifications to a mobile device. This involves an authenticator app, which sends you a notification asking if you just tried to log in to the account in question. If you confirm, you can proceed with logging in. However, if you receive one of these and you did NOT attempt to log in to that account, it can be a sign that someone is attempting to break into it.
Fight MFA Fatigue
Imagine your phone getting “blown up” with push notifications like this. Your initial instinct might be just to “make it stop” and verify the notification. This can be like handing a thief the keys to your car. And, in fact, that’s exactly how attackers were able to breach Uber. Known as “MFA Fatigue,” it preys upon the fact that spammy push notifications will annoy the end user enough to make them do whatever it takes to stop them. If this starts happening on your phone, try to get to the root cause of it before you approve the login. Contact your IT help desk if it is regarding a work account.
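For the IT help desk side of this, here is one way to spot the pattern described above in push-prompt logs. It is an added example, not part of the original article; the log format, account names, five-prompt threshold and ten-minute window are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, outcome of each push prompt.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z alice denied
2024-05-01T02:10:40Z alice timeout
2024-05-01T02:11:15Z alice denied
2024-05-01T02:11:50Z alice timeout
2024-05-01T02:12:30Z alice denied
2024-05-01T02:13:02Z alice approved
2024-05-01T08:00:00Z bob approved
2024-05-01T09:15:00Z carol denied
2024-05-01T13:40:00Z carol approved
"""

def parse(log_text):
    """Yield (time, user, outcome) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, outcome = line.split()
        yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), user, outcome

def find_push_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts with `threshold` or more rejected/ignored prompts inside
    `window` (both values are assumptions), and record whether an approval
    followed the burst."""
    recent = defaultdict(deque)   # user -> times of recent non-approved prompts
    alerts = {}
    for when, user, outcome in sorted(parse(log_text)):
        q = recent[user]
        while q and when - q[0] > window:
            q.popleft()           # drop prompts that fell out of the window
        if outcome == "approved":
            if len(q) >= threshold:
                # The user gave in after a burst: treat as a likely compromise.
                alerts[user] = "approved_after_burst"
            q.clear()
        else:
            q.append(when)
            if len(q) >= threshold:
                alerts.setdefault(user, "burst_in_progress")
    return alerts

if __name__ == "__main__":
    print(find_push_fatigue(SAMPLE_LOG))
```

An "approved_after_burst" result is the case to act on first, since it means the prompts stopped because someone finally accepted one.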
Additional security questions and biometrics
When setting up a new account, you must sometimes choose from a bank of questions that the website will ask you upon login to prove your identity. Some common examples are “What was the make and model of your first car?” or “What is your mother’s maiden name?” Some answers are easier for a hacker to guess than others. Anything that can be easily found by a Google search on your name, or a scroll through your social media, should not be one of your security questions. In addition, if you are able to remember your answers, you can give fake answers that only you know.
Biometrics
Common on mobile devices, the app may use facial recognition or a fingerprint to confirm your identity. This is a preferable user experience, as it requires little effort on the end user’s part other than to look at their screen, or press a fingertip to it.
Who needs MFA?
Additional resources
The National Cybersecurity Alliance has a ton of great content to help businesses get a handle on how to stay protected. In this article, they offer four tips to stay safe online: https://staysafeonline.org/online-safety-privacy-basics/its-easy-to-stay-safe-online-with-these-4-steps-plus-1/