What’s the point of MFA?
How do you ensure that you are, in fact, yourself? This might seem like a silly question that can be answered easily; you are an amalgamation of factors that make you an individual. You know who you are (hopefully), but what about your online accounts? How can your online accounts verify that the person accessing them is you?
The most common method of verification is a password. This combines a unique user login and a password that you come up with yourself. There’s no way that anyone else could know that information, so this proves the person trying to access your account is you. Sounds secure enough, right? Wrong.
The number of ways that your login details could be compromised is almost limitless. At the severe end are large-scale data breaches that leak huge amounts of account details to places like the dark web, where they are sold as a commodity to the highest bidder. At the simple end, someone looking over your shoulder and watching your keyboard in a public place could also compromise your details. The bottom line is that no matter how complex it may be, your password is not secure.
So how do we fix this? There are actually a lot of steps we can take to mitigate the risks of a breached account, which is how we come to our primary talking point: Multi-Factor Authentication, or MFA. MFA adds an extra layer of security, meaning that even if your password is leaked, it is not enough information for an attacker to prove that they are you. So, what does MFA actually consist of?
What can MFA do for you?
MFA covers a wide variety of factors you may choose to add to your account for extra security. Each factor is something that you are, something you know, or something you have. We will go into more detail about what each of these entails.
One factor most people will have come across before is security questions. These are used by default for things such as online banking. They involve a series of 3-5 questions that only you should know the answer to. Some examples of these may be: What was your first pet’s name? What was your first school? What is your mother’s maiden name? Questions such as these provide an extra layer of security. However, this should not be seen as an infallible method of keeping your account safe. There are several ways an attacker might use social engineering to pry these details from you without you even realizing it.
Secondary Device or Account
Using security questions is not the only method to secure your account, however. Another popular form of authentication is via a secondary device or account. This can be done by connecting either a phone number or email to the account you want to secure. In doing this, when connecting to your account, you will be asked for a secondary code. This will either be sent to your phone number or email address, or even both for extra security.
It is good practice to ensure your accounts are as secure as possible and to work proactively instead of reactively, as it is very unlikely that an attacker will be able to compromise everything. For example, suppose your email login details are leaked in a breach. An attacker then attempts to use this compromised email to log in to a variety of different services. The attacker can then access your emails to reset passwords and account emails, effectively stealing all of your accounts. Now picture the same situation, but each of those services has one or more factors of authentication. Your email has a code that is sent to your phone number, and the other sites that they try to access are protected by an authenticator app. The attacker may have the details to log in, but they do not have the code sent to your phone, and they do not have the codes generated by the authenticator app. This means that they cannot effectively access any of your accounts, giving you time to change passwords and render the leaked credentials worthless.
This is the beauty of multi-factor authentication. You are not limited to one method of security. Depending on how secure you need your account to be, you can keep adding layers of authentication. This means that a malicious actor trying to access your account will have to peel back each and every layer of security, like an onion, with the chances of them breaching each level getting exponentially smaller the more you have.
In conclusion, I can wholeheartedly say that everyone could benefit from a little extra security in their life. It is better to have it and never need it than to need it and not have it. It only takes a few extra seconds to log in, and in exchange, it makes your information tenfold more difficult for any prying eyes to access. There are many popular authenticators available for free. Examples include Google Authenticator, Microsoft Authenticator, and many third-party apps available on all different platforms.