Do you know how multi-factor authentication (MFA) or two-factor authentication (2FA) work? Have you seen it on some of your accounts, but haven’t paid much attention?
Definition
Multi-factor or two-factor authentication is an additional step you take when logging into an account to verify that it is really you. When logging in, after entering your username and password, you must also enter an additional piece of information (a second factor). You can get this information via email, text, phone call, an authenticator app, an app for the service, or a physical security token. Each of these methods has a different degree of security and ease of use.
Broad categories for authentication
Authentication can be made up of something you know, something you have, and something you are.
Something you know would be a password or a pin.
Something you have would be a physical security key, an authenticator app, an app for the service you are trying to log into, access to a phone number, or access to an email address. These authentication methods would likely provide you with a one-time password (OTP) that changes based on the time or a link that you click on. The OTP is sometimes called a token.
Something you are would be biometrics: a fingerprint, facial recognition, voice recognition, etc.
Hard versus soft tokens
Tokens that come from hardware are called hard tokens. A physical security key, keycards, RFID, key fobs, or even traditional keys are some examples. Hard tokens are generally more secure since they are harder to copy.
Soft tokens come from software. These would be email, SMS or voice, an app, or an authenticator app. They are generally less secure than hard tokens.
Types of MFA methods (from least secure to most secure)
- Email
- SMS or voice
- App of Service
- Authenticator App
- Physical security key/security token
- Backup codes
Email
You click a link or enter a code that was emailed to your email address.
Email is often used to verify that it is you logging in to a website, such as Amazon. If the site sees you logging in from a new browser, it sometimes requires you to click a link in an email it sends you. This method of authentication is fine, but it is not very secure: it is not terribly difficult to get into someone's email account, especially if that account does not have multi-factor authentication enabled, and because an email account can stay logged in on multiple devices at once, you may never know that someone else has access to it. Email is therefore a weaker MFA method, since its strength is only as good as the MFA protecting your email account.
SMS or voice
SMS or voice methods are also commonly used. You receive a text or a phone call giving you a code to enter into the website to verify it is really you. This method is better than email, but it is susceptible to SIM swapping (an attacker taking over your phone number).
App for a service you are already using
If you are trying to log into a site on your computer, you follow the directions of the notification from the same service’s app on your phone.
For example, if you are trying to log into Amazon on your PC, you can use the Amazon app on your phone to verify it is you logging into your account on your PC. An app provided by the service you are logging into is not a bad option.
Authenticator app
An authenticator app is a separate app you download specifically for the purpose of MFA. To set one up, you typically scan a QR code, and the app then generates a code for you to enter into the web page you are logging in to. You will get a new code every time you want to log in to your account, since the codes change every 30 seconds. An authenticator app is a solid option for securing your accounts. It gives you codes for all of the accounts where you enabled it, and they are all different, since the QR code you scanned when adding each account to the app was different for each website.
This is a great balance between security and flexibility. Some authenticator apps can save your accounts (encrypted) in the cloud. You don’t have to worry about a physical key that you can lose, but it still keeps your accounts secure. Here are some authenticator apps: Aegis Authenticator (open source), Authy, Google Authenticator, Microsoft Authenticator, and LastPass Authenticator.
Physical security key
This is the most secure option on the list. The key is a small device that you plug into a USB port. When you touch the button on the key, it gives you a one-time password.
Yubico offers security keys, which are the most widely accepted option.
Backup codes
Backup codes can be used when you don't have access to your other authentication method. If you are away from your security key or don't have your phone with you, they will still let you log in to the service or website. They are also great if you permanently lose access to the authentication method: they let you get into your account to change the MFA method.
If there is an option, you should always create backup codes in case you lose your MFA method. Usually, you just click a link on the MFA page in your account to create them. Being locked out of your accounts can cause problems that nobody wants, so taking this extra step can save a lot of potential headaches.
Backup codes can be as secure as you make them. If you put them in a safe place (physically or encrypted online), they should be safe from someone trying to access your account.
Signing up for multi-factor authentication
- Log in to your account
- Go into account settings or security settings or something similar
- Click the multi-factor authentication option
- Set it up – depending on the method you prefer and the options they have
You can do it!
Determine the authentication method that is best for you. We suggest an authenticator app for most people, since it is a great balance of convenience and security. Physical keys are great for those who want even more security.
Set up MFA on all of your important accounts. Then set it up on the rest of your accounts.
Encourage services and sites you use to offer secure (not just SMS-based) multi-factor authentication.
Remember it’s a marathon, not a sprint. Sustainability should be the goal.