Multi-factor authentication
What is multi-factor authentication?
Multi-factor authentication (MFA) is a login process that requires multiple forms of proof of identity, often including a password, biometric data, or a security token. When logging in, a person provides an identity—such as a username or email—and then authenticates this identity by providing additional information such as a password. Each authenticating item is called a factor. MFA requires more than one factor to authenticate the individual’s stated identity. A common MFA setup is a user ID followed by a password and then a 6-8 digit temporary code.
A similar term is two-factor authentication, also called two-step authentication or 2FA. This term specifies that exactly 2 factors are required, while the more general MFA means two or more factors are needed. MFA is becoming more common as both a user-optional and a required login process. MFA may be used when logging into a computer, unlocking a mobile device, or logging into an account or app. MFA is particularly common when logging into an account on a device not previously used to access that account.
Why is multi-factor authentication popular?
Lax security habits and improved hacking tools have weakened the security of the traditional login setup of a user ID and password. When faced with so many IDs and passwords to remember, users will often fall back on using an email address for an ID, and reuse passwords across multiple logins. This makes accounts easier to hack, especially with today’s more advanced hacking and social engineering methods.
The additional factors required by an MFA login add complexity, making it more difficult to breach security layers. A hacker may learn a user’s ID (especially if it’s an email address), and can acquire a stored password through a data breach, phishing, or password cracking. But if the hacker doesn’t have access to the source of the additional factor (for example, they can’t get the 6 digit code sent to the account owner’s mobile phone), then they won’t be able to complete the login process. More and more database owners and service providers are relying on MFA for its enhanced security against unauthorized account access.
How does multi-factor authentication work?
To be most effective, the factors should be of different types or from different sources. Using two passwords isn’t much more secure than using one—a data breach that contains one password will most likely have the second password as well.
Factors are generally divided into three categories:
- Something you know. This is usually a memorized password or PIN.
- Something you have. Often a token generator or an app on your mobile device, or an SMS message sent to your device.
- Something you are. Often your fingerprint or face scan.
Combinations of these types of authentication (know + have, know + are, have + are) are more difficult to hack or steal. Someone might be able to steal a password, but not a fingerprint. And if they don’t have your cell phone, they can’t receive any authentication codes sent to it.
Types of multi-factor authentication
One time password (OTP)
This MFA process is familiar to many people. It requires the user to enter a 6-8 digit code texted to their mobile phone, emailed, or provided in a voice message. This falls under the “have” type of factor: it assumes the rightful user is holding the phone receiving the texted or voice-recorded code. These codes are often only valid for a limited time, maybe 10-30 minutes. Expiration means there’s less chance of the code being guessed before it’s obsolete.
Getting an OTP via text has some drawbacks:
- Unsecured SMS texts can be intercepted.
- Phishing is an issue. Users can be tricked into providing an OTP when a hacker sends a text or email pretending to be the organization the user is trying to log in with. For example, the hacker trying to log in using a stolen ID and password might send a text with a link to a faked website. The fake website will collect the OTP the user unknowingly enters, and then the hacker can use the code at the real website.
- A stolen mobile device with poor personal security can put SMS texts in the hands of the thief.
- You need a mobile device and good Internet connection in order to receive the text with the code.
- An attacker can convince your mobile service provider to port your number to a new SIM card (often called a “SIM swapping attack”).
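The expiration and guess-limiting behaviour described above, as an added Python example that is not part of the original article: a small server-side service that issues a delivered code (SMS, email or voice style), stores only a hash of it bound to the user, rejects it after a lifetime, allows it to be used once, and invalidates it after a handful of wrong guesses so a 6-digit code cannot be brute-forced within its window. The class and function names, the 10-minute lifetime and the 5-attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not from the article.
CODE_DIGITS = 6
LIFETIME_SECONDS = 600      # 10 minutes
MAX_ATTEMPTS = 5            # wrong guesses tolerated before the code is discarded


@dataclass
class IssuedCode:
    digest: bytes           # only a hash of the code is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class OtpService:
    """Issue and verify short-lived, single-use delivered codes."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for testing
        self._pending: dict[str, IssuedCode] = {}

    @staticmethod
    def _digest(user: str, code: str) -> bytes:
        # Bind the hash to the user so a code issued to one account
        # cannot be replayed against another.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user: str) -> str:
        # CSPRNG-generated, zero-padded code; issuing again replaces any pending code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = IssuedCode(
            self._digest(user, code), self._clock() + LIFETIME_SECONDS)
        return code  # handed to the delivery gateway; never written to logs

    def verify(self, user: str, code: str) -> tuple[bool, str]:
        entry = self._pending.get(user)
        if entry is None:
            return False, "no pending code"          # never issued, expired, or already used
        if self._clock() > entry.expires_at:
            del self._pending[user]
            return False, "code expired"
        if entry.attempts_left <= 0:
            del self._pending[user]
            return False, "too many attempts"
        entry.attempts_left -= 1
        # Constant-time comparison of the stored and submitted digests.
        if not hmac.compare_digest(entry.digest, self._digest(user, code)):
            return False, "wrong code"
        del self._pending[user]                      # single use: consumed on success
        return True, "ok"
```

The service never stores the plaintext code, so a read of the pending table does not reveal codes still in flight, and the attempt counter is decremented before the comparison so a guess always costs an attempt.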
Token-based OTP
An OTP security token can be software installed on a user’s device, or a small physical device owned by the user. Physical devices are often a key fob or smart card—a credit card sized device—with an LCD display. The display provides a new, one-time code at regular intervals (such as every 30 or 60 seconds). Software versions are also known as authenticator apps, and are growing in popularity. Authenticator apps are installed on the user’s device (phone or tablet) and provide an OTP, replacing text, email, or voice message. A single authenticator app can manage codes for multiple login accounts.
Similar to text OTP, token-based MFA uses the “know” and “have” categories of authentication, but is more secure because it avoids weaknesses of SMS text OTP. The downside of a physical token is that it can be lost, stolen, or simply left behind (at home or in the car), leaving the user unable to log in.
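How an authenticator app or key fob derives a fresh code every 30 seconds, as an added Python example (not code from the article): the HOTP construction from RFC 4226 (HMAC over a counter, dynamic truncation, modulo 10^digits) and TOTP from RFC 6238, which sets the counter to the current Unix time divided by the step. A verifier class shows the server side: it accepts one step of clock drift either way and remembers the highest counter it has already accepted per user, so a code cannot be submitted twice. The verifier's class name, window size and the base32 helper are assumptions for this example; the test vectors come from the RFCs.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, algorithm)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (otpauth:// URIs)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                      # restore stripped padding
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side TOTP check with drift tolerance and replay rejection.

    window=1 accepts the current step plus one step on either side. The highest
    counter already accepted is stored per user so the same code (or one from an
    older step) is refused on a second submission.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter: dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self._last_counter.get(user, -1):
                continue                                      # already consumed: replay
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):           # constant-time compare
                self._last_counter[user] = candidate
                return True
        return False
```

Both ends hold the same secret, so the security of the scheme rests on keeping that secret (and the server's copy of it) confidential, and on the server refusing replays and rate-limiting guesses; the code itself carries no secret.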
Hardware keys
Hardware security keys are small physical devices that plug into your computer or mobile device, sometimes through a USB port or power input. Some models can communicate with your device wirelessly. Most are small enough to carry on a keychain when not in use.
Their advantages and disadvantages are similar to those of a token-based OTP device, but they can manage more than just one-time passcodes. Depending on the model, they can also store and use permanent passwords and other security protocols for you. Some include fingerprint readers for authenticating before running software. Hardware keys can also be built directly into a device’s secure enclave (a method that’s becoming increasingly common with the widespread support for passkeys).
Push notification
For this MFA process, the first step is logging in as usual, using an ID and password. Then the server tasked with authenticating the user “pushes” a message through the app to the user’s chosen device (usually their mobile phone) and asks the user to confirm that it’s them attempting to log in. Although there’s no information supplied like for OTP, this counts as a second factor of the “have” type because it uses a physical device (the phone) associated with the correct user. The push notification also benefits from the layer of security on the phone—the user must unlock the phone (with fingerprint, face scan, or PIN) in order to provide approval.
A push notification can serve as a warning to the user if an unauthorized person is trying to log in to the user’s account. However, it does have its own phishing attack vulnerability. A bad actor can get the service to send multiple push notifications (by repeatedly attempting to log in), until the individual finally taps “Accept” out of frustration or confusion. This is called a “multifactor fatigue attack” or “push bombing.”
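What push bombing looks like from the service side, and how a detection rule can pick it up, as an added Python example that is not part of the article: a detector reads authentication log lines, keeps a sliding window of push prompts per user, raises a medium-severity alert when the number of prompts in the window exceeds a threshold, and escalates to high severity if a prompt in a flagged burst is then approved. The log format, the sample lines, the window and threshold values are all constructed for this example; a real deployment would map its own identity provider's events onto the same logic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not from any real system): a burst of prompts to one user
# that ends in an approval, plus one normal login by another user.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice event=push_sent ip=203.0.113.5
2024-05-01T08:00:14Z user=alice event=push_denied ip=203.0.113.5
2024-05-01T08:00:20Z user=alice event=push_sent ip=203.0.113.5
2024-05-01T08:00:41Z user=alice event=push_sent ip=203.0.113.5
2024-05-01T08:01:03Z user=alice event=push_sent ip=203.0.113.5
2024-05-01T08:01:15Z user=bob event=push_sent ip=198.51.100.7
2024-05-01T08:01:22Z user=bob event=push_approved ip=198.51.100.7
2024-05-01T08:01:30Z user=alice event=push_sent ip=203.0.113.5
2024-05-01T08:01:44Z user=alice event=push_approved ip=203.0.113.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")

# Thresholds are assumptions for the example; tune them against your own baseline.
WINDOW_SECONDS = 300
MAX_PUSHES_IN_WINDOW = 3


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "ip": m["ip"]}


def detect_push_bombing(log_text: str, window: int = WINDOW_SECONDS,
                        max_pushes: int = MAX_PUSHES_IN_WINDOW) -> list[dict]:
    """Alert on users who receive more than max_pushes prompts within `window` seconds,
    and escalate if a prompt in such a burst is approved."""
    recent = defaultdict(deque)        # user -> timestamps of push_sent inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()                                      # slide the window forward
        if rec["event"] == "push_sent":
            q.append(ts)
            if len(q) > max_pushes and user not in flagged:
                flagged.add(user)
                alerts.append({"user": user, "severity": "medium", "ip": rec["ip"],
                               "reason": f"{len(q)} push prompts within {window}s"})
        elif rec["event"] == "push_approved" and user in flagged:
            alerts.append({"user": user, "severity": "high", "ip": rec["ip"],
                           "reason": "approval after push burst"})
    return alerts
```

The medium alert is the point at which a service can stop sending further prompts for that account (or switch the user to number matching), and the high alert is the one that should trigger session revocation and a password reset, since the attacker already held a valid password to reach the push step.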
Best practices for using multi-factor authentication
Multi-factor authentication offers additional layers of security to your online activity. Here are some things you can do to take advantage of MFA benefits:
- Turn on the MFA option whenever available.
- If the only MFA option available is OTP SMS codes, then it’s still recommended to use it over nothing. However, it’s recommended that you use a separate prepaid phone number or Google Voice phone number that will be used only for receiving these OTP SMS codes.
- Never share a one time passcode with anyone else.
- If you get a text or other notice with an OTP that you didn’t request, follow up with the organization, and check your accounts. But don’t use unsolicited texted or emailed links to do this—these could be phishing attempts. Instead, type the website address yourself, or use a previously stored bookmark.
- Evaluate push notifications carefully, particularly if you’re receiving them multiple times. This is probably an indication that someone is attempting to hack into your account.
- When available, set up MFA through an authenticator app. There are several available for any mobile device, and they are generally free to download and use.
What’s next for multi-factor authentication?
A recent development in MFA is a phishing-resistant process called passkeys. When you set up an account using passkeys, your device or app will store the passkey securely and link it only to the website it was originally registered for. Then whenever you use that service, your device will automatically check you’re on the right website before you authenticate with the passkey. If you accidentally click through to a fake phishing site, your device won’t recognize the website and won’t be able to find the correct passkey to login with. In this case the phishing attempt is successfully blocked, and you stay safer.
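The origin check that makes passkeys phishing-resistant, as an added Python example that is not code from the article or from any WebAuthn library: a relying party verifying a passkey (WebAuthn) assertion checks that the browser-supplied clientDataJSON carries the challenge it issued and the exact origin it expects, and that the authenticator data starts with the SHA-256 hash of its own RP ID. A look-alike domain cannot pass these checks because the browser, not the page, writes the origin into clientDataJSON and supplies the RP ID to the authenticator. The helper that builds sample input, and the function names, are assumptions for this example; signature verification over the assertion is deliberately left out so the example stays focused on the binding checks.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_passkey_binding(client_data_json_b64: str, authenticator_data: bytes,
                          expected_challenge: bytes, expected_origin: str,
                          expected_rp_id: str) -> tuple[bool, str]:
    """Challenge, origin and RP-ID checks a relying party performs on a WebAuthn assertion.

    Signature verification (over authenticator_data || sha256(clientDataJSON))
    is out of scope here and must also be done in a real verifier.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_json_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")),
                               expected_challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin {client_data.get('origin')!r} is not {expected_origin!r}"
    if len(authenticator_data) < 37:                 # 32-byte rpIdHash + flags + counter
        return False, "authenticator data too short"
    if not hmac.compare_digest(authenticator_data[:32],
                               hashlib.sha256(expected_rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:            # UP flag: user presence
        return False, "user presence flag not set"
    return True, "ok"


def build_assertion_parts(origin: str, rp_id: str, challenge: bytes):
    """Construct the pieces a browser and authenticator would produce for a page at
    `origin`. Used only to build sample input; a real relying party receives these
    from the client and never builds them itself."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
                   "origin": origin}
    client_data_b64 = b64url_encode(json.dumps(client_data).encode())
    flags = bytes([0x05])                            # UP and UV set
    sign_count = (0).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return client_data_b64, auth_data
```

The failure case is the one the paragraph describes: if a user is lured to a look-alike site, any assertion the browser produces there names the look-alike origin and its RP ID, so the genuine service refuses it even when the attacker relays the real challenge.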