We live in a world where our online accounts are becoming increasingly important to our everyday lives. Everything from shopping to job hunting to banking to catching up with friends will usually need some sort of online account.
Most of us access these accounts using an email address and a password. This has been the default way to log in to sites and services for a long time, but it could be more secure. If there are accounts that you couldn’t imagine living without, then you may wish to secure them further with multi-factor authentication (MFA).
What is multi-factor authentication and how does it work?
MFA is an authentication method where 2 or more requirements must be met before a user is authenticated.
Usually, the first form of authentication is a password. This has been a standard means of authentication for as long as people have been logging into things. This is good, but it has its limitations.
People tend to use passwords they can remember, which are usually short and contain words that are guessable. A lot of people also reuse passwords, which increases the risk that a password will be involved in a breach. This can be avoided by following good password guidance and using a password manager (Read my previous blog on the subject).
Even with a good password it is advisable to have an additional line of defence. This can come in several forms:
Text message (SMS) codes are the easiest way to set up MFA if you have never done it before. All you need is a phone that can receive text messages. When you log in to a site with your password, a text message will be sent to your phone. The message will contain a code. You simply enter this code into the website or service to log in.
This is better than just a password as the code will change each time you log in. For any potential hacker to access your account, they would need both your password and your registered phone.
The second way to use MFA is through a dedicated authenticator app. There are several available, such as Google Authenticator, LastPass, Microsoft Authenticator and more. These may all have slightly different interfaces, but all use the same method of authentication.
The app is paired with the website/service you are using. This is usually done by entering a code or scanning a QR code with the authenticator app. Once this is done, the app will show you a number for that website. This number must be entered along with your username and password to log in. The number will change regularly, so again, you will need your phone to log in.
Similar to SMS, this checks your identity by ensuring that you are the user you claim to be, and that as well as knowing the password, you have access to the phone registered with the account.
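How an authenticator app and the site arrive at the same changing number, shown as an added example that is not from the original post. It assumes the time-based one-time password scheme (TOTP, RFC 6238) that these apps commonly implement; the secret is the RFC's published test key, and the 30-second step, 6-digit length and function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the published RFC 6238 test key, standing in for the
# secret a site would embed in its pairing QR code.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP = 30    # seconds each code stays valid (assumed; the common default)
DIGITS = 6   # length of the number the app shows (assumed)


def totp(secret_b32, unix_time):
    """Return the code the app displays at unix_time for the paired secret."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation picks 4 bytes
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, unix_time, last_used_step=-1, drift=1):
    """Server-side check: return the matched time step, or None.

    Codes from +/- drift steps are accepted to tolerate clock skew; any step
    at or before last_used_step is refused so a seen code cannot be replayed.
    """
    current = unix_time // STEP
    for step in range(current - drift, current + drift + 1):
        if step < 0 or step <= last_used_step:
            continue
        expected = totp(secret_b32, step * STEP)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step
    return None


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp so the output is reproducible
    code = totp(SECRET_B32, now)
    step = verify(SECRET_B32, code, now)
    print("app shows", code, "- accepted at step", step)
    print("replay:", verify(SECRET_B32, code, now, last_used_step=step))
```

The site stores the step returned by `verify` and passes it back as `last_used_step` on the next login, which is what makes each code single-use.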
Hardware MFA is a more specialised form of authentication, and the exact details vary between implementations. The basic idea is that, in order to authenticate to a website/service, you must have a physical object. Sometimes the hardware requires biometric authentication, such as a fingerprint, for extra security.
This may seem like a high-tech solution, but you are likely most used to seeing this in the form of a credit/debit card. In order to access your money, you need the physical hardware (the card) and the password (PIN). This is one of the most widely used forms of MFA. Some banks will also give you a small card reader for online banking. This is the same idea: you need both the object and the password to log in.
Do I need multi-factor authentication?
If you are the sort of person who has their phone in their hand at all times, then this is worth it. It adds an extra layer of security to your accounts. As a rule of thumb, any account that supports MFA and that you need to keep secure should use it.
MFA does come with inconveniences. You need to have your device to hand to log in. There is a bit of setting up to do if you change your phone. It will take a bit longer to log in. All of these can be annoying, but they are far less of an inconvenience than having to recover an account if one is breached, or dealing with the consequences of an attack on your account.