I’m sure you’ve seen the message asking you to set up multi-factor authentication (MFA) on your social media accounts, online banking apps or email, and I know what you’re thinking: “Great, another step to log in.” While it does add an extra step to the login process, it is crucial to keeping your accounts secure.
But what’s the worst that can happen if you don’t set up MFA? Passwords are generally easy for scammers to crack, and cybercriminals can also obtain your password in a data breach. Once they gain access to your account, they can steal your money or personal information, infect your devices with ransomware or impersonate you online. MFA is the easiest way to maximize the security of your accounts and sensitive data.
What is multi-factor authentication?
MFA—also referred to as two-factor authentication (2FA)—is a security process that requires you to provide two or more different authentication factors before you can access an account or system. These factors typically fall into three categories:
- Something you know, such as a code or PIN.
- Something you have, such as a smartphone.
- Something you are, such as a fingerprint.
By requiring multiple factors, MFA provides an additional layer of security that can help prevent unauthorized access, even if an attacker has obtained your password or other login credentials. MFA is commonly used for online banking, e-commerce, social media, and other online services to protect against identity theft, data breaches, and other cyber threats.
What options are available for multi-factor authentication?
There are plenty of different options for MFA. However, each option has its own advantages and disadvantages, and some are much easier for attackers to bypass than others.
Authenticator Apps
One form of MFA that is gaining popularity amongst cybersecurity experts is the use of an authenticator app, such as Authy or Duo Mobile. To use one, you download the app to your phone, then connect your account to the app by entering a secret key that the service provides (often by scanning a QR code). The app stores that secret key, which ties it to your account. Whenever you log in, the authenticator app generates a unique, one-time numeric code from that key, and you must enter the code to access your account.
Pros
- Authenticator apps generate one-time passwords (OTPs) that can only be used once and have a short expiration time. This means that even if someone intercepts the code, it will no longer be valid by the time they try to use it.
- They are generally more convenient than other types of MFA. Most apps can be downloaded onto a smartphone, making them easy to access and use on the go.
- They typically work with a wide range of online services and platforms, and more are adopting this type of authentication as an option for their users.
Cons
- Most authenticator apps are tied to a single device, which means that if you lose or replace that device, you may lose access to your accounts. Some apps offer recovery options, but it’s important to have a backup plan.
- Authenticator apps can sometimes have technical issues, such as the phone’s clock drifting out of sync with the service, which can cause the codes to be rejected as invalid. While such issues are rare, they can be frustrating.
SMS Codes
The most widely adopted form of MFA for online accounts is SMS codes. However, experts no longer recommend SMS-based MFA because it can be bypassed relatively easily. This type of MFA involves a numeric code texted to your phone, which you then enter into the account’s login screen to gain access. The problem is that attackers can use various techniques to intercept the code and gain access to your accounts.
Pros
- SMS-based MFA is simple, as it only requires you to have access to a mobile phone to receive the SMS code.
- SMS-based MFA is widely adopted by online services and platforms.
Cons
- SMS-based MFA is vulnerable to several types of attacks—such as SIM swapping, session cookie hijacking, or man-in-the-middle attacks—that let an attacker intercept the code and gain access to your accounts.
- SMS messages can be delayed or fail to arrive, which can lead to frustration and inconvenience when trying to authenticate.
Biometric Authentication
Biometric authentication uses unique physical characteristics to confirm an individual’s identity. These characteristics can include fingerprints, iris scans, facial recognition, voice recognition, or even the way someone types or walks. Biometric authentication is becoming more common in devices like smartphones and laptops, and it can also be used in high-security areas like banks and government agencies.
Pros
- Biometric authentication can provide a seamless and intuitive user experience, because you don’t need to remember or enter complex passwords or PINs, which reduces user frustration and improves usability.
- Biometric authentication is often considered more secure because it relies on unique biological characteristics that are difficult to replicate or forge.
Cons
- Biometric data is highly personal and sensitive, and there are concerns about how this data is stored, used and protected by organizations. If a company’s database of biometric data is hacked or breached, it could lead to significant privacy violations.
- Biometric authentication can be vulnerable to spoofing attacks, where someone creates a fake biometric sample (such as a fingerprint or face scan) to trick the system into granting access.
- Not all online services and platforms support the use of biometric authentication.
Security Tokens
Security tokens are small hardware devices that generate a unique code you must enter to log in. They can be attached to a keychain or carried in a pocket.
Pros
- They use unique cryptographic keys to generate one-time codes that are difficult to intercept or replicate.
- They do not require you to have a mobile phone or internet connection.
Cons
- Security tokens can be more expensive than other forms of MFA, as they require a physical hardware device.
- Security tokens can be lost or stolen, which can create security risks if they fall into the wrong hands.
Our Recommendations
We highly recommend enabling MFA on all accounts because it provides an additional layer of security that can greatly reduce the risk of unauthorized access or data breaches. With MFA enabled, attackers who have access to your username and password will still need an additional factor to gain access to your account. MFA is particularly important for accounts that contain sensitive information or that are used for financial transactions, but we recommend it for all accounts—including social media, email and gaming accounts.
We generally recommend authenticator apps for the average consumer because they provide a good balance of security and convenience. Compared to other types of MFA, such as SMS-based MFA or security tokens, authenticator apps are more secure because they generate unique one-time codes that are difficult to intercept or replicate. While SMS-based MFA can be convenient, it has been found to be less secure due to various vulnerabilities, such as SIM swapping. Therefore, authenticator apps are generally considered the best option for anyone who wants to enhance the security of their online accounts without sacrificing convenience or breaking the bank.
A previous version of this blog was originally posted on May 19, 2022.