Cyber security

Multi-factor Authentication: What is it and why do you need it?

Traditional usernames and passwords can be easily compromised. Multi-factor authentication (MFA), is a security control that requires users to verify their identities by providing multiple pieces of evidence before gaining access to a device or application. It is an enhancement over the two-factor authentication (2FA), which requires only two pieces of evidence. This is the only difference between the two. A few examples of multi-factor authentication are codes created by Authenticator apps on mobile devices, answers to personal security questions, codes sent to an email address or by SMS to a phone, fingerprints, etc.

And why is it important?

According to entrepreneur  90 percent of employee passwords can be cracked in six hours and 65% of people use the same password is multiple places.

Whereas Microsoft manager Alex Weinert stated in a 2019 blog post that, “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

What are the possible authentication factors?

• Something that you know – This could be a password, a PIN code or answer to a secret question
• Something that you have – This is always related to a physical device, such as a mobile phone, a USB security device (YubiKey), a security code generator, etc.
• Something that you are – This is a biological factor, such as a face or voice recognition, fingerprint scanner, DNA, handwriting or retina scan
• Time and location factors identifying your physical location. For example, attempt to log into an account from an unauthorised country can be blocked or a time sensitive access.

Most common forms of 2FA

• A one-time password, that you receive as text message (SMS) on your mobile phone
• The security code generator device, which generates a specific code at a specific time – usually used with your username and password for Internet banking
• The security code generator mobile app generates a random time sensitive code.

Here are a few examples of security code generating mobile apps:

• Google Authenticator available for Android, iOS and Blackberry
• LastPass authenticator available for Android, iOS
• Authy for Android, iOS, but also available as desktop app and browser extension
• Microsoft Authenticator
• HMRC authenticator

These apps use Time-Based One-Time Password (TOTP) algorithm. They will generate a time-sensitive six-digit code, which you can use to verify your login. The code will typically refresh every 30-60 seconds.

Tags: MFA Passwords Security