A Brief Introduction to MFA

If you are reading this, then you are becoming a cybersecurity geek, or you already are one and you just can’t get enough. You wake up at four in the morning wondering if you should use 2048- or 4096-bit RSA encryption for your SMS messages. (Always go with 4096.) You avoid password sticky notes and phishing scams like the plague. You are paranoid, but well informed. If you have been keeping up with recent posts, you already know how to generate or create secure and memorable passwords. However, your vast technical ability and common sense will inevitably fail you.

Data breaches often occur from factors that are beyond any one user’s control. Companies may use an insecure cryptographic algorithm, have poor password management practices, or leave an admin account logged in on an unlocked desktop in the corporate office, with the password on a sticky note, just “in case.” In all of these scenarios, it does not matter how secure your particular passwords are if the organization storing your information ever drops the ball.

This is where two-factor authentication (2FA) comes in. Two-factor authentication requires that the user present two methods of proving identity for account access. There are three widely accepted forms of identification online: the first is something the user knows, like a password, passphrase or PIN; the second is something that only the user has, like a mobile device or a hardware token; and the third is something unique to the user’s body, like a fingerprint. Two-factor authentication requires any two of these. That way, if a password is compromised, account access is still restricted.

Let’s say, for example, that your account at example.com was compromised 3 hrs ago. That is more than enough time for your password or password hash, along with those of 3 million other users, to be stored and distributed online. If you used the same password, or simple variations of it, across multiple sites, the attackers can access your email, social media, government, and banking accounts.

Multi-factor authentication (MFA) systems require more than one factor of authentication to prove identity. They tend to use a combination of security tokens, soft tokens, GPS location, and biometric data. Security tokens are physical objects used for identification, such as key fobs and ID badges. Soft tokens are generated by software that creates single-use PINs to identify users; this is usually done on a smartphone through an authenticator app. Location data may also be used for authentication: if you access your checking account from New York, it is impossible for you to access it from Nigeria twenty minutes later unless you have a portal gun. Biometric data consists of any feature that relates to your physical body.
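The single-use PINs that authenticator apps produce are time-based one-time passwords (TOTP, RFC 6238) built on the HMAC-based HOTP algorithm (RFC 4226). The block below is an added example, not code from this post: a minimal generator plus a server-side verifier that tolerates one 30-second step of clock skew, compares codes in constant time, and refuses a code that was already accepted. The secret is the published RFC test key, and the names `hotp`, `totp` and `verify_totp` are chosen here.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the 20-byte ASCII test key from RFC 4226 / RFC 6238,
# base32-encoded the way an authenticator app expects it from a provisioning QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to the
    number of `step`-second windows since the Unix epoch."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, candidate: str, at: Optional[int] = None,
                step: int = 30, window: int = 1, last_used: int = -1) -> Optional[int]:
    """Server-side check. Returns the matched counter, or None on failure.
    Accepts the current window plus `window` neighbours on each side (phone clocks drift),
    uses a constant-time comparison so timing does not leak how many digits matched,
    and rejects any counter at or below `last_used` so a code cannot be replayed.
    The caller must persist the returned counter as the new `last_used`."""
    t = int(time.time()) if at is None else at
    counter = t // step
    for k in range(-window, window + 1):
        c = counter + k
        if c > last_used and hmac.compare_digest(hotp(secret_b32, c), candidate):
            return c
    return None


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32))
```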

So, back to the example.com scenario: the attackers have your password, but if you have enabled MFA, they must now also acquire or monitor your cellphone, be within a certain radius of your last recorded access location, and have your fingerprint. Unless you are truly a high-profile target, attackers will move on to someone else.

Enabling MFA is now easier than ever! Companies like Google enable a form of 2FA by default, and many other organizations like Facebook, Microsoft, Amazon, Discord and GitHub allow MFA through their account settings. Once you have enabled MFA, you should be able to choose between receiving an SMS code or generating a temporary PIN with an authenticator app like Google Authenticator, LastPass Authenticator, Authy, or Duo Security.

So what are you waiting for? Enable MFA and tell cybercriminals “You shall not pass!”

2 thoughts on “A Brief Introduction to MFA”

  1. 2FA and MFA authentication are certainly a huge improvement over the traditional username-and-password-only authentication of the past, but you should be aware that the primary technique used to attack 2FA-protected sites is currently a phishing approach (an email is sent to the user with a link that acts as a go-between, passing all messages back and forth and recording user credential details).

    Whilst OTPs do expire after use, this “man in the middle” style attack can use the genuinely acquired access (via the user supplying all required details), then use that access to undermine the user’s security.

    1. Good point. This post is at the introductory level though. A more advanced post on MFA attacks was something that I’ve been meaning to cover for a while. I’ll probably do it at some point in the future. Thanks for your thoughts.
