Talking about authentication just isn’t complete without mentioning 2-Factor Authentication (2FA) and Multi-Factor Authentication (MFA). Judging from the piling evidence of data breaches and weak password tendencies, using just a password as your only line of defense seems… risky. Let’s dive into what 2FA and MFA refers to when it comes to authentication.
What is the Difference between 2FA and MFA
2FA and MFA are sometimes used interchangeably. A simple answer is 2FA involves having two factors for authentication, whereas MFA involves having two or more factors. This would make 2FA a subset of MFA.
Another distinction that could be made is the number of unique factors used for authentication. Some MFA utilizes at least two unique factors, such as going to the ATM and accessing an account with your bank card and PIN. A naive MFA is one that uses two or more factors of the same type. Although uncommon, sometimes people refer to 2FA as naive MFA, whereas MFA always means 2 or more unique factors of authentication.
Factors of Authentication
Factors of authentication refer to different ways to provide evidence of authenticity. When verifying an identity (such as a user name), you also require something that proves you are that identity or have some relationship with that identity (such as a password).
Unique factors of authentication include:
Something you know: Such as a password or PIN.
Something you have: Such as a bank card or USB key.
Something you are: Biometric data such as fingerprints or retina scan.
Examples of Multi-Factor Authentication
Most people have probably encountered ‘secret questions’ during account creation. This is a form of naive MFA, and it essentially requires 2 or more passwords, as the secret questions act as additional passwords. Even worse are those older websites that utilize secret passwords as their ‘I forgot my password’ mechanism, since this allows people to bypass your (usually) stronger password by answering a few basic questions. These questions could be easily guessed, such as what is your hometown, if the person targeting you is someone that knows you.
Another common MFA is when they send a second password to your email account or cell phone. While this may seem like something you have, it still just gives you a second password to input. What’s worse is that if somebody has access to your email account or cell phone (see SIM swapping), they can simply reset your password. This means that they only needed one factor to authenticate (the password to your email, or having your cell phone/SIM), which lets them bypass the password to connected accounts. That’s why securing your main account is so important!
The most effective forms of MFA use 2 or more unique factors. For example, utilizing a USB key (something you have, such as a Yubikey) as well as your password to authenticate. In this case, you must have the physical USB key to plug into your device on top of a password in order to authenticate into an account. An example of something you are is utilizing fingerprint scans or retina scans along with a password to authenticate. Some cell phones allow you to set both a PIN and a fingerprint in order to unlock it.
Always Enable MFA
If available, you should always enable MFA for your important accounts. Nowadays, having just a password to access your account just isn’t enough, as you’ll never know when your passwords will be compromised in a data breach. MFA will secure you against the majority of password brute force attacks. Even if your password is correctly guessed, they would still need the second factor in order to access your account. A lot of the time you would also get notification of the login, which is a good indicator to quickly update your password.
Unfortunately, despite the benefits of MFA, it is not as widely adopted as it should be. For one, it is almost never mandatory. In some cases it’s fairly tricky to set up. Also, MFA using a separate email account or your cell phone are known to be vulnerable. Your email account can be compromised, and there have been many cases of SIM swapping; these bad actors can bypass these forms of MFA while being remote from you if they have a reason to target you specifically. Secure yourself from SIM swapping by talking to your provider, and use MFA on your main account that has access to all of your other accounts.