Many of us have often heard of “Multi-Factor” or “Two-Factor” Authentication. Multi-Factor Authentication is a great way to increase the security of your accounts. In short, Multi-Factor Authentication requires two (or more) steps to be taken to log into your account. Before discussing why it is a good security feature to enable, even though it increases the steps you need to take, let’s break down what exactly Multi-Factor Authentication is.

What is Authentication?

Authentication is different from Identification. Identification is, simply put, saying who you are. In terms of your account, this would be entering in your username or email when logging in. You claim to be that person. Of course, you could always lie and claim to be someone else, so how do we know that you are telling the truth?

This is where authentication comes into play. Authentication is proving that you are who you say you are. If you need to prove your identity to someone (say, for example, a bank), you can show them your license and other government-issued documents. When logging into your account, you use your password to authenticate yourself. In theory, you are the only one who should know your password. Sadly, this is not always the case. To help solve this issue, we have Multi-Factor Authentication.

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) works exactly as the name implies. Multiple factors are used to authenticate you when you try to log into your account.

A factor in authentication is a way of confirming your identity when you try to sign in. For example, a password is one kind of factor, it’s a thing you know. The three most common kinds of factors are: 

  • Something you know – Like a password, or a memorized PIN. 
  • Something you have – Like a smartphone, or a secure USB key. 
  • Something you are – Like a fingerprint, or facial recognition.
(Microsoft)

So, whenever you enable MFA on your account, you introduce another factor that needs to be provided when logging in. This can come in many different forms. Some websites or apps will send you a text message with a security PIN, give you a push notification on your phone, or even have you install a second app that generates a login code or notification when it is opened. To complete your authentication, you simply need to enter the code, press “Yes” on the “Are you trying to sign in?” notification, etc.

Why is Multi-Factor Authentication important?

Of course, MFA adds yet another step to logging into our accounts. So why would we want to pull out our phone and type in a short security code, or confirm that we are trying to log in, every time we sign in, when it just makes everything take longer? Security. MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database (CISA).

Say you work in an office. You write down your username and password on a sticky note and leave it on your desk (avoid doing this at all costs! It is not a secure means of storing your password!). If someone walks by and takes the sticky note, they can easily access your account. However, let’s say you enabled MFA. When they type in your username and password, you receive a text on your phone with the login security code. Now, they cannot log in to your account since they don’t have that code. Not only that, but you now know that someone tried to log into your account (which means you should change your password!).

Can’t they just guess the code? Sure, they could try, but codes are usually one-time use, randomly generated each time, and at least 4 to 6 digits long. There are 10,000 possible 4-digit codes and 1,000,000 possible 6-digit codes! Guessing the right one would take a lot of time, and that assumes they are even able to enter each guess.
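The properties named above (random, one-time use, 4 to 6 digits) and the caveat about being able to enter every guess can be seen in a small server-side sketch. This is an added Python example, not code from the original article; the class and function names, the three-attempt limit and the five-minute lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time


class OneTimeCodeChallenge:
    """Second factor for one login: random, single-use, short-lived, attempt-limited."""

    def __init__(self, digits=6, max_attempts=3, ttl_seconds=300, now=time.monotonic):
        self.max_attempts = max_attempts      # assumed limit, not from the article
        self._now = now                       # injectable clock so expiry can be tested
        self._expires = now() + ttl_seconds   # assumed lifetime, not from the article
        self._attempts = 0
        # secrets draws from the OS CSPRNG, so the next code cannot be predicted
        # from earlier ones; leading zeros are kept ("004217" is a valid code).
        self._code = f"{secrets.randbelow(10 ** digits):0{digits}d}"

    def code_for_delivery(self):
        """The value that would be sent to the user's phone."""
        return self._code

    def verify(self, guess):
        # A burned or expired challenge rejects everything, even the right code.
        if self._code is None or self._now() > self._expires:
            return False
        self._attempts += 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(guess.encode(), self._code.encode())
        if ok or self._attempts >= self.max_attempts:
            self._code = None  # one-time use: burn on success or on lockout
        return ok


def guess_success_probability(digits, attempts):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    space = 10 ** digits
    return min(attempts, space) / space


if __name__ == "__main__":
    for digits in (4, 6):
        p = guess_success_probability(digits, 3)
        print(f"{digits}-digit code, 3 guesses allowed: {p:.6%} chance of success")
    challenge = OneTimeCodeChallenge()
    sent = challenge.code_for_delivery()
    print("first use accepted:", challenge.verify(sent))
    print("replay accepted:   ", challenge.verify(sent))
```

With the attempt limit in place, the 10,000 or 1,000,000 possible codes matter far more than how fast someone can type, because only a handful of guesses are ever evaluated.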

So, make sure to enable MFA on your accounts, especially those that you want to keep extra secure (like your bank account). While it may cost you a few moments here and there to get and enter in the extra code, in the long run the benefit of increased security greatly outweighs this cost.

References & Further Reading

CISA. “Multi-Factor Authentication (MFA).” Cybersecurity and Infrastructure Security Agency (CISA), United States Government, https://www.cisa.gov/publication/multi-factor-authentication-mfa.

Microsoft. “Making Accounts More Secure with Multi-Factor Authentication.” Microsoft Support, https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661.
