Everything You Need to Know About Multi-Factor Authentication


With business email compromise and ransomware attacks on the rise, it is becoming increasingly important to ensure you are keeping your personal information and your credentials safe from threat actors out in cyberspace.  One such way you can improve your cyber hygiene is to turn on multi-factor authentication in the various applications and websites you visit. 

More and more businesses and their websites offer this capability as an additional measure to safeguard your personal and private information. In most cases, one must opt into the service if the site provides it.

How does multi-factor authentication work? 

The premise behind this capability is that it is another piece of information required to access your data. Websites that contain your personal data are typical targets, with banking, technology, and social media accounts at the top of the list. Security best practices talk about three-factor authentication. Those three factors are something you know, something you have, and something you are. An increasing number of websites are implementing two-factor authentication (2FA) that taps into the something you have and something you know aspects of multi-factor authentication (MFA).

What multi-factor applications exist? 

There are several multi-factor authentication applications available, including Microsoft Authenticator as well as Google Authenticator for iPhone and Android users. These are applications that you download and install on your mobile phone. These applications scan a QR code on the site that you are attempting to use MFA on. This QR code is a complex key tied to that site. Upon scanning the code, the authenticator app on your phone starts producing 6-digit numbers, which change after a predetermined amount of time.

Because the numbers are randomly generated on a device you have (your mobile phone), it makes it that much more complicated for the threat actor to try and utilize your stolen credentials to log in and gain access to your information. 

Other means to accomplish the same thing 

Other forms of this process have been implemented where some companies’ websites will send you an SMS text message or an email with a code that you must enter to gain access.  The email method is the least secure as all it takes is for the threat actor to log in to your compromised account and change the email address where the codes are sent. 

Many of the high-profile attacks that have taken place lately involve the use of stolen credentials for a website that was not appropriately protected with multi-factor authentication.  MFA is one of the simplest ways to protect your personally identifiable information from being stolen and sold on the dark web to be used in other nefarious ways.  

It’s not if, but when this happens to you.  

It is not a matter of if, it's a matter of when a site has a cyber breach and some or all of your user data is exposed in that breach; you want to make sure you are protected the best way you can. That includes not using the same password for all your online website logins and implementing multi-factor authentication on the sites you use. If you are using a website that does not offer this service, you should consider how much of your personal information you leave on that site.

Is multi-factor 100% guaranteed to work? 

No single process or tool will be 100% effective at stopping a threat actor from stealing your information. These tools can still be compromised by what is called a man-in-the-middle attack, where the threat actor uses something like a trojan that may exist on the system used to log in with 2FA. The threat actor could intercept that traffic and generate their own code to access the protected system.

The process just described is complex and involves several complicated steps.  In most cases, the use of multi-factor authentication technology is a prudent defense against threat actors being able to compromise your information.  Typically, the threat actor moves on to the next site or next computer connected to the Internet to gain access. 

If you haven’t turned on multi-factor authentication, and it is available to you on the websites you use, we recommend you do so to ensure the best protection for you and your business's private information.