What exactly is Multi-factor authentication?
MFA is a security measure that requires users to provide multiple forms of identification to prove their identity and access an account or system. This adds an extra layer of protection against unauthorised access and helps keep user data safe.
Many people will already be aware of two-factor authentication (2FA). This is a type of MFA and specifically refers to authentication where two forms of identification are needed.
Although MFA (and 2FA) add extra steps to the process of logging in to accounts, the security benefits are well worth the effort. Even if an attacker has someone’s password, with MFA in place the attacker cannot access the account with the password alone.
What types of MFA are available?
There are several types of MFA options available that include the following:
- SMS codes: with SMS authentication, a verification code is sent to the user's mobile phone via text message. The user then enters the code on the website or app to gain access. This is one of the most common forms of two-step verification, but it's also one of the least secure. Hackers can intercept SMS messages or use phishing techniques to trick users into giving away their verification code.
- Push notifications: This involves receiving a notification on a trusted device, such as a smartphone or tablet, and confirming the login attempt with a simple tap or swipe.
- Authenticator applications: An authenticator app generates a unique code that users must enter to access their account. This code changes every few seconds, making it more difficult for hackers to intercept or use a stolen code. Authenticator apps like Google Authenticator and Authy are considered more secure than SMS authentication because the code is generated locally on the user's device and not sent over the internet.
- Hardware tokens: these are physical devices that users plug into their computer or mobile device to authenticate their account. This is considered to be one of the most secure options because it's almost impossible for hackers to intercept or duplicate the key. Physical security keys, such as YubiKey, are becoming more popular with high-security accounts like banking and government.
- Smart cards: these are similar to hardware tokens. The cards are inserted into a reader to generate a unique code.
- Biometric verification: biometric verification uses the user's physical characteristics, such as their fingerprint or face, to authenticate their account. This is becoming more common on mobile devices and is considered more secure than traditional passwords. However, biometric verification can still be vulnerable to hacking or spoofing.
- Location-based authentication: this involves using the physical location of a user’s device to authenticate their identity, such as through GPS or IP-address tracking.
Which types offer the best security?
In general, the most secure verification options are the physical security keys and authenticator apps because they don't rely on the internet or mobile networks to generate codes. It's important for users to choose a verification option that's appropriate for their level of security needs.
When should you be using MFA?
- Online banking
- Email clients (e.g. Gmail, Yahoo, Hotmail, etc.)
- Online store websites
- Social Media (e.g. Facebook, Snapchat, etc.)
- Any other sites that contain information that you would not want a stranger knowing
This page was last reviewed 01/03/2023