How does MFA work?
If you have MFA set up for a given account (website, application or device), then when you log in with your username and password, that account's server will ask for a second, independent form of authentication before it actually lets you into the system. It’s kind of like when you open a bank account and they ask to see a picture ID and some other form of identification, like your social security card or a passport. It’s much harder to pretend you are someone you’re not when you have to prove who you are in two different ways!
Multifactor Authentication Methods
- Mobile device application “Push” method
The most popular way to get that second form of authentication is through a “push” to an application on your mobile device. There are a variety of authenticator apps that are free and easy to set up and even easier to use for authentication.
With this method, the account server that you are trying to log into will send a “push” to your mobile device. This push is a notification that pops up on your mobile device and says something along the lines of, “Hey, someone’s trying to log in to this website, is it you? Should we let them in?” If you hit yes, you’re in. But if you didn’t make the original login request, you know that someone has your password and is trying to log in to your account. You can hit the “No” button and their access will be denied. You can then go log in yourself and change your password so that the attacker is back to square one. It’s simple, yet extremely effective security.
- Mobile device application code method
Sometimes the account server won’t send you a push but will instead ask you to type in a unique code that is generated by the authenticator app on your mobile device. These codes are short (maybe 6 digits), so it may seem like they are not very secure. The cool thing is that the codes are re-generated every minute or so, and they are based on an algorithm and a secret known only to your authenticator app and the account server you’re trying to connect to. It would be extremely difficult for a cybercriminal to guess the right 6-digit code under those circumstances, since the timeframe is so short. Usually this method is also offered as a backup to the push method. Most authenticator apps support both methods.
- SMS Code Method
This method also uses your mobile device but it doesn’t use an application. Therefore, it works with non-smartphones. If you set up this method of MFA, when you log in with your username and password, the account server will send your mobile phone a text message with a one-time code. You will then type that code into the website or device portal where you entered your password.
- Email Code Method
This method works very much like the SMS code method except that the code is sent to an e-mail account that you have pre-communicated with the account server you are trying to access. You will most often set this up when you register for the multifactor service you are using.
If you’re going to use this kind of MFA, you need to make sure that your email account itself is secure, which probably means that you should have MFA enabled for access to the e-mail account in question. The reason is that e-mail can be checked from anywhere, including the same computer terminal where the cybercriminal is trying to log in to your account. In other words, this method does not require physical access to any independent device. That’s why you should have a strong password for your e-mail that isn’t used anywhere else. If you do that, then this method would essentially require the attacker to know two of your passwords.
- Physical Token / Hardware Tokens
This method used to be more popular before the advent of smartphones. A physical “token” is a small device that continuously generates codes in the same way that an authenticator app on your mobile device would. It works just as well, but it has the added downside that you have to keep track of this other device.
- Biometric 2FA
In biometric verification, the user becomes the token. A user’s face, fingerprint, retina, or voice can become the 2FA token needed to prove their identity and gain access to their account.
When should I use MFA?
You should use MFA whenever possible, especially when it comes to your most sensitive data—like your primary email, your financial accounts, and your health records. While some organizations require you to use MFA, many offer it as an extra option that you can enable—but you must take the initiative to turn it on. Furthermore, if a business you interact with regularly, say your health organization, wants to provide you with convenient online access to health records, test results, and invoices, but only offers a password as a way to protect that data, consider saying: ‘no thanks, not until you provide MFA to secure my information.’
What does an MFA login include?
A typical MFA login would require the user to present some combination of the following:
- Something you know: like a password, Personal Identification Number (PIN), or answers to security questions
- Something you have: like a smart card, mobile token, or hardware token
- Something you are: a form of biometric factor (e.g., fingerprint, voice recognition)
What Does 2FA Mean?
Two-factor authentication can be used to strengthen the security of a phone, an online account, or even a door. It works by demanding two types of information from the user — the first factor is usually a password or personal identification number (PIN), while the second factor could be a fingerprint or a one-time code sent to your phone.
What Is a Two-Factor Authentication Code?
A two-factor authentication code is a one-time code generated to prove a user’s identity when they try to access an online account or system. The code would be sent via text message or by an automated phone call to a phone number associated with the user. Upon entering the two-factor authentication code, the user gains access to their online account. These codes often expire after a short amount of time if not used.
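The SMS and phone-call codes described in the SMS Code Method section and in the paragraph above are not computed from a shared secret like authenticator-app codes; the server generates a random code, delivers it out of band, and must then enforce the properties the text mentions (the code expires after a short time, and it is valid once). The following is an added example (not code from the original page or from OSU) of the server-side bookkeeping for such codes; the 5-minute lifetime, the 5-attempt limit, the class and method names, and the injected clock used for testing are this example's own assumptions.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional

CODE_TTL_SECONDS = 300     # assumed: code is useless five minutes after issue
MAX_ATTEMPTS = 5           # assumed: cap on wrong guesses per issued code


class OneTimeCodeStore:
    """Issues and verifies delivered one-time codes (SMS, voice call, e-mail).

    Each code is random, bound to one user, expires, is consumed on first
    successful use, and tolerates only a few wrong guesses, so an attacker
    who sees the login form but not the phone gains nothing from retrying.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                           # injectable clock for tests
        self._pending: Dict[str, List] = {}       # user -> [code, expires_at, attempts]

    def issue(self, user: str, digits: int = 6) -> str:
        """Create a fresh code for `user`; the caller hands it to the SMS/e-mail gateway."""
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        # Re-issuing replaces any earlier code, so only one is ever valid.
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Return True exactly once per issued code, and only before it expires."""
        entry: Optional[List] = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts = entry
        if self._now() > expires_at:
            del self._pending[user]               # expired: discard, user must request a new one
            return False
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user]               # too many guesses: invalidate the code
            return False
        entry[2] = attempts + 1
        if hmac.compare_digest(code, submitted):  # constant-time compare
            del self._pending[user]               # single use: consumed on success
            return True
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("delivered code (normally sent by SMS):", code)
    print("first use:", store.verify("alice", code))    # True
    print("replayed use:", store.verify("alice", code)) # False, already consumed
```

Deleting the entry on success is what makes the code "one-time"; the expiry check is what limits the window in which an intercepted message is useful, which is also why the lifetime should be short. Note that nothing here protects against the delivery channel itself being redirected, which is the weakness of SMS delivery the page raises later.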
Benefits of Two-Factor Authentication
2FA delivers an extra layer of protection for users because a username and password are simply no longer enough.
Introducing non-password-dependent two-factor authentication greatly enhances security and reduces the risk of identity theft.
For companies, two-factor authentication can also help reduce IT costs. Password reset is one of the most common reasons people call helpdesks.
Can Two-Factor Authentication Be Hacked?
Although it is possible for two-factor authentication to be hacked, the odds are very low, and 2FA is certainly the best practice when it comes to keeping accounts and systems secure. One way two-factor authentication can be hacked is through the SMS method – in other words, the method by which a one-time-use code is sent to a user’s phone number via SMS or an automated phone call.
Source: OSU