What Is MFA and Why Do I Need It?
Multi-factor authentication (MFA), also known as two-factor authentication (2FA), is now the go-to solution for keeping your accounts safe, and for good reason. It feels like every week there’s another report of a data breach exposing thousands or millions of usernames and passwords. If you’ve ever reused a password, a single data breach can put multiple accounts in danger of unauthorized access. MFA helps keep accounts secure even if a password has been compromised.
How Does MFA Work?
MFA works by requiring a second form of authentication in addition to your username and password. This authentication comes in various forms, including email verification, text codes, authentication apps, and physical security tokens. Whatever the method, forcing a second step before access to an account is granted can block a criminal’s attempt to log in with compromised credentials.
Types of Authentication
- Email Verification—An email is sent to a designated email account with a code to be entered at the login screen. This method is better than no MFA, but is the least secure of the options. If you reuse passwords or your email is already compromised, bad actors can easily gain access to authentication codes sent through email.
- SMS Code—A numeric code is sent by text to your cellphone. This is better than email verification since it requires access to the phone assigned to your number, but savvy or determined criminals have been known to call cellular providers impersonating people in order to transfer a target’s phone number to a device they control.
- Authentication App—An application on your cellphone is paired to your account and generates a rotating numeric code. At login you enter the code currently shown in the app. Without that specific phone physically present, the account cannot be accessed.
- Hardware Token—A physical security token is plugged into the device attempting to log in to your account, and the token provides the authentication. A token can be removed and inserted into any compatible device, which gives more freedom than methods tied to a phone while providing a high level of security.
When Should You Enable MFA?
It’s a simple answer, but an important one. Any time an account offers MFA or 2FA security measures, use them. Far too often passwords are reused or not strong enough to withstand a brute force attack. Not enabling MFA is a security risk you can no longer afford.
The Inconvenience vs Security Equation
Cybersecurity must always strike a balance between efficient user experience and security. The more secure something is, the more hoops the user has to jump through to access the data. For a long time, passwords were considered a sufficient method of verification, but this is no longer enough. Cybercriminals buy and sell usernames and passwords every day, breaches expose millions of individuals’ personal and account information, and too many people use easily guessed passwords. The inconvenience of needing two forms of verification no longer outweighs the risk of account compromise and the damage that can cause.
What Is the Risk of Not Enabling MFA?
Besides the risks already discussed above, there is another major risk of not enabling MFA when it is available.
If you don’t turn MFA on, the criminals can.
A growing danger of account compromise is not merely the criminal using your account to send messages or purchase items on your dime, but that through enabling the MFA that you didn’t utilize, they can lock you out of your own account. Once bad actors gain control of your account and turn on MFA, your ability to regain access may be a long, involved process—if you can regain access at all.
MFA is meant to provide you with a second level of protection against criminals, but when the criminal enables MFA, that protection switches to them. Many companies will not allow any changes to an account without the one-time code generated by MFA, and if bad actors set up the MFA, that code will be beyond your reach.
You won’t be able to rely on other forms of verification either. Once inside your account, the criminal can change any form of communication, such as your email address, to their own. If you then attempt to gain access to your account, you will have no way of proving to the company that the account belongs to you. In some cases, the only solution is to create a new account.
What Should You Do?
The best way to avoid the danger of account compromise is to be proactive in its defense.
- Check if the site/service has MFA capabilities. While some companies inform their customers when they add MFA options, many do not. This is especially important on accounts not used frequently where an intrusion may not be noticed for a long time.
- Always enable MFA when it is offered. A small inconvenience now will save you from a big headache later.
- Close, or enable MFA on, accounts that you no longer use. Enabling MFA on a site you’re not using may seem superfluous, but just because you aren’t using it doesn’t mean someone else won’t.
Each time security experts create new ways to defend against cyberattack, criminals find new ways to bypass them, but MFA has an excellent track record for protection. Don’t give bad actors an easy opportunity. Enable MFA or the criminals will do it for you.