What Is MFA and Why Do I Need It?
Multi-factor authentication (MFA), also known as two-factor authentication (2FA), is now the industry-standard solution for keeping your accounts safe—and for good reason. It feels like every week there’s another report of a data breach exposing thousands or millions of usernames, passwords, and other personal identifiable information (PII).
Verizon reports that 80% of security breaches involve compromised credentials, which means there’s still a long way to go in businesses adopting this essential security tool. If you’ve ever reused a password, multiple accounts could be in danger of unauthorized access from a single data breach. MFA helps keep accounts secure even if a password has been compromised.
What Is MFA or 2FA?
- Something you know—like a username or password
- Something you have—verification codes sent to email accounts, authenticator apps, or physical devices like smartphones and security tokens
- Something you are—biometric authenticators like fingerprints, eye scans, or FaceID
What Are Types of MFA Authentication?
Email VerificationAn email is sent to a designated email account with a code to be entered at the login screen. This method is better than no MFA at all, but is the least secure of the options for authentication. If you reuse passwords or your email is already compromised, bad actors can easily gain access to authentication codes sent through email.
SMS CodeA numeric code is sent by text to your cellphone. This is better than email verification since it requires access to the phone assigned to your number, but it isn’t the best option, either. By impersonating their targets, savvy criminals can convince cellular providers to transfer a target’s phone number to a device they control.
Authentication AppAn application on your cellphone is paired to your account and the app generates rotating numeric codes. At login you enter the current code on the app. Without that specific phone physically present, the account cannot be accessed.
Hardware TokenA physical security token is plugged into the device attempting to log in to your account, and the token provides the authentication. A security token can be removed and inserted into any compatible device, allowing more freedom than authentication methods tied to a phone, as well as a high level of security.
BiometricsFingerprint scans, retina scans, and FaceID are all biometric indicators used to authenticate devices we use every day. This also includes behavioral biometrics like mouse movement patterns and keyboard pressure or pauses, and passive biometrics like AI detection that doesn’t require any authentication event (like entering a code or scanning a fingerprint) on the part of the user.
What Is the Risk of Not Enabling MFA?
Keeping your accounts secure is an important part of modern business cybersecurity, so when is the best time to enable MFA?
It’s a simple answer, but an important one. Any time an account offers MFA or 2FA security measures, use them. Far too often passwords are reused or not strong enough to withstand a brute force attack. Not enabling MFA is a security risk you can no longer afford, and that inaction opens your business up to unnecessary risk.
If you don’t turn MFA on, the criminals can and will.
A growing danger of account compromise is not merely the criminal using your account to send messages or purchase items on your dime, but that through enabling the MFA that you didn’t utilize yourself, they can lock you out of your own account. Once bad actors gain control of your account and turn on MFA, your ability to regain access may be a long, involved process—if you can regain access at all.
MFA is meant to provide you with a second level of protection against criminals, but if a criminal enables MFA, that protection switches to them. Many companies won’t allow any changes to an account without the one-time code generated by MFA, and if bad actors set up the MFA, that code will be beyond your reach.
Similarly, criminals that take advantage of subpar MFA by hijacking your phone number or accessing an already compromised email account can receive the needed MFA codes. Once inside, they can change the MFA settings to their control and lock you out
You won’t be able to rely on other forms of verification to regain control, either. Criminals in a breached account can change any form of communication or identifiable information, such as your email address or phone number, to their own. If you then attempt to gain access to your account, you will have no way of proving to the company that the account belongs to you. In some cases, the only solution is to create a new account.
Is MFA Inconvenient to Use?
Cybersecurity must always strike a balance between efficient user experience and security. The more secure something is, the more hoops the user has to jump through to access the data. For a long time, passwords were considered a sufficient method of verification, but they are no longer enough. Cybercriminals buy and sell usernames and passwords every day, breaches expose millions of individuals’ PII and account information, and too many people use easily guessed passwords.
The inconvenience of needing two forms of verification no longer outweighs the risk of account compromise and the damage that it can cause. Cybersecurity researchers continue to develop new ways to eliminate the need for passwords and for more secure methods, making MFA smoother and more efficient to adopt. Circumvent the hassle of implementing this essential security tool by choosing software and services with authentication standards that connect to a user’s workstation rather than simply requiring a secondary device.
What Should You Do?
The best way to avoid the danger of account compromise is to be proactive in its defense.
Check if the site or service has MFA capabilities.
While some companies inform their customers when they add MFA options, many do not. This is especially important on accounts not used frequently where an intrusion may not be noticed for a long time.
Always enable MFA when it is offered.
A small inconvenience now will have you from a much bigger headache later.
Close or enable MFA on accounts that you no longer use.
It may seem superfluous to enable MFA if you’re not using a site, but just because you aren’t using it, doesn’t mean someone else won’t.
Use enterprise-grade password management and authenticator applications, like Duo.
Password managers with built-in MFA compatibility allow you to centralize your authenticator codes, making it so that cybercriminal would have to gain access to your ultra-secure password manager account before ever being able to access any of your other accounts.
Every time security experts create new ways to defend against cyberattack, criminals find new ways to bypass them, but MFA has an excellent track record for protection. Don’t give bad actors an easy opportunity. Enable MFA or the criminals will do it for you.