Secure Your Accounts with Multi-Factor Authentication

You're just about finished with your presentation and, minutes before the big meeting, rush to sign in to an app to access one last piece of critical info. You bang in your password and anxiously await the familiar home screen, only to be prompted for a 6-digit code. This repeated annoyance probably gives you an outsized appreciation for all the things you can log into with just a password. But like many aspects of cyber-security, convenience comes at a steep cost.


These increasingly ubiquitous SMS codes are one form of Multi-Factor Authentication (MFA). The closely related term Two-Factor Authentication (2FA) names the most common case, exactly two factors, so every 2FA setup is MFA but not the other way around. It can be irritating, but it's one of the most effective tools we have to prevent account takeover. A good password is important, but even the best can be stolen: leaked in a data breach, typed into a phishing site, or captured by malware that records keystrokes as you type. Without MFA, a password is all an attacker needs.

With MFA, the chances of a successful attack drop dramatically, since an attacker needs both your password and access to a One-Time Password (OTP) that expires after a short time. Some compare it to the deadbolt on your front door. Sure, the door's lock should be enough, but you can't pick a lock that can only be opened from the inside. Of course, a burglar has other options (use a crowbar, break a window, come during the day when the deadbolt is unlatched), and there are even more reliable home security measures; the same is true of MFA.

The four most common forms of Multi-Factor Authentication are:

  • Email – Sends a code to your email address

  • Text Message/Phone Call – Sends a code to your phone via SMS or an automated phone call

  • Authentication App – A code generated on your phone by an app such as Authy, Google Authenticator, Okta Verify, or OneLogin Protect

  • Hardware Token – A code generated by a physical device such as a YubiKey

Each of these methods delivers a One-Time Password (OTP), but they are not equally effective. Email is the weakest: if an attacker has your password, there is a fair chance they have your email password too (people reuse them), and then the code lands in an inbox they already control. Text/phone is better, because the code goes only to the phone holding your SIM card, but phone numbers can be hijacked: an attacker can talk your carrier into moving your number to a SIM they control (SIM swapping) or, with more effort, intercept the message inside the phone network. Authentication apps are stronger still. During setup the service and the app share a secret that never leaves the phone afterwards, and the app computes each code locally from that secret and the current time, so there is no message in transit to intercept and no second account to break into. Hardware tokens are the most effective: the secret lives in a tamper-resistant chip that can't be copied, so an attacker needs the physical device in hand. Even a hardware token that generates OTPs isn't 100% effective, since a convincing phishing page can trick you into typing the code into the attacker's site, which relays it to the real one before it expires. The phishing-resistant option is the FIDO2/WebAuthn mode offered by keys such as the YubiKey, where the key signs a challenge bound to the site's real domain instead of producing a code you could be tricked into handing over. Vendors are also combining methods with other available signals (think of a credit card company using algorithms to flag fraudulent transactions), and these tools will only get stronger.

For now, all you need to know is that some MFA is better than no MFA. From there, we'd recommend at least opting for an authentication app instead of the basic SMS codes. A good way to ease the burden on your users is to integrate as many of your company apps as possible with Single Sign-On (SSO), so the experience across different apps is consistent and simple. OneLogin, our preferred SSO provider, has its own authentication app that lets you approve a login with one tap on your phone, with no code to copy. One caveat with one-tap approvals: an attacker who already has the password can trigger prompt after prompt until a tired user taps approve, so train users to deny any prompt they did not initiate and, where the provider offers it, use the mode that makes the user confirm a number shown on the login screen.

This simple, added protection can stop bad actors dead in their tracks and limit the fallout from data breaches, weak passwords, and password reuse. If you have questions about how to implement MFA for your services, reach out to Kinetix for more info.