There is a hacker attack every 39 seconds. With that continuous barrage, it's only a matter of time before non-secure usernames and passwords are hacked.
Multi-factor authentication is a formidable extra line of security you can use to further protect your accounts.
Our mini guide tells you everything you need to know about multi-factor authentication and why you should be using it.
What is multi-factor authentication?
Multi-factor authentication (MFA) is the requirement of extra forms of verification before allowing access to an account. Where traditionally we would log in to most online services with a password, using MFA means having to input more information or take an action. This could be entering a code sent to your phone or a fingerprint scan.
The multiple factors of authentication are protection against one of the factors being compromised. So if your password gets hacked, the attacker would still need the extra factors to gain access to your account.
How does multi-factor authentication work?
The factors of authentication are split into 3 different groups. When using MFA you should pick at least two factors from two or three different groups.
What you know
This is the most common form of authentication. It is something that you will know. It includes passwords, PIN codes and memorable words. Banks have been using more than one of these forms of authentication for a long time.
On their own, they offer a good level of security but when using MFA you shouldn't only use factors from this group. These types of authentication can all be discovered or stolen.
What you have
These are physical objects that can be used for additional authentication. The most popular is a code sent to your mobile phone. Other examples include key fobs and smart cards.
The chances of your password being hacked and your phone being stolen by the same person are extremely low. Cash machines use a bank card and a PIN as MFA. Someone can gain access to your PIN but if they don't have your card they can't withdraw money (and vice versa).
By picking a factor from this group and the 'what you know' group you are greatly increasing the security of your accounts.
What you are
This factor is something physical about you. The most common is a fingerprint scanner, now found on most smartphones. It also includes facial recognition (also common in new phones), voice recognition and any other type of biometrics.
The premise behind this group is simple. Someone might get access to your password but it will take a lot to get access to your fingerprints! (And there is a good chance you might notice that!)
What is two-factor authentication?
Two-factor authentication is a common form of MFA where only two credentials are required. Multi-factor authentication requires a number of factors.
Why you should use multi-factor authentication
Stolen or hacked credentials are used in 95 per cent of all web application attacks. Using the same password (or slight variations of it) on multiple accounts can put you at risk. If one of those accounts is breached, then the hackers will know your password. If that password is used on all your other accounts then they can gain access to them all just from one breach.
Multi-factor authentication is protection against a breach of your password. By requiring at least one more form of authentication it is much harder for criminals to gain access to your accounts.
When to use multi-factor authentication
If you are using passwords or something similar like PIN codes to secure an account then you should be using MFA as well. Even if you are using a password manager, the additional security MFA offers makes it almost impossible for someone to gain access to your account.
Inside a business, MFA is even more important. There are countless examples where a password can be compromised. How many times has a password been sent in an email or text message? Walk into most offices and you are still likely to see passwords written on post-it notes stuck to a monitor.
As a business and personally, you should strongly consider whether to use any service which only offers single-factor authentication.
Multi-factor authentication examples
There are many multi-factor authentication services available, such as Duo, Authy and Google's version. If you want ideas of how you can use MFA yourself, here are some examples you might want to use. You might even be using some of these already without realising they are a form of MFA.
- Codes generated by smartphone apps
- Badges, USB devices, or other physical devices
- Soft tokens, certificates
- Codes sent to an email address
- Facial recognition
- Retina or iris scanning
- Behavioural analysis
- Risk score
- Answers to personal security questions
The installation of multi-factor authentication to online services within your business might require your IT helpdesk. We have worked with many of our clients already to set up MFA for their services.
There are other factors to consider once MFA has been set up within your business. You will need to consider how your account reset and multi-factor token replacement processes verify that the user is who they say they are. You will also need to know how administrators can gain access to a service if MFA becomes unavailable for any reason.
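The check below is an added example, not part of the original guide. It audits a constructed account inventory against the rule that login factors should come from at least two of the three groups, and, as this example's own assumption, flags a reset process that verifies fewer groups than login does. The method names and record layout are illustrative.

```python
from enum import Enum


class Group(Enum):
    KNOW = "what you know"
    HAVE = "what you have"
    ARE = "what you are"


# Methods grouped as the guide groups them; the key names are this example's own.
FACTOR_GROUP = {
    "password": Group.KNOW, "pin": Group.KNOW, "memorable_word": Group.KNOW,
    "phone_code": Group.HAVE, "key_fob": Group.HAVE,
    "smart_card": Group.HAVE, "bank_card": Group.HAVE,
    "fingerprint": Group.ARE, "face": Group.ARE, "voice": Group.ARE,
}


def groups_covered(factors):
    """Distinct groups behind a list of methods; unclassified methods raise."""
    unknown = sorted(f for f in set(factors) if f not in FACTOR_GROUP)
    if unknown:
        raise ValueError(f"unclassified methods: {unknown}")
    return {FACTOR_GROUP[f] for f in factors}


def audit(account):
    """Return the findings for one account record (login and reset factors)."""
    findings = []
    login = groups_covered(account["login"])
    reset = groups_covered(account["reset"])
    if len(account["login"]) < 2:
        findings.append("single-factor login")
    elif len(login) < 2:
        findings.append("several login factors, but all from one group")
    # Assumption of this example: a reset path that checks fewer groups than
    # login is the easier way in, so it is reported.
    if len(reset) < len(login):
        findings.append("reset checks fewer groups than login")
    return findings


# Constructed sample inventory, not real accounts.
ACCOUNTS = [
    {"name": "cash-machine", "login": ["bank_card", "pin"], "reset": ["bank_card", "memorable_word"]},
    {"name": "old-banking", "login": ["password", "memorable_word"], "reset": ["memorable_word"]},
    {"name": "crm", "login": ["password", "phone_code"], "reset": ["memorable_word"]},
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["name"], audit(acct) or ["ok"])
```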