Jamf Blog
January 31, 2024 by Braden Newell

The importance of multifactor authentication

Enabling multifactor authentication (MFA) is a great way to defend your account against attackers. Read this blog to learn what MFA is and why it's important.

It feels like every day, a leaked password causes another compromised account. Understandably, the security community puts a lot of energy into encouraging users to create long, unique passwords. Strong passwords are one of the easiest ways to dramatically improve one's security posture. The tricky part is that passwords can be leaked, phished or stolen in other ways, resulting in an account becoming compromised long before the user realizes it.

Multifactor authentication (MFA), sometimes called two-factor authentication (2FA), is a relatively simple and effective way to prevent a compromised password from granting a malicious actor access to an account. Yet why do so many accounts fail to have MFA enabled?

  • Some services don’t yet support MFA in any form.
  • The user doesn’t know the platform supports MFA.
  • The user dismissed setting up MFA because they don’t believe they will be compromised.
  • The user doesn’t want to jump through authentication hoops.
  • The user doesn’t understand the risk of leaving MFA disabled.

So, let's address this last point and improve the general understanding of MFA by exploring authentication factors and the difference between the various types of MFA. By doing so, we may discover how quick and easy MFA is to implement and use so that complacency and convenience aren't excuses for not enabling it.

Factors of authentication

Before breaking down multifactor authentication, we need to cover the various authentication factors. Many of us are used to just entering a password to authenticate ourselves with a website or service. A password is the most common form of authentication, but it is far from the only one.

There are three factors of authentication:

  • Something you know, like a password, passcode or the answer to a security question
  • Something you have, like an app on your phone, a physical security key or a smart card
  • Something you are, a biometric like your fingerprint, face or eyes

What is the difference between MFA, 2SV and 2FA?

Multifactor authentication (MFA) is the general term for any authentication process that requires two or more factors of authentication to access a service.

Two-step verification (2SV) is not generally a type of MFA, since it refers to using two instances of the same authentication factor. Think of a password and a security question (two things you know), or a fingerprint and facial scan (two things you are).

Two-factor authentication (2FA) is a subset of MFA and likely the one you're most familiar with. 2FA differs from 2SV by requiring two different factors of authentication. 2FA is commonly a password (something you know) and a randomly generated code from a text message or time-based one-time password (TOTP) app (something you have). As another example, 2FA could be a biometric (something you are) combined with a smart card (something you have).

SMS or TOTP?

While there are many combinations of multifactor authentication, the one we focus on in this post is a password plus a randomly generated six-digit code, since that's the most common form of MFA in use today. These randomly generated six-digit codes — one-time passwords (OTP) — are delivered via email, SMS messages or TOTP apps, also known as authenticator apps. An example of an authenticator app is Microsoft Authenticator, which can be used when logging into your Microsoft account.

Just as it sounds, SMS messages are sent to your mobile phone number like any other text message, giving you a convenient way to get your OTP. But this isn’t 100% secure — attackers use social engineering tactics to trick users into giving them their OTP. Though less common, phone numbers can even become compromised through "SIM swap" attacks, where an attacker tricks a mobile provider into porting a phone number over to a SIM card in their possession, effectively letting the attacker receive the target's messages and impersonate them to any service that trusts that phone number.

Therefore, TOTP apps are a more secure option than SMS-delivered OTPs, since they cannot be so easily compromised. TOTP apps generate a random six-digit code every thirty seconds, which you read from the app whenever you need to authenticate.

When deciding between SMS and TOTP apps, always go for the app where possible. TOTP apps are the more secure option and are easier to share securely if you are working with a team and using a password manager. However, if TOTP apps are not supported by a particular service and SMS codes are, use SMS — some form of MFA is always better than none.

How do I get started with MFA?

Many common applications support MFA of some kind. If it isn’t currently enabled, consider enabling it in these commonly used accounts:

For accounts not listed above, consider looking in your account settings to see if MFA is an option.

Key takeaways

  • MFA uses two different factors: something you know, have or are.
  • MFA is a great way to add a layer of security to your accounts.
  • If available, using a TOTP or authenticator app is more secure than using text messaging.
  • To get started, go through your account settings to see if MFA is available.
Braden Newell, Learning Experience Designer, Security.