Basics of Multi-Factor Authentication

Multi-factor authentication (sometimes called two-factor authentication or two-step authentication) provides an extra layer of protection for your online accounts. It is like having multiple locks of different types of the door to your house. Usually we have a lock that uses a key. To get into your house all you need is that physical key. This is convenient but what if a copy of that key is obtained by some less-than-honorable person? That person would be able to enter your home.

Enter multi-factor authentication, abbreviated as MFA.  Suppose that you now put a second lock on the door of your house. Only this lock does not use a key. It requires you to enter a code or series of numbers, or you need to use your fingerprint to open that second lock. The first ‘factor’ for entry to your home is your key. The second ‘factor’ is the code or fingerprint.  Now if that less-than-honorable person gets a copy of your key, they would not know your code or have your finger to press on the reader.

Now think about accessing your important online accounts. You probably have to enter your email address and your password. Your email address should be considered public, but you need to keep your password private. The problem is that we often use the same password on multiple sites. The odds are high that one or more of your passwords have been leaked from a site that has been hacked. Unless you have MFA on that account, the Bad Guy can log into that account with the leaked password. MFA would block this.

Multi-factor authentication is like that second lock on your house that requires a code or your fingerprint.

Background

MFA grew out of a need to provide a higher-level of protection for our logins.

Here’s a very simplified walkthrough of authentication. In the beginning (before the internet) there was trust and logging into a computer system only required a password. Technology advanced and people started using the internet. It was easy for Bad Guys to steal people’s passwords to access their personal information.

One of the first and best solutions to this problem was the development of MFA. The first time I saw MFA was in the early 1990’s. We started to think about the ‘factors’ necessary for authentication. The primary factors required for authentication were something the user knows (a password), something the user has (a key fob-like device with constantly changing numbers), and something the user is (biometrics, like a fingerprint or facial recognition).

The result of using MFA is a stronger and more secure method of authenticating to your online accounts.

Why you should use MFA

As alluded to earlier, it is not uncommon for credentials (usernames & passwords) for online accounts to be stolen, and sold or swapped by Bad Guys. Using stolen credentials, the Bad Guys can take over your accounts. They could then:

• Log in to your banking accounts and steal your hard-earned money
• Take over your cell phone number which is probably a recovery method for your online accounts
• Pretend to be you and file a fake tax return to steal your refunds
• And the list goes on and on…

MFA is a primary line of defense against the ability to use your stolen credentials.

How does MFA work?

There are several approaches to MFA but they all work similarly.

1. You go to the login page of the account you want to access
2. Enter your email address and password
3. The website then requires you to enter the second factor – code, fingerprint, face ID, ???
4. Access is granted if it all matches.

There are several ways to do that second authentication factor. This is usually defined by the system you want to login in to. 

1. SMS Text Message – It is not uncommon for MFA to be configured to send a SMS text message to your cell phone. In this case you would receive a message with a code after you enter your email address and password. Then you would enter that code where it is requested. Twitter used to use this for all users but now it’s only for paid users. I’ve got a credit card account that sends me a text message for MFA.
2. Email message – Similar to above, only the code is sent to your email instead of a text message on your phone. I’ve got one account that does this. The primary benefit is that the website does not have to pay for sending a large number of SMS text messages.
3. Authentication app – There are several apps that can be installed on your mobile phone to provide that MFA code. Some of the apps you may be able to use are Google Authenticator, Authy, or Microsoft Authenticator. In addition to those apps, it seems like every big company wants you to use their authentication app. Some of those are Salesforce, Thomson-Reuters, Duo and SecurID. Many times they are interchangeable.
4. Approve/Deny Authentication app – Microsoft and Google also offer a twist on MFA. Instead of having to get a code from the app, there is a pop-up where the user can approve or deny the login request. This simplifies the user experience but may introduce some other problems

Setup MFA for a Google account

What’s left? We need to see what it takes to enable MFA for an online account. For this example, we’ll enable MFA on one of my Google accounts. The concepts are very similar for enabling MFA for other accounts.

I’ll be using one of my gmail.com accounts to see how this is done.

First off, log into the gmail account that you want to enable MFA on.

Now find that “Manage your Google Account” link in the upper-right corner.

On the following page, select “Security” from the left side

…and scroll down until you see “2-Step Verification is off” under “How you sign in to Google”

Now you just follow the instructions from Google. You can have Google send the codes with a text message, phone call, using a security key, or with a Google Prompt on your phone where you can just tap Yes to sign in.

You really should take the time to enable MFA on every one of your accounts that supports it.