Use MFA/2FA everywhere it is possible to do so. It is one of the best ways to prevent account compromise
If your only devices are supplied by an organisation, implementation of MFA/2FA will be undertaken by it but much of the detail below is applicable to your personal devices and accounts
What is MFA/2FA and why should I use it
The basis of MFA/2FA (Multi-factor Authentication / 2-factor Authentication) is having the need of a second factor to authenticate, so just having (e.g.) a username and password is not sufficient
To authenticate using MFA/2FA, one needs two out of three of the following:
Something You Know
Something You Have
Something You Are
Before we dive too deeply into that, let’s take half a step back and look at all the options of authentication because there are two more (less secure) options. Here they all are:
SFA / 2SV / 2FA / MFA
SFA: Single-factor authentication
Typical: a password. This is Something You Know
(No, a username and a password aren’t two factors, just one. They are just two versions of Something You Know )
2SV: 2-step verification
Typical: a password and then a code received via SMS, or a phone call, or an email with a link to confirm
(Again, this is not 2FA as none of these are Something You Have - they are something you are being given and then they become Something You Know)
2FA: 2-factor authentication
Typical: a password and the use of an authentication app
MFA: Multi-factor authentication
What’s the difference between MFA and 2FA? Not much. There seem to be differences of opinion on this with some saying it is the requirement of an additional verification method (3FA anyone?) such as biometrics or location (Somewhere You Are ) and you’ll find a lot of opinions describing 2SV as 2FA and 2FA as MFA
We view MFA as giving the option of using different second factors instead of dictating the type of secondary authentication. So for instance, one system may offer 2FA by means of an authenticator app, but only that, while another may offer MFA in the form of an authenticator app or facial recognition or a hardware security key
Let’s revisit our forms of authentication:
1 Something You Know
Typical: a password
2 Something You Have
Typical: a code from an authenticator app or the use of a hardware security key
3 Something You Are
Biometrics! The normal options would be to use something you probably use every day on a mobile phone: Touch ID or Face ID. (For physical access to highly secure locations this might instead be retina or fingerprint scanning)
And we’ll add the, less commonly used, bonus:
4 Somewhere You Are
Typical: Geo-IP based on the IP address location you are logging in from OR using GPS to locate your mobile device
If you are still following along (bored, are you? ) we’ll dive in a bit further
So what types of 2nd factor are there? From least secure, in terms of being phishing resistant, to most secure they are:
In joint first place (worst place?) are SMS or phone call. These can be subject to an attack known as SIM-swapping
Following closely behind is a confirmation email. This falls down if, for example, your laptop is stolen in an unlocked condition
Authenticator apps, such as Google Authenticator, Microsoft Authenticator, Authy. Others are available, indeed some password managers include them (not recommended - it creates a Single Point of Failure). The way in which these function can vary greatly but we’ll delve into that at another time
Passkeys. This concept is a relative newcomer to the scene, indeed we don’t expect widespread adoption for at least another few years. Again, explaining Public-Key Infrastructure (PKI) and asynchronous encryption would be lengthy for this post so let’s just say that passkeys are just about THE best way of implementing 2FA. Passkeys use a combination of Something You Have (a private key) and Something You Are (biometrics). The brilliance is that the site you are logging into doesn’t need to store a password (hopefully encrypted ) so it can’t get compromised in a data breach. Think of passkeys as password-less
So lastly (bestly? ) comes a Hardware Security Key. This, typically, is a USB key which you set up for a site or service and then when authenticating it just requires a touch or click. These are un-hackable. Indeed Google issued these to all their staff several years ago and no account (to date) has ever been compromised. The downside can be cost (you really should have more than one), time to deploy over a large number of logins, and ensuring you always have one with you
Regardless of how good or bad an MFA solution is, EVEN THE WORST ONE IS BETTER THAN NOTHING. Without some form of MFA it’s only a matter of time before you will have to try and deal with account compromise/takeover