top of page
  • OpaCyber

Multi-factor Authentication / 2-factor Authentication (MFA / 2FA)

Use MFA/2FA everywhere it is possible to do so. It is one of the best ways to prevent account compromise

If your only devices are supplied by an organisation, implementation of MFA/2FA will be undertaken by it but much of the detail below is applicable to your personal devices and accounts

What is MFA/2FA and why should I use it

The basis of MFA/2FA (Multi-factor Authentication / 2-factor Authentication) is having the need of a second factor to authenticate, so just having (e.g.) a username and password is not sufficient

To authenticate using MFA/2FA, one needs two out of three of the following:

  1. Something You Know

  2. Something You Have

  3. Something You Are

Before we dive too deeply into that, let’s take half a step back and look at all the options of authentication because there are two more (less secure) options. Here they all are:

SFA / 2SV / 2FA / MFA

SFA: Single-factor authentication

Typical: a password. This is Something You Know

(No, a username and a password aren’t two factors, just one. They are just two versions of Something You Know )

2SV: 2-step verification

Typical: a password and then a code received via SMS, or a phone call, or an email with a link to confirm

(Again, this is not 2FA as none of these are Something You Have - they are something you are being given and then they become Something You Know)

2FA: 2-factor authentication

Typical: a password and the use of an authentication app

MFA: Multi-factor authentication

What’s the difference between MFA and 2FA? Not much. There seem to be differences of opinion on this with some saying it is the requirement of an additional verification method (3FA anyone?) such as biometrics or location (Somewhere You Are ) and you’ll find a lot of opinions describing 2SV as 2FA and 2FA as MFA

We view MFA as giving the option of using different second factors instead of dictating the type of secondary authentication. So for instance, one system may offer 2FA by means of an authenticator app, but only that, while another may offer MFA in the form of an authenticator app or facial recognition or a hardware security key

Let’s revisit our forms of authentication:

1 Something You Know

Typical: a password

2 Something You Have

Typical: a code from an authenticator app or the use of a hardware security key

3 Something You Are

Biometrics! The normal options would be to use something you probably use every day on a mobile phone: Touch ID or Face ID. (For physical access to highly secure locations this might instead be retina or fingerprint scanning)

And we’ll add the, less commonly used, bonus:

4 Somewhere You Are

Typical: Geo-IP based on the IP address location you are logging in from OR using GPS to locate your mobile device

If you are still following along (bored, are you? ) we’ll dive in a bit further

So what types of 2nd factor are there? From least secure, in terms of being phishing resistant, to most secure they are:

  1. In joint first place (worst place?) are SMS or phone call. These can be subject to an attack known as SIM-swapping

  2. Following closely behind is a confirmation email. This falls down if, for example, your laptop is stolen in an unlocked condition

  3. Authenticator apps, such as Google Authenticator, Microsoft Authenticator, Authy. Others are available, indeed some password managers include them (not recommended - it creates a Single Point of Failure). The way in which these function can vary greatly but we’ll delve into that at another time

  4. Passkeys. This concept is a relative newcomer to the scene, indeed we don’t expect widespread adoption for at least another few years. Again, explaining Public-Key Infrastructure (PKI) and asynchronous encryption would be lengthy for this post so let’s just say that passkeys are just about THE best way of implementing 2FA. Passkeys use a combination of Something You Have (a private key) and Something You Are (biometrics). The brilliance is that the site you are logging into doesn’t need to store a password (hopefully encrypted ) so it can’t get compromised in a data breach. Think of passkeys as password-less

  5. So lastly (bestly? ) comes a Hardware Security Key. This, typically, is a USB key which you set up for a site or service and then when authenticating it just requires a touch or click. These are un-hackable. Indeed Google issued these to all their staff several years ago and no account (to date) has ever been compromised. The downside can be cost (you really should have more than one), time to deploy over a large number of logins, and ensuring you always have one with you

Regardless of how good or bad an MFA solution is, EVEN THE WORST ONE IS BETTER THAN NOTHING. Without some form of MFA it’s only a matter of time before you will have to try and deal with account compromise/takeover


bottom of page