Multifactor Authentication (MFA)

What is Multifactor Authentication (MFA)?

Multifactor Authentication (MFA) is an added layer of security to the authentication process of a user. The goal of MFA is to ensure that the user accessing a given account is indeed who they say they are.

Sometimes MFA may be referred to as two-factor authentication (2FA).

The first factor is usually a username and a password, while the second factor (hence “two-factor”) is something you know, have, or are. MFA works primarily under the assumption that your MFA method is harder for an attacker to obtain than your account credentials.

Ultimately, MFA matters because it provides an extra layer of protection against account takeovers – even if a malicious actor already has your login information.

A side benefit of MFA is that you are typically also made aware of a malicious login attempt (for example, an unexpected code or prompt). This awareness warns you that your credentials (most likely your password) are compromised and allows you to take action before an account takeover occurs.

Remember, MFA uses something that you know, have, or are:

  1. Something you know: such as PINs, passwords, secret question answers
  2. Something you have: credit card, smartphone, hardware key/token
  3. Something you are: generally biometrics such as fingerprints, voice prints, or iris scans

Why you should use MFA

Put simply: MFA gives you a solid layer of protection against total account takeovers and the massive headaches that follow - even in situations where your password(s) become compromised.

It is important to enable two-factor authentication on all devices and accounts that contain sensitive information, as it helps protect against unauthorized access. Ideally, you would enable MFA on every online account you have, but sometimes this may not be necessary or feasible given your unique situation.

Most websites have an option to enable MFA - and those that don't should be regarded with a higher level of scrutiny. This holds especially true for websites that collect any form of Personally Identifiable Information (PII) as part of the account creation process.

You'll find that mobile phone numbers (text/call verification) and email are the most common forms of MFA. Where far more secure options such as hardware tokens and TOTP exist, text, call, and email verification are the less favorable choice because of the very real risks that surround those 2FA methods.
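To make the "something you have" factor and the TOTP option mentioned above concrete, the following is an added example (not code from the original page) of how a time-based one-time password is generated by an authenticator app and checked by a server, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The base32 secret is a constructed value (the RFC 4226 test key), the function names are this example's own, and the server-side check shows two details a practitioner wants: a small clock-drift window and rejection of a code that has already been used.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed provisioning secret: the base32 encoding of the RFC 4226 test key
# "12345678901234567890". Not a real credential; a real secret is random and
# shared once between the server and the user's authenticator (e.g. via QR code).
SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 shared secret as displayed in a typical authenticator setup."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if the site omitted it
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, last_counter=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check of a submitted code.

    Returns the accepted time-step counter, or None if the code is rejected.
    - Accepts the current step plus `window` steps either side to tolerate clock drift.
    - Compares in constant time so response timing does not leak the expected code.
    - Refuses any counter at or before `last_counter` (the counter of the last
      accepted code), so a code captured by phishing or interception cannot be replayed.
    """
    current = timestamp // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    secret = decode_secret(SECRET_BASE32)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    accepted = verify_totp(secret, code, now)
    print("accepted at counter:", accepted)
    # The same code submitted a second time is refused.
    print("replay accepted:", verify_totp(secret, code, now, last_counter=accepted))
```

The server stores only the shared secret and the counter of the last accepted code; everything else is derived from the current time, which is why a TOTP code expires on its own and why a leaked password alone is not enough to pass the check.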

However, the general consensus is that you're better off enabling 2FA than not when it's available, in the vast majority of circumstances.