What is Multifactor Authentication (MFA)?
Multifactor Authentication (MFA) is an added layer of security to the authentication process of a user. The goal of MFA is to ensure that the user accessing a given account is indeed who they say they are.
Sometimes MFA may be referred to as two-factor authentication (2FA).
The first part of authentication is usually a username and a password, while the second stage of authentication (hence “two-factor”) is something you know, have, or are. MFA functions primarily under the assumption that your MFA method is harder to access than your account credentials.
Ultimately, MFA is significant primarily because it provides an extra layer of protection against account takeovers – even if a malicious actor has your login information.
A side benefit of MFA is that typically you’re also made aware of the malicious login attempt. This awareness gives you warning that your credentials (most likely your password) are compromised and allows you to take action prior to an account takeover.
Different forms of MFA
2FA comes in many different forms. These different forms are not created equally in terms of security, and by extension, privacy.
Remember, MFA uses something that you know, have, or are:
- Something you know: such as PINs, password, secret question answers
- Something you have: credit card, smartphone, hardware key/token
- Something you are: generally biometrics such as fingerprints, voice prints, or iris scans
SMS and Email
You’re more than likely familiar with receiving a code via text message (SMS), phone call, or email and then inputting that code to the account you’re logging into to verify that it’s really you. This is the SMS/Email method of MFA and it’s very common for services to offer this method.
Unfortunately, SMS and Email are regarded as “weak” MFA methods. In comparison with other MFA methods, there are multiple ways a malicious actor can compromise this method of MFA.
For example, with SMS, a malicious actor can take over your phone number via a SIM swap attack; with email, an attacker can gain access to your email via password attacks such as credential stuffing or scam/phishing attempts.
HOTP
HOTP stands for HMAC (hash-based message authentication code) based One Time Password. This form of MFA is most commonly found in hardware keys/tokens.
HOTP is similar to TOTP except that HOTP codes 1) are event based, generated from a counter that advances on each use, and 2) can be valid for an unspecified amount of time; they don’t necessarily change after an elapsed time period like TOTP codes do.
The main drawback of HOTP is that, since the codes don’t expire until they are used, they can be “guessed” via brute force attacks. Once a code is known, a malicious actor can gain access to an account.
As a note, YubiKey OTP avoids the main pitfalls associated with HOTP by encrypting the counter as opposed to hashing it. However, it relies on Yubico’s cloud and the public ID associated with your YubiKey is the same across every website and in theory can be used as a unique identifier for tracking/profiling.
TOTP
TOTP stands for Time (based) One Time Password. This is a string of characters and/or numbers that authenticates the user for a login session. The code expires after use.
Generally, you scan a QR code, which provisions a shared secret between the service and your account. The shared secret is what needs to be protected because it’s meant to be known only by your authenticator and the service. The shared secret gets stored in your authenticator, which can be software-based or a hardware key equipped with TOTP support.
Thirty and sixty second increments are common time windows for a generated code to be “alive,” or accepted by the service, until a new one is generated from the shared secret.
TOTP is generally regarded as a secure form of MFA for most users out there. Ideally, you’d use a hardware key capable of storing TOTP codes, but a secure authenticator app is a good option.
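The HOTP and TOTP sections above describe the two algorithms in words; the following is an added example (written for this page, not taken from any authenticator or service) that implements both per RFC 4226 and RFC 6238 using only the Python standard library, and shows the server-side checks that matter: a constant-time comparison, a small drift window for TOTP, and a look-ahead window for HOTP that never re-accepts an already-used counter. The base32 decoding helper, the function names, and the RFC test key `12345678901234567890` are assumptions of this example, not something the page defines.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// QR code (spaces, case and padding are lax)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP with the counter set to the number of elapsed time steps."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps to tolerate clock drift.
    hmac.compare_digest keeps the comparison constant-time so timing does not leak digits."""
    if at is None:
        at = time.time()
    for drift in range(-window, window + 1):
        candidate = totp(secret, at + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def verify_hotp(secret: bytes, code: str, stored_counter: int, look_ahead: int = 10, digits: int = 6):
    """Server-side check for a counter-based token. Returns the counter to store next, or None.
    Counters below `stored_counter` are never tried, so a code that was already used is rejected
    even though HOTP codes have no time-based expiry."""
    for counter in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter + 1
    return None


if __name__ == "__main__":
    # Constructed test key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
    key = b"12345678901234567890"
    print("HOTP counter 0..2:", [hotp(key, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(key, at=59, digits=8))
    print("TOTP now:", totp(decode_base32_secret(base64.b32encode(key).decode())))
```

`verify_hotp` is where the "codes don't expire" drawback is contained: the server advances its stored counter past the code it just accepted, so a sniffed or guessed code is only useful until the legitimate user presses the button again, and only if it lies within the look-ahead window.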
Biometrics
Biometrics include voice prints, fingerprints, eye scans, and their mathematical equivalents. Biometrics fall under something you are, because it's generally hard to change these characteristics.
Given their nature, biometrics are generally a very secure form of MFA. However, it’s certainly worth noting that biometrics tend to pose a substantial privacy issue more than a security one.
This is because biometrics are 1) inherent to individuals, serving as exceptionally unique identifiers and 2) must be stored somewhere – in some applications, the storage method and retention duration might not be something directly under your control.
FIDO2
FIDO stands for Fast Identity Online; FIDO2 is an extension of FIDO U2F. FIDO2 uses WebAuthn, a web standard published by the World Wide Web Consortium (W3C). The FIDO2 Project itself is a joint venture between the FIDO Alliance and the W3C.
FIDO2 is objectively the most secure authentication protocol available as it eliminates many weaknesses associated with our current authentication standards. Additionally, it is an open standard that provides a higher degree of flexibility for implementation; it allows for passwordless authentication, two-factor authentication, and multi-factor authentication.
FIDO2’s support for passwordless authentication can replace weak passwords with strong authentication methods using public key cryptography, providing resistance to phishing, session hijacking, and man-in-the-middle attacks. Unlike TOTP, HOTP, and YubiKey OTP, there are no shared secrets, which mitigates weaknesses found in those methods.
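To make the "no shared secret" and phishing-resistance claims concrete, here is an added example (not FIDO Alliance or W3C code, and a deliberately reduced model of WebAuthn rather than a conforming implementation) of the challenge/response flow: the authenticator holds only a private key scoped to a relying-party ID, the browser (not the page's script) stamps the real origin into the signed client data, and the relying party checks challenge, origin, RP ID hash, signature counter and signature. The relying-party name `bank.example`, the phishing origin `bank-example.evil`, and the class and function names are assumptions of this example. It assumes the `cryptography` package is installed for ECDSA P-256, the ES256 algorithm WebAuthn commonly uses.

```python
import hashlib
import json
import os
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

RP_ID = "bank.example"                 # assumed relying party id
RP_ORIGIN = "https://bank.example"     # assumed relying party origin


class Authenticator:
    """Toy authenticator: one key pair per credential, scoped to the rp_id it was created for."""

    def __init__(self):
        self._keys = {}        # credential_id -> (rp_id, private_key); the private key never leaves
        self._sign_count = 0

    def register(self, rp_id: str):
        priv = ec.generate_private_key(ec.SECP256R1())
        cred_id = os.urandom(16)
        self._keys[cred_id] = (rp_id, priv)
        return cred_id, priv.public_key()   # only the public key goes to the server

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data: bytes):
        stored_rp, priv = self._keys[cred_id]
        if stored_rp != rp_id:
            raise ValueError("credential is not scoped to this rp_id")
        self._sign_count += 1
        # authenticatorData: sha256(rpId) || flags (UP=1) || 4-byte signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self._sign_count)
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, priv.sign(signed, ec.ECDSA(hashes.SHA256()))


def browser_assert(authenticator: Authenticator, page_origin: str, cred_id: bytes, challenge: bytes):
    """The browser derives rp_id and origin from the page it is actually showing; a page cannot lie here."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}, sort_keys=True
    ).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, cred_id, client_data)
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}   # cred_id -> (public_key, last_sign_count)
        self.pending = set()    # unused challenges

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, cred_id: bytes, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        challenge = bytes.fromhex(cd.get("challenge", ""))
        if cd.get("type") != "webauthn.get" or challenge not in self.pending or cd.get("origin") != self.origin:
            return False                                   # wrong origin or replayed/unknown challenge
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                                   # assertion made for a different rp_id
        pub, last_count = self.credentials[cred_id]
        count = struct.unpack(">I", auth_data[33:37])[0]
        if count <= last_count:
            return False                                   # counter went backwards: replay or cloned key
        try:
            pub.verify(sig, auth_data + hashlib.sha256(client_data).digest(), ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        self.pending.discard(challenge)                    # each challenge is single-use
        self.credentials[cred_id] = (pub, count)
        return True


def demo():
    """Returns (legitimate login ok, phished assertion accepted, replayed assertion accepted)."""
    auth, rp = Authenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    cred_id, pub = auth.register(RP_ID)
    rp.credentials[cred_id] = (pub, 0)
    legit = browser_assert(auth, RP_ORIGIN, cred_id, rp.new_challenge())
    ok = rp.verify(cred_id, *legit)
    try:   # a look-alike origin relaying a fresh challenge: the browser scopes it to the wrong rp_id
        phished = rp.verify(cred_id, *browser_assert(auth, "https://bank-example.evil", cred_id, rp.new_challenge()))
    except ValueError:
        phished = False
    replayed = rp.verify(cred_id, *legit)   # resubmitting the earlier assertion
    return ok, phished, replayed


if __name__ == "__main__":
    print(demo())
```

Contrast this with the OTP methods above: a server breach here yields public keys only, and the relayed-challenge case fails on origin scoping before any signature is even produced.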
Why you should use MFA
Put simply: MFA gives you a solid layer of protection against total account takeovers and the massive headaches that follow - even in situations where your password(s) become compromised.
It is important to enable two-factor authentication on all devices and accounts that contain sensitive information, as it can help protect against unauthorized access. Ideally, you would enable MFA on every online account you have, but sometimes this may not be necessary nor feasible given your unique situation.
Most websites have an option to enable MFA - and those that don't should be regarded with a higher level of scrutiny. This holds especially true for websites that collect any form of Personally Identifiable Information (PII) as part of the account creation process.
Of course, you'll find that mobile phone numbers (text/call verification) and email are the most common forms of MFA. Because far more secure options such as hardware tokens and TOTP exist, these are the less favorable choice given the very real risks that surround them.
However, the general consensus is that you're better off enabling 2FA than not when it's available, in the vast majority of circumstances.
Even for less secure 2FA methods such as SMS and email, you can help reduce the likelihood of SIM swap attacks and email account takeovers by improving your general personal security measures - such as using a hard-to-guess PIN at your mobile carrier and using a strong password for your primary email account. Ideally, you would exercise the option of using TOTP or a hardware security key when presented with the choice.
At the end of the day, what you should remember is that MFA saves compromised accounts more often than not. While it's not a silver bullet, it's highly advised to use MFA where you can!