Today I want to cover what exactly multi factor authentication or two factor authentication is, what any abbreviations (like MFA or 2FA) are, and how you SHOULD be using it to protect yourself!
Two Factor Authentication – YouTube Version of this Post
If you prefer a video over reading the text, then you can find the YouTube version of this post below.
That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!
Before I can jump into MULTI-factor authentication, I’ll first have to cover what exactly authentication means in the realm of information security.
In security, according to NIST, authentication is “verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.”
In simpler terms, authentication is how you prove to a system that you are who you say you are. Whenever you login to your social media accounts, your banking applications, or even your work computers, you are authenticating!
The benefit of authentication should be obvious, but it prevents others from pretending to be us, and potentially stealing money or valuable information from private resources.
Normally, authentication takes two-steps: first you identify who you are (for example: your username or e-mail address), then you PROVE that you are who you say you are (for example: a password that only you know).
Two Factor Authentication – Ways to Authenticate
There are three primary methods of authentication: something you are (for example: biometrics like a fingerprint scanner), something that have (for example: a token on your keychain or an app like the Google authenticator), or something you know (for example: passwords).
In addition to these, some systems may also use somewhere you are (for example: GPS location on your phone) or sometime you are (for example: if you normally only login to your bank between the hours of 9am and 5pm EST). That said, these are generally not enough authentication factors on their own, so systems normally use these in conjunction with one of the other methods.
Something You Are
Something you are is USUALLY the strongest form of authentication, because, as you’d expect, it’s pretty hard to duplicate an iris or copy a fingerprint. That said, the TECHNOLOGY behind some of these authentication methods can be expensive, and cheaper versions may have implementation flaws of their own. This authentication method is starting to become more common (for example: the iPhone Face ID), but this is still too expensive to be common in every system that we use.
Something You Have
Something you have has been increasing in popularity over the last few years, especially with the explosion of the smart phone. This authentication method normally comes in the form of a one-time use token or key that comes from either an application you have (for example: the Google Authenticator), a physical token that you carry around (for example: an RSA token), or something like a text message/e-mail message. While this is another secure method of authentication, getting users a physical device proved to be a barrier before the smart device becoming universal.
Something You Know
Finally, the most common method of authentication is something you know. The primary example of this is passwords. There is no special hardware needed for biometrics, no apps for you to install, and no other tools required to provide our secrets. This is the reason that this is both the most common method of authentication, but ALSO the reason that this is the least secure method of authentication. Due to this, it is incredibly important that you not only create strong passwords, but you keep them as secure as possible.
Two Factor Authentication – Protecting your Authentication Mechanism(s)
Regardless of what method(s) of authentication you use, you should keep them all as secure as possible.
If someone were to know your username and password, for example, they could login to your banking application and transfer out all of your money. Not only would you be out your money, it could be hard to prove that this wasn’t you, because you “proved” to be yourself to the bank via your authentication mechanisms.
This means that you should keep any applications or tokens on your person or locked up, and you should uniquely generate any passwords and either store them nowhere or in a secure password vault.
In addition to passwords, this also covers answers to your “secret questions”, as these are effectively another method of “something you know” to most applications or services. If you are familiar with password reset mechanisms, you can normally change an account’s password just by answering a few of these “secret questions”.
What is Multi-Factor Authentication (MFA) or Two Factor Authentication (2FA)?
Finally, on to the core topic of what is multi-factor or two-factor authentication!
Multi-factor authentication, as some of you may have already guessed, is combining two (or more) authentication methods to provide greater security and identity verification. The form of this that you may be most familiar with is a password (something you know) + a one-time use token from your authenticator app (something you have).
Continuing with the banking example from earlier, if someone knew your username and password, they would STILL need to be able to access the one-time use token from the application on your physical phone.
Multi-factor authentication is huge benefit to security, and honestly the biggest thing that stops hackers LIKE ME from breaking into your company or private applications. While important, attackers can easily guess usernames and passwords, systems can leak them, or users can reuse them across multiple applications and services. By requiring an additional form of authentication, this gives application owners increased confidence that users and services will be safer from attackers.
What’s the Difference between MFA and 2FA?
While people use MFA (multi-factor authentication) and 2FA (two factor authentication) interchangeably, they aren’t exactly the same.
2FA is ONLY using two-factors of authentication (for example: the password and authenticator app from before).
Multi-factor authentication is two OR MORE factors of these authentication (for example: a password, an RSA keyring, the time that you normally login to applications, and the GPS coordinates of your phone).
How do I Enable MFA
While enabling multi-factor authentication will vary from system to system and application to application, I’ll give you a few examples to get yourself started!
For your Facebook account, you will want to login, go to your “Security and Login Settings”, scroll down to “Use two-factor authentication” and click “Edit”.
While these are only two specific examples, hopefully they give you an idea of where you might find these settings in the specific applications that you would like to enable them.
That said, if you cannot find this functionality, be sure to reach out to your system administrator or customer support and ask them about multi-factor authentication!
Two Factor Authentication – Additional Resources
- What is Multi-Factor Authentication (MFA)?
- What Authentication Means in Information Security
- Microsoft: MFA bypass attacks are so rare we don’t have good statistics on them
Should I Enable Multi Factor Authentication – Conclusion
Hopefully, all of the above examples gave you plenty of reasons to enable multi-factor authentication everywhere.
The biggest takeaway should be that two-factor or multi-factor authentication is often the BIGGEST frustration to hackers everywhere. It is also the easiest step that you can take in protecting your accounts.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here.