Multi-factor Authentication (MFA) is an authentication method that requires a user to provide two or more identity authentication factors to gain access to a resource such as an application, online account, or a VPN. Rather than just asking for a username and password, MFA requires one or more additional authentication factors, which decreases the likelihood of a successful cyberattack.
Why is MFA so important?
MFA prevents criminals from accessing networks, applications, and systems even when a username and password have been stolen. MFA requires a second piece of information at the time of login that is only available through something personal to the user (e.g. a code from a mobile device, the magnetic stripe on an ID badge, their fingerprint, etc.). Thus, even if a user's credentials are compromised, cybercriminals will not be able to take control of your IT assets when MFA is used.
What's the Difference between MFA and Two-Factor Authentication (2FA)?
MFA is often used interchangeably with two-factor authentication (2FA). 2FA is a subset of MFA: 2FA requires exactly two factors, while MFA requires two or more.
What are MFA authentication methods?
Each authentication method must come from a different category:
Something the user knows (password, answer to a security question, etc.)
Something the user has (a code generated by a smartphone or other device, security badge, etc.)
Something the user is (biometrics such as fingerprint, face scan, retina scan, etc.)
The most common method in use today, and the most cost-effective to implement, is the use of a mobile application, such as Google Authenticator, Duo Security, and others (something the user has).
What is Google Authenticator?
The Google Authenticator app, which is available for both iOS and Android smartphones, scans a QR code from a participating website during setup and then generates the 2FA codes that serve as a second level of protection when you log in.
Each site is different, but a site that works with Google Authenticator will have the option to scan the QR code when setting up 2FA. Once you scan the code, the app will generate a constantly changing numerical code, usually 6 digits long. When you sign in to an account that is using Google Authenticator, you will be prompted to enter this time-sensitive code.
Many other authentication apps function in this same manner.
Can I use SMS as an authentication means?
Many sites will send a 2FA authentication code to your mobile phone number as a means of verifying your identity. However, receiving 2FA codes via SMS is less secure than using an authentication app. Hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. It could be as easy as knowing your phone number and the last four digits of your Social Security number, data that tends to get leaked from time to time from banks and large corporations. Once a hacker has redirected your phone number, they no longer need your physical phone in order to gain access to your 2FA codes.
Also, if you sync text messages with your laptop or tablet, then a hacker could gain access to your SMS codes simply by stealing one of those devices.