We all know by now that protecting your online accounts is one of the most important things you can do to keep them private and safe from access by unintended third parties. Traditionally, you protect an account with a password. However, because the average person has at least twenty accounts, remembering all of those passwords is cumbersome, so people end up using the same password for all or most of their online accounts.
As well, when creating a password, people tend to pick one that is easy to remember, such as a pet's name, birthplace or high school. Did you know that a hacker can use a technique called a brute force attack to crack a weak or easily guessed password in a matter of seconds? A password that appears in a dictionary, or in a list of passwords leaked from earlier breaches, is the easiest to crack, because the attacker simply tries every entry in the list. A hacker can also guess your password from what you share publicly: if you use your pet's name, a quick look at your social media account will reveal it, especially if you often post about your pet.
That is why people always recommend a strong password, which makes it much harder for a hacker to crack your account. A strong password is at least 12 characters long, includes uppercase and lowercase letters, numbers and special characters, and is unique for every account. A passphrase (a series of unrelated words) is better than a single word, because it is longer and still easy to remember.
Why passwords alone are not enough
Even if you use strong and unique passwords, your credentials (user name and password) can still be compromised if your computer or cell phone is infected by malware, whether because you accidentally visited an untrusted website, downloaded a document from an untrusted source or clicked a link sent by a scammer. A scammer's link may also lead to a fake login page that captures your password without any malware at all. To combat this, there is a way to add extra security to your online accounts: Multi-Factor Authentication (MFA).
What is Multi-Factor Authentication (MFA)?
MFA is a method that adds an extra layer of security to logging into an account: you must pass two or more verification steps, drawn from different categories of factor, to prove your identity before you are given access. When exactly two factors are used, it is commonly called Two-Factor Authentication (2FA).
MFA can use a combination of the following factors:
Something you know
- Password
- PIN (personal identification number)
- Answer to security questions
Something you have
- Code sent by SMS
- Code sent by email
- Code generated by an authenticator app (such as Microsoft Authenticator, Authy or Google Authenticator)
- Push notification sent to your phone. This is a notification telling you that there is an attempt to access your account, with an option to tap either “approve” or “deny”
- Physical security key (YubiKey, Google Titan Security Key)
Something you are
- Your fingerprint
- Facial scan
- Iris/retina scan
- Voice recognition
Requiring more than one verification method makes it much harder for an attacker to access your account even if they already have your password.
How does MFA work?
When MFA is enabled on your account, in addition to entering your password you must verify yourself with at least one of the other verification factors described above. Only when every factor checks out are you given access to your account.
Example 1 of using two-factor authentication (2FA)
- You enter your credentials (user ID and password or PIN) → something you know
- You receive a 6-digit code by SMS → something you have
- You enter the 6-digit code to finish logging in
Example 2 of using two-factor authentication (2FA)
- You enter your credentials (user ID and password) → something you know
- The authenticator app on your cell phone generates a 6-digit code that changes every 30 seconds (the default interval used by most apps) → something you have
- You enter the 6-digit code before it expires. If you miss the window, you enter the new code the app has generated instead
As in example 1, without access to your cell phone the hacker cannot get the code generated by the authenticator app, and without the code they cannot access your account.
What MFA method is the most secure?
Not all MFA methods are created equal: some are very secure and others less so. Below is a list of MFA methods in order from the most secure to the least.
1. Security key (YubiKey, Titan Key)
With a security key, the second factor is a private key that never leaves the device. It is near impossible for a bad actor to hack your account remotely, since the credential is not stored online but physically on the key, and the key ties each login to the website's domain, so a lookalike phishing site cannot reuse it. When you log in, you are asked to plug the key into your laptop's USB port (or tap it against your phone) and touch it, and then type your password or PIN or use your biometric to unlock it.
Currently, the security key is the most secure form of MFA: it is very hard to hack and it is ideal for protecting your most sensitive and important accounts.
The downside of a security key is that if you lose it, there is a risk that you will not be able to recover your accounts unless you have a backup.
The best practice is to buy and register more than one security key on every service you use, so that a spare can take over if one is lost. You also need to keep the one-time backup codes the service gives you when you enable the key somewhere safe. Alternatively, set up a second recovery method on the service, such as an authenticator app.
2. Authenticator app
As a second factor, an authenticator app is a good balance of security and convenience. It is secure because it uses a TOTP (Time-based One-Time Password): once your online account/service is set up with the app, whenever you log in the app on your phone generates a six-digit, time-sensitive code that is valid for a short interval, typically 30 seconds.
It is convenient because you can enable 2FA for multiple accounts or services in a single, easy-to-use app on your phone. The app also works when your phone has no internet connection or SIM card. In other words, it can generate codes in airplane mode, with no signal, with no SIM, underground or on a plane, because once it has been set up the app needs only the secret it shares with the service and the current time to compute the code. The one thing it does depend on is an accurate clock: if the phone's time drifts by more than the service tolerates, its codes will be rejected.
3. Push notifications
A push notification is an MFA method in which the app sends a notification (instead of a security code) to your device (cell phone) asking you to approve or deny an attempt to access your account. Microsoft Authenticator is one example: if you enable its notification/push option, the app shows a pop-up on your device where you choose to approve or deny the login. Tap “deny” on any prompt you did not trigger yourself; an attacker who already has your password can send prompt after prompt hoping you will approve one by mistake.
4. Code sent through SMS/email
This type of MFA is the least secure of the types mentioned above. However, it is still better than no MFA at all and relying on your password alone.
With SMS, there is a risk that the code can be intercepted if your SIM is hijacked (also known as SIM swapping). This happens when the hacker convinces your carrier (by pretending to be you, using stolen information such as your name, phone number, birth date and address) to move your phone number to a SIM card they own. If your SIM is hijacked, you lose service on your phone and every security code sent by SMS goes to the hijacker's phone instead. Codes sent by email are only as safe as the email account itself: if that account is protected by a weak or reused password, the attacker can read the codes there.
Although biometric verification is part of MFA, I did not include it in the ranking of MFA methods described above. The reason is that biometrics are rarely used on their own as a second factor. For most online accounts/services, the biometric does not directly authenticate you to the service provider; instead, it unlocks your device when a security code or push notification is sent to it.
Biometrics are mostly used to:
- Unlock your device
- Unlock the authenticator app
- Unlock the security key
- Approve a local login
They are not used as an independent MFA method in the way a security key or authenticator app is; they are used in combination with the other MFA methods described above.
Final thoughts: Should you enable MFA?
Understanding what MFA is, how it works and what benefits it provides in protecting your online accounts should give you the awareness and confidence that enabling MFA on your accounts is important. No method secures an account 100%. However, enabling MFA is much better than relying on your password alone.
If I may say it in my own words, it is a “must” to enable MFA on your accounts whenever an account or service offers it. Otherwise, you face a higher risk of your accounts being hacked by unauthorized/unintended users.

