Why MFA is Important

June 03, 2021

Two Factor Authentication Demo

Multi-factor authentication is sometimes called two-factor authentication, two-step verification, 2FA, or MFA. Basically it means that to get into an account you need to know something (your password) and you need to have something (your MFA device). So if someone knows your unique password but doesn’t have your device, they cannot get into your account. Many websites offer multiple options for your MFA device, but the three most common are:

  1. SMS
  2. Authenticator App
  3. Security Key

Now of those three, SMS is by far the most used by websites but is the least secure. The reason is that a hacker can often trick your wireless carrier into believing that you lost your phone and need to activate a new SIM card. This is called “simjacking” or a “SIM swap scam”. Now don’t get me wrong, by just turning on SMS MFA you are way ahead of the game!! Seriously, I have the data to prove it.

Graphic: Account takeover prevention rates, by challenge type

The next best thing is to use an Authenticator App such as Google Authenticator, Microsoft Authenticator or Authy. There are many others, and they are often described with the acronym TOTP (time-based one-time password).

With both SMS and Authenticator Apps you first enter your username and password. Then a second screen asks you to input a code to verify that you have your device. If you are using SMS, the code comes over your cellular network into your SMS app. But if you chose to use an Authenticator App, the code is actually generated on your device. Since the device generates the code, it is no longer vulnerable to simjacking!

Authenticator Login Flow

However, there is still the possibility that a hacker could create a fake sign-in page. The hacker directs you to the fake sign-in page and tricks you into entering your username, password, and secret code from either the SMS or the Authenticator App. Our hacker can make sure they are getting legitimate information by forwarding whatever you input to the real page as you enter it into their fake page. Once they have confirmed your information, they can do whatever they want with your hacked account. This is called phishing. So to help prevent this, we move on to my favorite MFA device, security keys!

Yubikey 4 Keychain

Security keys are sometimes referred to as Yubikeys, which is actually just a brand name. Basically you enter your username & password and you are then presented with a page asking you to insert your security key. Typically this is done through your USB port, but it could also be done via NFC. In fact, your phone can also be used as a security key.

There are websites that allow you to set multiple options for your MFA. Some websites even force you to always keep SMS as an MFA option. Just remember, if you leave multiple choices enabled for your MFA, a hacker will always choose whichever one is easier to take over.

Unfortunately, using a security key is not always an option. It is up to the website owner to decide which MFA options to offer. Not only that, there are plenty of websites that do not offer MFA at all. So given a choice, always use a security key as your MFA option of choice. If that is not an option, go with an Authenticator App. If SMS is all that is available, still make sure to turn it on, because it is still way better than nothing. And for those sites that do not offer MFA, either consider not using them or send them a request to make it an option.


Written by JJ Dharmaraj who builds useful-ish things. You should follow him on Twitter