An overview of Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a key security tool for protecting accounts from being compromised. In fact, it is so effective that it reduces the risk of account compromise by 99.22%, according to research from Microsoft. Unfortunately, most people still don't use MFA. In 2023, Twitter (X) revealed that only 2.6% of its users have MFA enabled on their accounts.

In this article, I'm going to explain what MFA is, why you should use it, what the different types of MFA are, and which ones you should use.

What is MFA?

Multi-Factor Authentication is a method of confirming your identity using multiple methods (or factors), not just your username and password. Your username and password are something you know (the 1st factor). You then need to provide a different factor of authentication in addition to your username and password. This additional factor is usually something you have (a phone, a USB key with an encrypted token, etc.) or something you are (biometrics, i.e. fingerprint, face, etc.). The key thing is that you need 2 different kinds of factor for it to be considered multi-factor. Using 2 passwords is still just a single factor.

Why MFA?

So why is MFA so much better at protecting your account than just a username and password? Essentially, it is much easier to steal one thing than it is multiple things.

Traditionally, most accounts are secured using a password. Anyone who knows that password can access the account. To log in to your LinkedIn account, both you and LinkedIn need to know the password for your account. So, if either you or LinkedIn are hacked, the hacker knows your password and can log in to your account. If you have multi-factor authentication configured on your account, the hacker can know your password, but they can't have your phone and they are not you. While it is possible to also steal a copy of the code on your phone and impersonate your face or fingerprint, it is a much higher barrier to entry than just stealing your password.

Instead of using a password to secure your account, you could also secure your account with just a code from your phone or just your fingerprint. While these things are harder to steal, it's still only one thing the hacker has to steal. Multi-Factor authentication is so successful because there is more than one thing to steal.

Are all MFA options created equal?

There are many different methods you can use for MFA. The most common ones are SMS, mobile apps, biometrics (face or fingerprint) and hardware tokens. While there are other methods of MFA, these 4 are the most common, so they are the ones I will focus on. In the sections below, I'll outline how each method works and the strengths and weaknesses of each.

SMS Based MFA

SMS based MFA works by sending a one-time use code to your phone via SMS at the time of login. You then need to provide this code on the login page after entering your username and password to complete the login process.

Strengths

  1. No set up required. Once an organisation has your mobile number, they can automatically activate SMS based MFA on your account without requiring you to take any action to activate it.
  2. Easier to support wide adoption. Since most people have a mobile phone and understand how to use SMS messages, you can roll this MFA method out to your users with very little training or support.
  3. Limited life span. The one-time code that is generated has a limited life span of usually no more than about 5 minutes. So even if you don't enter the code to log in, it doesn't remain valid for someone else to guess later.
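To make the three strengths above concrete, here is an added illustration (not code from the article) of what the service's side of SMS MFA has to do: generate a random code, send it, and then accept it only once, only within its 5-minute life span, and only for a handful of guesses. The OtpStore class, the FakeClock, the phone number and the server pepper are all constructed for the example; the SMS gateway is replaced by a list that records what would have been sent.

```python
"""Server-side issuance and verification of an SMS one-time code (added example)."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 5 * 60   # "usually no more than about 5 minutes"
MAX_ATTEMPTS = 3            # wrong guesses allowed before the code is burned
SERVER_PEPPER = secrets.token_bytes(32)   # constructed; a real deployment keeps this in a secrets store


class FakeClock:
    """Controllable clock so the expiry behaviour can be shown without waiting."""
    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class OtpStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user -> (code_hash, expires_at, attempts_left)
        self.sent = []       # stand-in for the SMS gateway: (phone, message)

    def _hash(self, code):
        # Store a peppered hash, never the code itself, so a leaked table is useless.
        return hmac.new(SERVER_PEPPER, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, phone):
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user] = (self._hash(code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self.sent.append((phone, f"Your login code is {code}"))   # would call the SMS gateway

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]          # expired: burn it
            return False
        if hmac.compare_digest(code_hash, self._hash(submitted)):
            del self._pending[user]          # correct: single use, burn it
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]          # too many wrong guesses: burn it
        else:
            self._pending[user] = (code_hash, expires_at, attempts_left)
        return False


def _wrong(code):
    """A guess that is guaranteed not to equal the real code (last digit changed)."""
    return code[:-1] + str((int(code[-1]) + 1) % 10)


def demo():
    """Walk through the single-use, expiry and guess-limit behaviour."""
    clock = FakeClock()
    store = OtpStore(clock=clock)
    phone = "+61400000000"   # constructed
    results = {}

    store.issue("alice", phone)
    code = store.sent[-1][1].split()[-1]   # what the user's phone would display
    results["wrong_guess"] = store.verify("alice", _wrong(code))
    results["right_code"] = store.verify("alice", code)
    results["replay"] = store.verify("alice", code)   # same code again: already burned

    store.issue("alice", phone)
    code = store.sent[-1][1].split()[-1]
    clock.advance(CODE_TTL_SECONDS + 1)
    results["expired"] = store.verify("alice", code)

    store.issue("alice", phone)
    code = store.sent[-1][1].split()[-1]
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", _wrong(code))
    results["after_max_guesses"] = store.verify("alice", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The guess limit matters as much as the expiry: a 6-digit code only has a million possibilities, so without it an attacker who already has the password could simply try codes until one works.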

Weaknesses

  1. Not phishing resistant. It's possible for an attacker to trick you into giving away your MFA code via phishing. As long as an attacker knows what your MFA code is at the right time (assuming they already know your username and password), they can log in to your account, even on a different device to the one you are using.
  2. Can be intercepted. SMS messages are not encrypted. This means that someone who has access to the mobile network can intercept the SMS messages as they are travelling through the network and read them. If they know your mobile number and are attempting to target you, they could potentially intercept your SMS messages to steal your MFA code.
  3. Your phone number can be stolen. 'Phone Porting' attacks are a type of attack where an attacker will attempt to transfer ownership of your mobile number to a phone that they control. If they are able to do this, they can then receive all your SMS based MFA messages.

Mobile App Based MFA

Mobile app-based MFA requires installing an app on your phone (e.g. Google Authenticator, Microsoft Authenticator, Duo, etc.) that will either provide a rotating one-time code or a pop-up message to approve or decline the login attempt.

Strengths

  1. Codes stay on your mobile device, so there are no concerns about the one-time code being intercepted.
  2. Limited life span. The one-time code that is generated has a limited life span of usually no more than about 60 seconds. So even if you don't enter the code to log in, it doesn't remain valid for someone else to guess later.
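The rotating code shown by authenticator apps is a time-based one-time password (TOTP, RFC 6238). The following added example, not code from the article or from any of the apps it names, shows why the code is short-lived: it is an HMAC over the current 30-second time step, so it changes every step and the server accepts only the current step plus one either side for clock drift. The shared secret is the RFC 6238 test-vector key, not a real user's secret; the TotpVerifier class is a constructed stand-in for the service's side.

```python
"""RFC 6238 TOTP generation and verification (added example)."""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30    # seconds per code; apps typically show a 30 s countdown
DIGITS = 6
DRIFT_STEPS = 1   # accept one step either side of "now" for clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float) -> str:
    """The code an authenticator app would display at Unix time `at`."""
    return hotp(secret, int(at) // TIME_STEP)


class TotpVerifier:
    """Server side: holds the same secret, checks the code, and refuses replays."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_accepted_step = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // TIME_STEP
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self._last_accepted_step:
                continue   # a code from this step (or earlier) was already used
            if hmac.compare_digest(hotp(self._secret, step), code):
                self._last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    now = time.time()
    print("current code:", totp(secret, now), "valid for", TIME_STEP - int(now) % TIME_STEP, "more seconds")
```

Because both sides derive the code from the same secret and the clock, nothing is sent over the network when the code is generated; the only exposure is the code the user types in, which is why this method is still not phishing resistant.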

Weaknesses

  1. Not phishing resistant. It's possible for an attacker to trick you into giving away your MFA code via phishing. As long as an attacker knows what your MFA code is at the right time (assuming they already know your username and password), they can log in to your account, even on a different device to the one you are using.
  2. MFA Fatigue attacks. If app-based MFA is configured to send an approve/decline message at login rather than ask you to enter a code, an attacker that knows your username/password can continually try to log in to your account. Every time they try to log in, you will get a notification to approve/decline the login. Some people will eventually just get tired of getting the notifications and tap Approve to make them stop.
  3. Set up required. Unlike SMS-based MFA, you have to take action to set this up. You have to download the mobile app and go through a set up process to get the MFA configured and working.
  4. Can lock yourself out of your account if you lose your phone. Because the MFA is tied to your phone, if your phone is lost or stops working, you won't be able to get into your account. You would need to contact the support team for the service you are trying to access to have them turn off MFA on your account.
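Two server-side controls blunt the MFA fatigue attack described in weakness 2: stop sending pushes once a user has denied or ignored several in a short window (and raise an alert), and use number matching, where the login screen shows a number that must be typed into the app, so a push cannot be approved by a reflex tap. The example below is added here and is not code from the article or from any MFA vendor; the PushGuard and NumberMatchChallenge classes, the thresholds and the event log are all constructed.

```python
"""Rate limiting and number matching for push-based MFA (added example)."""
from collections import defaultdict, deque
import secrets

WINDOW_SECONDS = 10 * 60   # look-back window for counting unwanted pushes
MAX_UNWANTED = 3           # denied/expired pushes before we stop pushing and alert


class PushGuard:
    def __init__(self):
        self._unwanted = defaultdict(deque)   # user -> timestamps of denied/expired pushes
        self.alerts = []                      # (ts, user, message) for the SOC

    def _prune(self, user, now):
        q = self._unwanted[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def record(self, user, outcome, ts):
        """outcome is one of 'approved', 'denied', 'expired'."""
        if outcome not in ("denied", "expired"):
            return
        q = self._unwanted[user]
        q.append(ts)
        self._prune(user, ts)
        if len(q) == MAX_UNWANTED:   # alert once, when the threshold is crossed
            self.alerts.append((ts, user, "possible MFA fatigue: repeated unwanted pushes"))

    def may_push(self, user, now):
        """False while the user is inside the window with too many unwanted pushes."""
        self._prune(user, now)
        return len(self._unwanted[user]) < MAX_UNWANTED


class NumberMatchChallenge:
    """Server shows `displayed` on the login page; the app must send the same number back."""
    def __init__(self):
        self.displayed = secrets.randbelow(100)   # two-digit number shown to the user

    def approve(self, typed):
        return typed == self.displayed


def demo():
    # Constructed event log: (timestamp, user, outcome). Bob is being push-bombed.
    events = [
        (0, "bob", "denied"),
        (30, "bob", "denied"),
        (50, "carol", "approved"),
        (70, "bob", "expired"),
        (100, "bob", "denied"),
    ]
    guard = PushGuard()
    for ts, user, outcome in events:
        guard.record(user, outcome, ts)
    return {
        "alerts": len(guard.alerts),
        "bob_may_push_now": guard.may_push("bob", 120),
        "bob_may_push_after_window": guard.may_push("bob", 120 + WINDOW_SECONDS + 100),
        "carol_may_push_now": guard.may_push("carol", 120),
    }


if __name__ == "__main__":
    print(demo())
    challenge = NumberMatchChallenge()
    print("login page shows", challenge.displayed, "-> approve(correct):", challenge.approve(challenge.displayed))
```

Blocking further pushes while the window is open is what stops the stream of notifications that wears the user down; the alert is what lets the security team see that someone is holding a valid password for that account.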

Biometrics

Biometrics-based MFA uses the facial or fingerprint recognition features in your phone or laptop as a second layer of MFA.

Strengths

  1. Phishing resistant. Because the facial/fingerprint recognition features are local to your device, an attacker can't trick you into giving them away like they can with a one-time code.
  2. Can't be intercepted. Because the facial/fingerprint recognition is happening on your local device, it can't be intercepted in transit.
  3. Less set up required. Once you set up the facial/fingerprint recognition features on your device, you don't need to set them up again for every service you use. You just need to "turn on" the MFA feature for whatever service you are using, and that service will use your already configured facial/fingerprint recognition built into your device.

Weaknesses

  1. Can lock yourself out of your account if you lose your device. Because the MFA is tied to a device that supports biometrics, if your device is lost or stops working, you won't be able to get into your account. You would need to contact the support team for the service you are trying to access to have them turn off MFA on your account.

Hardware Tokens

Hardware tokens are physical devices that store a cryptographic token to secure your account. To authenticate to your account with a hardware token, you plug the hardware token into your device (or connect it wirelessly via NFC or Bluetooth) and it provides its unique code to the service you are logging into after you enter your username and password.

There are many types of these devices; one of the most common examples is the YubiKey.

Strengths

  1. Phishing resistant. Because you need to connect the hardware token to your device and it's authenticated locally, an attacker can't trick you into giving away the code.
  2. Ease of use. Just plug the device in to your computer/phone and it works automatically.
  3. Strong encryption. The encryption used on hardware tokens is usually much stronger than other forms of MFA.
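The phishing resistance claimed for both hardware tokens and the biometric (platform) authenticators in the previous section comes from the same mechanism, which the following added example models in miniature. It is not code from the article or from any vendor: the browser tells the authenticator which origin the page is on, the authenticator signs that origin together with the service's challenge, and the service refuses an assertion whose origin is not its own. A symmetric HMAC keyed by a per-credential secret stands in for the authenticator's real asymmetric signature (an assumption made so the example runs on the standard library); the origin-binding logic is the same as in FIDO2/WebAuthn. RP_ID, EXPECTED_ORIGIN and the lookalike domain are constructed.

```python
"""Why a hardware token or platform biometric resists phishing: origin binding (added example)."""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                     # constructed relying party
EXPECTED_ORIGIN = "https://login.example.com"


class Authenticator:
    """Token side: one key per credential, never exported."""
    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        cred_id = secrets.token_hex(8)
        self._keys[cred_id] = secrets.token_bytes(32)
        # Real WebAuthn hands the service a public key; the HMAC key is the stand-in here.
        return cred_id, self._keys[cred_id]

    def get_assertion(self, cred_id, rp_id, challenge, origin):
        # The browser supplies `origin`; the user never types it and cannot change it.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._keys[cred_id], signed, hashlib.sha256).digest()
        return {"credential_id": cred_id, "client_data": client_data,
                "auth_data": auth_data, "signature": sig}


def browser_get(authenticator, cred_id, rp_id, challenge, page_origin):
    """Browser side: a page may only use an rpId that its own origin belongs to."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"origin {page_origin} may not use rpId {rp_id}")
    return authenticator.get_assertion(cred_id, rp_id, challenge, page_origin)


class RelyingParty:
    """Service side: issues challenges and checks origin, rpId, challenge and signature."""
    def __init__(self):
        self._creds = {}
        self._challenges = {}

    def register(self, user, cred_id, key):
        self._creds[user] = (cred_id, key)

    def begin_login(self, user):
        self._challenges[user] = secrets.token_urlsafe(32)
        return self._challenges[user]

    def finish_login(self, user, assertion):
        cred_id, key = self._creds[user]
        challenge = self._challenges.pop(user, None)
        cd = json.loads(assertion["client_data"])
        if assertion["credential_id"] != cred_id or challenge is None:
            return False
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != EXPECTED_ORIGIN:              # the phishing-resistance check
            return False
        if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo():
    authn, rp = Authenticator(), RelyingParty()
    cred_id, key = authn.register(RP_ID)
    rp.register("alice", cred_id, key)
    results = {}

    # 1. Genuine login from the real origin.
    ch = rp.begin_login("alice")
    results["legitimate_login"] = rp.finish_login(
        "alice", browser_get(authn, cred_id, RP_ID, ch, EXPECTED_ORIGIN))

    # 2. A lookalike page on another domain relays the real challenge: the browser
    #    refuses to let that origin use example.com's credential at all.
    ch = rp.begin_login("alice")
    try:
        browser_get(authn, cred_id, RP_ID, ch, "https://login-example.test")
        results["browser_blocks_lookalike_page"] = False
    except PermissionError:
        results["browser_blocks_lookalike_page"] = True

    # 3. Even if an assertion carrying the wrong origin were produced, the service
    #    checks the origin itself and rejects it.
    assertion = authn.get_assertion(cred_id, RP_ID, ch, "https://login-example.test")
    results["foreign_origin_assertion_accepted"] = rp.finish_login("alice", assertion)
    return results


if __name__ == "__main__":
    print(demo())
```

There is no code for the user to read out or type into the wrong page, and whatever the token signs carries the origin it was signed for, so a lookalike site cannot obtain anything the real service will accept.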

Weaknesses

  1. Can lock yourself out of your account if you lose your device. Because the MFA is tied to your physical hardware token, if your token is lost or stops working, you won't be able to get into your account. You would need to contact the support team for the service you are trying to access to have them turn off MFA on your account. You can have multiple hardware tokens though, which is recommended, to mitigate this risk.
  2. Set up effort. Setting up hardware tokens takes a little more effort than other forms of MFA.

Why doesn't everyone use and support MFA?

Why don't consumers adopt MFA?

Awareness

One big reason why people don't choose to use MFA is simply lack of awareness. That is, people not understanding what it is and the value it brings. One of the goals of this article is to increase awareness around the value and drive adoption.

Usability

As I've outlined above, MFA has some ease-of-use issues, both in terms of set up and ongoing use.

MFA can be difficult to set up, especially if you have never done it before. That initial set up effort creates resistance which can put some people off going ahead with it.

Once you set up MFA, it can create some friction in your log in experience, as you need to pull out your phone (or switch apps if you are already on your phone) to log in. This is one of the problems that biometrics and hardware tokens try to solve, by integrating the MFA into the log in experience to remove that friction.

Why don't businesses offer MFA?

Lack of demand

MFA can be a costly and challenging thing for businesses to implement into their software and websites. There are development costs involved in the initial set up, so the value needs to be there for businesses to make that investment. If customers were demanding MFA, that would help businesses justify the cost of implementation. Unfortunately, that demand doesn't seem to be there.

As I mentioned at the start of this article, only 2.6% of Twitter/X accounts have MFA enabled. So even when the service is offered to customers, people aren't adopting it. If you were running a business, would you choose to invest money in a service that only 2.6% of your customers would use?

No return on investment

A lot of organisations see MFA as a feature that costs them money but offers no return on investment. There are initial development costs to set it up and potential ongoing running costs to support it once it is set up. Often, security features like this are seen as sunken costs that don't bring any value to an organisation so aren't prioritised.

A report from Forrester argues the cost of MFA implementation can provide a 159% return on investment when you consider the value of the security risk that is mitigated by implementing MFA. If organisations have a mindset of treating their risk mitigations as potential cost savings, the attitude towards these sorts of security efforts can shift.

Other options to secure my account

While MFA provides a dramatic improvement to your account security posture, it's not the only thing you can be doing to protect your account. Having strong, random, unique passwords is still important, even with MFA.

A password manager can help you create and maintain strong, random and unique passwords for all your accounts. This makes it harder for someone to get the password for your account in the first place, so MFA is less often your only line of defence, and your account has multiple layers of protection.

You can also monitor your accounts to determine if they have appeared in data breaches. If you know your username and password have appeared in a data breach, you can take steps to change your password for that service and implement MFA, if you haven't already (assuming the service offers MFA). Haveibeenpwned is a free service that allows you to check your accounts to see if they have appeared in known data breaches.

Summary

While having strong, random, unique passwords is a great start to keeping your accounts secure, it often isn't enough. Multi-Factor Authentication provides an additional layer of account security that can reduce the risk of your account being compromised by about 99%.

There are many different methods of setting up MFA on your account. Some are easier to set up or use, some are more secure. Ultimately, having any form of MFA on your account is going to improve your security posture, so it's better to have something rather than nothing. You should try to use the more secure options wherever you can though.

The more people that are using MFA, the more organisations are going to support it and offer it to their customers, so use it wherever you can.

More articles by Nathan Hunter

  • The importance of timely software updates
  • Risk appetite and its impact on cyber security strategy
  • The value of password managers
  • Credential Stuffing - How you can protect yourself