Cory Gehr

An Overview of Multi-Factor Authentication

I was staying at a friend's house for the night when suddenly my phone buzzed. I had received a text with a PIN to log onto my Twitter account. To some this may already sound odd, but for those adept in the world of computer security, it may be expected behavior since I was away from home. So why was this significant?

Because I received the text at 2am when I was just about to fall asleep. Certainly not trying to look at Twitter! How someone managed to get my Twitter password I'll never know. But it's situations like this that make me glad I've adopted multi-factor authentication where possible.

Multi-Factor Authentication (MFA) is verifying one's identity using more than one method, in most cases requiring more than just a password to access a system or website. While passwords are the most common form of authentication, there are actually a few ways to handle access control. The three most common means can be broken down as follows:

  1. Something you know (ex. a password)

  2. Something you have (ex. an ID badge)

  3. Something you are (ex. a fingerprint)

Authentication is a necessary evil. We may not like using passwords but they keep our information safe; they're something only an authorized user should know if they want to access a resource. Some of the other methods in this list may not be as common, but the concept of MFA is nothing new.

Take a debit card for example: to access your funds at an ATM, you need to have an ATM card to tell the machine who is trying to access the account, and know what your PIN is. Without both of these items, you cannot access your account [1].

So, how does this apply to computers?

Due to numerous factors such as an increase in computing power, social engineering, and sheer predictability, passwords alone are no longer a good way to guarantee the safety of your digital identity - they're just too easy to guess or steal. With MFA, you need both your password and something else that isn't as easy to guess or replicate as a password.

In the most basic application of MFA, a site sends the user a text message the moment someone enters the correct username and password combination for their account. This happens even when the user has the correct credentials, and the site won't allow them to finish logging in until they enter the code provided in this text. Thus, the user must be in possession of both their account's password and their cell phone to gain access to the site or service. And while an attacker can easily steal a password, it is much harder for them to also steal the user's cell phone. The true beauty of MFA is that the code you receive is randomly generated and expires after a set duration of time, making it nearly impossible to guess, and thus making it nearly impossible to hijack an account protected with MFA. The only two parties that know this code are you and the service you're accessing. And once the code expires, it can no longer be used to access your account.

In lieu of a text, some sites also allow you to use mobile apps to generate a one-time code. This varies by site as they need to support this capability, but Google Authenticator is one such app that works well for this purpose. Instead of receiving a text message, you open the app when prompted and your code is available.

To sum it up: as long as you remain in possession of whatever device you're receiving your codes on AND if you keep your passwords safe, you're likely doing everything in your power to secure your online identities. It's important to note however that MFA is not a replacement for secure password practices. If someone steals your password you should still change it immediately, and you should never reuse passwords across websites.

There are, of course, some annoying aspects of MFA. For example, the first time you enable MFA on a website you'll be prompted for a code. However, most sites give you the ability to 'trust' a device, meaning you won't need to enter a code each time you log into the site on that particular computer.

Another spot of difficulty comes from third-party applications (apps for something like Facebook that aren't distributed by Facebook itself) that don't directly support using a second means to prove your identity. For more popular services like Facebook and Twitter, you'll receive a separate text message with a one-time password as soon as you log into a third-party tool, and that password can be saved in the tool. In others like Google, you need to create an app password. This can make you go a little out of your way, but as long as you have the app remember the password you entered, you won't have to go through that process again.

Finally: what happens if you lose your phone? This certainly makes things more difficult, but most sites that let you sign up for MFA give you a way back into your account. In some cases, you can have them call another phone number you own or send the code to a trusted email account. Others will provide you with a one-time recovery code that can disable MFA on your account altogether until you recover your phone. I find that this is more secure than sending the code to your email account, as long as you store the code in a safe place; if your email account is also compromised, this renders the secondary form of authentication useless, since an attacker can simply have single-use codes sent to it.

Even with some of these nuisances, the benefits make using MFA worth it. If you're sold on the idea of protecting accounts with more than passwords, check out twofactorauth.org, a site dedicated to informing users which services offer MFA. The site breaks down the means each service provides for retrieving codes and also highlights which popular services don't provide such a function. If you don't see a service you use listed, you're not entirely out of luck: it's possible they still offer it even if they don't appear there.

I encourage you to start using MFA on a few websites you frequent, whether it's your bank's website or Facebook. This gives you a feel for the process before you begin implementing it on every account you own. Someday, when you're in the same situation I was, you'll be glad you did it.

[1] Of course, the security falls apart if you're swiping the card as credit elsewhere, but there is still no direct account access without the PIN. The security feature here is at least being able to contest a charge later if you don't recognize it.