What is MFA and how does it work?
Multi-Factor Authentication (MFA) is a security control that verifies a user’s identity by requiring more than one credential. Rather than asking only for a username and password, MFA also requires an additional credential such as a code from the user’s smartphone, the answer to a security question, a fingerprint, or facial recognition.
Why should I set up MFA and what are the benefits?
Multi-Factor Authentication has become the single most effective control for insulating an organization against remote attacks. When Multi-Factor Authentication is implemented correctly, it can prevent most attackers from easily gaining an initial foothold in your organization, even if credentials become compromised.
What if I lose the phone that I have MFA set up on?
If you set up Multi-Factor Authentication to use your phone for a token, usually a 6- or 8-digit number from an authenticator application, you will be supplied with recovery codes to use when you replace the phone. You enter a recovery code within the authenticator application, and it will recover your token generator so that you can continue using your phone as part of your Multi-Factor Authentication. Be sure to save your recovery codes in a safe place. Depending on the program you are using MFA with, your administrator may also be able to reset this for you.
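The paragraph above describes recovery codes from the user’s side. The following is an added example, not code from the page or from any particular MFA product, showing how a service can issue and honour such codes safely: each code is random, the server keeps only a hash of it (so a database leak does not expose usable codes), and each code is accepted exactly once. The code format (three groups of four characters) and the hashing scheme are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Lower-case letters and digits only, so a code read from paper is not
# mistyped because of upper/lower-case confusion (assumed format).
ALPHABET = string.ascii_lowercase + string.digits


def _normalize(code: str) -> str:
    """Accept codes typed with or without hyphens/spaces and in any case."""
    return code.replace("-", "").replace(" ", "").lower()


def _digest(code: str) -> str:
    """Hash the normalized code; only this digest is stored server-side."""
    return hashlib.sha256(_normalize(code).encode("utf-8")).hexdigest()


def generate_recovery_codes(count: int = 10, groups: int = 3, group_len: int = 4) -> list:
    """Generate `count` random recovery codes such as 'a7k2-9qzd-m3p1'.

    Each code carries groups * group_len characters from a 36-symbol alphabet
    (12 characters here, roughly 62 bits of entropy).
    """
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(groups * group_len))
        codes.append("-".join(raw[i:i + group_len] for i in range(0, len(raw), group_len)))
    return codes


class RecoveryCodeStore:
    """Server-side record of a user's unused recovery codes (hashes only)."""

    def __init__(self, codes):
        self._unused = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, candidate: str) -> bool:
        """Return True and burn the code on first use; False for unknown or reused codes."""
        wanted = _digest(candidate)
        for stored in list(self._unused):
            # Constant-time comparison of the hex digests.
            if hmac.compare_digest(stored, wanted):
                self._unused.discard(stored)
                return True
        return False


if __name__ == "__main__":
    codes = generate_recovery_codes(5)
    print("Give these to the user once, e.g. for printing:", codes)
    store = RecoveryCodeStore(codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("second use rejected:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The user is shown the plain codes once at enrolment; afterwards the service can only recognise them, not reproduce them, which is why a lost sheet of codes means generating a fresh set rather than looking the old ones up.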
Authenticator vs. SMS
SMS Pros & Cons
- No smartphone needed! With SMS authentication, you simply receive an SMS text message to your mobile phone. As long as that phone can receive SMS text messages it will work!
- Easy! No downloading an app, or scanning QR Codes, etc. It is a great option for those who aren’t as tech savvy.
- SMS text messaging has been around a long time (the first SMS message was sent in 1992). This means that attackers and fraudsters have had many years to find ways to intercept or redirect it.
- SMS recovery is very limited. Most companies can only recover SMS authentication via email. This means that if you forget your email password, you will not be able to recover your SMS authentication. Or worse, if your email account is compromised, an attacker could easily run the recovery process and redirect the SMS authentication to another phone number.
Authenticator Pros & Cons
- Authentication codes are tied to the application, not to your phone number. This means that attacks on the phone number, such as SMS hijacking or SIM swapping, do not give an attacker access to your authenticator.
- Authenticators work even if you have no mobile coverage.
- Authenticator apps depend on a shared secret that both the app and the server need to store. This is known as a “seed” and is combined with the current time to generate the 2FA code. If an attacker were to obtain this seed (very unlikely), they could generate your token codes indefinitely.
- By comparison, SMS codes are just random values sent by the server, so there is no “seed” from which a crook could predict the next one in the sequence.
- Authenticator apps require a smartphone. The world is more mobile and on-the-go than ever, so you most likely also access some of your software on that same smart device (a smartphone or tablet, for example).
- For example, if you set up an authenticator app to add security to your Microsoft 365 account and also use Outlook on that same smart device, you are creating what is known as a common point of compromise.