MFA – The Shield You Can Wield
Multi Factor Authentication is one of the most effective security controls you can turn on, and it usually costs nothing. You should use it everywhere you can in your business and personal life. It stops most attacks that rely on a stolen or guessed password, and it will let you sleep at night.
What is MFA?
MFA stands for Multi Factor Authentication. That is its most common name, and the one I’ll use for the purposes of this blog, but it goes by several others. 2FA (Two Factor Authentication) is the same idea limited to exactly two factors. Google calls it 2-Step Verification. You will also see One Time Password (OTP) and Time-based One Time Password (TOTP); strictly speaking those name the second factor itself, the short code that is good only once or only for a short time, rather than the whole scheme.
The premise is that you have more than one way to prove you are who you say you are online. The first way is your username and password, which can be guessed, stolen in a data breach, or phished from you. The second factor is something you have rather than something you know, and for most people that means your cell phone, which proves possession with a code that expires quickly.
The most common example is carried out via a text message. You sign into a given online application on a new or different computer with your username and password, and a little window pops up that says, “enter the number that we texted you.” You look at your cell phone, read the 6 digit number, enter it into the window, and then you gain access to the application.
Authenticator Apps
Every form of additional verification is better than not having it at all, but some implementations are better than others.
The best way accessible to everyday humans is an authenticator app on your cell phone. There are several, but the most common are Microsoft Authenticator and Google Authenticator. Each was first built to authenticate Microsoft 365 and G Suite (now Google Workspace) respectively; today each can authenticate many third-party applications using the same open standard, and each has proprietary features for its own services.
How Authenticator Apps Work
When you first establish an account, the account provider asks you for a username and password. When you add the MFA security feature, a dialogue pops up with a QR code that you scan with the authenticator app. The QR code contains a secret shared between the service and your phone; from that secret and the current time, the app computes a 6 digit code that changes every 30 seconds, and the service computes the same code on its side. The MFA dialogue asks you to enter the code once to prove the app was set up correctly. After that the account is configured with MFA, and whenever you log in to the account anew it will ask for the current 6 digit code.
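As an added example, not code from this blog or from Microsoft or Google, here is the whole authenticator-app flow in Python: what the QR code carries, how the phone recovers the secret, how both sides compute the code (the HOTP and TOTP algorithms from RFC 4226 and RFC 6238), and how a server should check it. The 20-byte secret is the published RFC test key, and the issuer “Pluto Micro” and account alice@example.com are constructed for the demonstration.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch.
    This is what the phone app shows; the server computes the same value."""
    return hotp(secret, unix_time // step, digits, algorithm)


def make_otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """The text inside the enrollment QR code: the shared secret, base32-encoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def parse_otpauth_uri(uri: str) -> dict:
    """What the app does after scanning: recover the secret and its parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper()
    b32 += "=" * (-len(b32) % 8)          # restore padding stripped for the QR code
    return {"secret": base64.b32decode(b32),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30)),
            "algorithm": q.get("algorithm", "SHA1").lower()}


def verify_totp(secret: bytes, submitted: str, unix_time: int, *, last_used_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6, algorithm: str = "sha1"):
    """Server-side check. Returns the matching time-step counter, or None.
    - window=1 also accepts the previous and next step, tolerating small clock skew;
    - counters at or below last_used_counter are refused, so a code the attacker saw
      cannot be replayed inside its 30-second window (the caller stores the returned counter);
    - compare_digest keeps the comparison constant-time."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c < 0 or c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), submitted):
            return c
    return None


if __name__ == "__main__":
    # Enrollment with the RFC test key; a real service would use secrets.token_bytes(20).
    secret = b"12345678901234567890"
    uri = make_otpauth_uri("Pluto Micro", "alice@example.com", secret)   # constructed names
    phone_side = parse_otpauth_uri(uri)
    now = int(time.time())
    code = totp(phone_side["secret"], now)
    print("QR payload:", uri)
    print("code shown on phone:", code, "accepted at step", verify_totp(secret, code, now))
```

The one thing to notice is that nothing travels between the phone and the service at login time except the six digits you type: the secret was exchanged once, through the QR code, and the clock does the rest.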
Why Authenticator Apps are the Best
The authenticator app is the best of these options because the secret never leaves your phone and no code is sent to you over a network, so there is nothing for an attacker to intercept, unlike a text or an email. It is also the fastest, and it works even without cellular service, because the code is computed from the time and the secret rather than delivered. It is not magic, though: if you type the code into a fake login page, the attacker can relay it to the real site within the 30-second window, so check the address bar before entering a code. Of all the authenticator apps, Microsoft Authenticator has the most features.
Authenticator App Gotchas
If you lose your phone, you are going to have a hard time getting access to your accounts; you’ll probably have to contact various helpdesks to get all your security reset. To avoid this, back up your authenticator app (both Microsoft Authenticator and Google Authenticator can back up or sync your accounts), and save the one-time recovery codes most services offer when you enroll somewhere other than on the phone.
The other gotcha is having poor security on the phone itself. If, for example, you have an easy passcode or no passcode, a stolen phone will reveal your MFA codes, and probably much more, to the bad guys. Make sure you have a passcode on your phone, and turn on the fingerprint or face unlock option inside the authenticator app itself so the app requires a second unlock.
Text MFA
Many online applications, including Microsoft 365 and Google Workspace, allow for text-based MFA. This is okay and far better than a password alone, with the caveats below.
How Text MFA Works
When you first establish an account, the account provider asks you for a username and password. When you add the MFA security feature, a dialogue pops up and asks for your cell phone number. You then receive a text with a 4 to 8 digit code, and the MFA dialogue asks you to enter it. Once entered, the account is configured with MFA, and when you log in to the account anew you will receive a text with a fresh code. Unlike an authenticator app code, this one is generated randomly by the service, expires after a few minutes, and can be used only once.
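As an added example, not code from this blog or from any provider it names, here is the server side of the text (or email) code flow in Python. It shows what a service has to do that the phone-app flow does not: draw a random code, remember it safely until it is used, expire it, allow it once, and stop guessing. The user name alice and the fake clock are constructed for the demonstration; the sending of the text itself is left to whatever SMS gateway the service uses.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a delivered code should die quickly; five minutes is typical
MAX_ATTEMPTS = 5            # a 6-digit code has only a million values, so cap guessing


class OneTimeCodeStore:
    """Server-side state for codes delivered by text or email.

    Unlike an authenticator app, nothing here is derived from the clock: the server
    draws a random code, sends it, and remembers a keyed hash of it. The HMAC key
    stays on the server, so a leaked table of pending codes is useless without it.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # in production: from a KMS or secret store
        self._pending = {}                    # user -> {"tag", "expires_at", "attempts"}

    def _tag(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), "sha256").digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user` and return it for the SMS/email sender. Never log it."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {"tag": self._tag(code),
                               "expires_at": self._clock() + CODE_TTL_SECONDS,
                               "attempts": 0}
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Accept a submitted code once, within its lifetime, within the attempt budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]           # expired or locked: the user must request a new code
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(self._tag(submitted), entry["tag"])
        if ok:
            del self._pending[user]           # single use
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")               # constructed user
    print("text this to alice's phone:", code)
    print("first use accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

The expiry and the attempt cap are what make a short numeric code tolerable: without them, six digits can be guessed in about a million tries, and a code read off a locked phone’s notification stays good indefinitely.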
Why Text MFA is Good
Text MFA is the easiest because no special app is required, and it is usually fast.
Text Gotchas
If you don’t have a signal, text MFA doesn’t work because you can’t receive text messages. Although it is rare, your phone number can be hijacked: in a SIM swap, an attacker talks your carrier into moving your number to a SIM they control, and from then on your text messages, including your MFA codes, go to the bad guys. Also, on a stolen phone, text messages can appear as previews on the lock screen, so even without the phone’s passcode the bad guys can see private and secure information; turn off lock-screen previews for your messaging app.
Email MFA
While better than nothing, email MFA is the least recommended. A service using this feature likely doesn’t have the capability of using app-based or text-based MFA. It is often enabled automatically, or simply by checking a box, since your email address is likely already part of the account credential.
Email Gotchas
Email hacking is commonplace, so if your password resets and MFA codes are going to a hacked mailbox, you are screwed: whoever holds your email holds every account that trusts it. If your email provider does not offer encrypted connections and MFA, get a new email provider. I would not recommend any email service aside from Microsoft and Google for business; those are also great for personal use, with the addition of Apple. Do not use an email account that is not protected by MFA. Do not use email as the MFA method for other accounts unless it is the only option.
Conclusion
Multi Factor Authentication is a great way to keep your business and personal information safe on the internet. Use it wherever you can. If you aren’t using it to protect your email, you should be. Pluto Micro is here to help; if you are a customer, send an email to service@plutomicro.com to get started. If you aren’t a customer check out our Services and click Let’s Do I.T. anywhere on this site.