Multi-factor authentication, or MFA, has a bit of a bad rap – at least it seems to.
As we talk with clients and potential clients about cybersecurity, MFA is always discussed – but few have actually implemented it. “It’s too inconvenient,” is one thing we’ve heard. “It’s too much work” is another. And of course, there’s the ever-popular “We’re not big enough for anyone to attack us” comment that we hear all the time (and in fact the opposite is true, as we’ve discussed in prior posts).
If you do an internet search on “what is multi-factor authentication,” the results you get DO make it sound like it’s going to be inconvenient and a lot of work and a royal you-know-what. But that’s not the case at all. Let’s dig in to the truth about MFA.
First off, let’s make clear that MFA can cost you nothing to implement. It’s a feature provided at no charge by just about every online service you can imagine, from your bank, to your email, to your social media accounts, credit card accounts, and into the corporate world with accounting systems, HR systems, and more.
You’ve probably used it already. The last time you got a new phone and tried to login to your Amazon account, Amazon sent you a code, and likely asked if you wanted it texted (to the number it had on file for you) or emailed to the email address associated with your Amazon account. The code was sent; you plugged it into the Amazon screen, and you were in. You also likely got an email saying “Amazon login from new device” or something similar.
That was MFA in action – and then you likely forgot all about it because you don’t have to have a code sent every time you login to Amazon (or your bank, or your HR system, or whatever).
That’s one of the big misconceptions of MFA. People think that they’ll need to go through the “send me a code” process every time they login – and that is simply not correct.
Certain situations trigger MFA, including:
- A new device logs in to one of your accounts – could be your email, banking app, HR application, accounting, shopping, anything where you’ve got a username and password and MFA turned on.
- This could be a brand new device – like when you get a new laptop or a new phone
- It could also be a current device that hasn’t logged into that particular application for a while
- And it could be a current device where you cleared out your cache recently (cleared cookies and browsing history)
- You try to login to one of your applications from a new geographic location, different from your normal location – if you’re traveling, for example.
- If you try to login to a corporate application from a non-corporate system, or from outside the corporate network. This is typically detected by IP address, and anonymous network users (including those using VPNs) would not be able to get through without satisfying MFA.
MFA has been around for a long time, but it hasn’t been called “MFA” until recent years. One factor has always been the password – and those a tricky for a lot of reasons (see our blog post and the eye-opening Hive graphic for more on that). A second authentication factor has been security questions. “What was the name of your first pet,” or “What’s your mother’s maiden name” and so on. Some services evolved to using a PIN for access – though those are most frequently used when you’re trying to verbally engage (call) customer service about a secure account.
Nowadays, MFA can be handled in a variety of ways.
The simplest implementation is the “send me a code” system. When you trigger MFA, it does as we described above in the Amazon example – sends a code to your cell phone or your email, which you then type in to be allowed access.
However, instead of “send me a code” you might have the opportunity to use biometrics – like your fingerprint (place your index finger on your phone screen) or a facial or retina scan. You could also have a USB device that creates an “instant code” that must be used immediately. And it won’t be too many more years until your voice print could be your standard means of authentication.
But again, no matter what method of MFA you’re using, for most applications, you won’t have to do it every time you login.
So… MFA can be free. It’s available. It’s convenient. It’s easy. And it only happens when something new or unusual is detected with your normal login.
That’s exactly the kind of security you want, don’t you think?