Multi-Factor Authentication, what is it and why do I need it?

Multi-factor authentication is the latest step in securing your online presence.  It has become available for you to secure your online bank accounts, social media accounts, emails, and various other services.  Let's have a quick look at what exactly this mysterious Multi-Factor Authentication (MFA), also referred to as 2-factor authentication (2FA), is.

For many decades online accounts were protected by a username and a password.  Over the years complex passwords became required, and eventually even this was not enough to ensure proper security.  Many people would use simple passwords, or easy-to-guess passwords based on the person's environment (kids' names, pets' names, dates of birth, house numbers, street names, etc.); combine this with more and more powerful computers, and what was secure 5 years ago is easily hacked nowadays.  This is where MFA comes in.  It plays a crucial role in gaining access to your account.  Remember this phrase “What I know and what I have”; it is the basis of MFA.

What you know … that's your password.  However, someone else might also know it … might have guessed it, or even saw the copy of the password you wrote down somewhere for safe-keeping.

What you have … that's your MFA token.  This is an ever-changing token (usually about 6 digits) that is re-calculated every 30 seconds.  Each token is only “alive” for 30 seconds; after that it is garbage and completely useless.  When you log in, the second step (the “2” in 2FA) is the request to enter the currently valid token.  Where do you get this token if it changes every 30 seconds?  When you set up your account with MFA or 2FA, you would normally enter a seed in your authentication app (we'll come to the apps to use in a little bit), and based on that seed your app will generate this token every 30 seconds.  The servers you are connected to will also know the seed, and they will also calculate the token every 30 seconds.  Since the token is generated on your phone, you need to have your phone with you to be able to log in.  (The app does not need internet access to generate the token, but if you are signing in to your email or online banking … you are already online.)

If the token you enter matches the currently valid token that the server knows of, you can log in; otherwise the login will fail.  MFA can go even further, depending on the level of security required, and add biometric authentication or other methods, but for most of us the two factors are enough.
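To make the seed-and-30-seconds mechanism concrete, here is an added example (not code from the original article) of how such a token is derived and checked, following the TOTP algorithm in RFC 6238 with HMAC-SHA1.  The seed is the RFC's published test secret, base32-encoded the way an authenticator app would accept it; the function names and the one-step verification window are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # how long each token stays "alive"
DIGITS = 6          # length of the token shown in the app

# Constructed demo seed: the RFC 6238 test secret, base32-encoded as an
# authenticator app would receive it when you set up the account.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def seed_from_base32(seed_b32: str) -> bytes:
    """Decode the seed typed/scanned into the app into raw key bytes."""
    padded = seed_b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)   # restore any stripped padding
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is simply the number of 30 s steps since epoch."""
    return hotp(secret, int(at_time) // step)


def verify(secret: bytes, candidate: str, at_time: float, window: int = 1) -> bool:
    """Server-side check: accept the current step plus +/- `window` steps
    to tolerate clock drift between phone and server. Constant-time compare."""
    candidate = candidate.strip()
    if not (candidate.isdigit() and len(candidate) == DIGITS):
        return False
    counter = int(at_time) // STEP_SECONDS
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + drift), candidate)
    return ok


if __name__ == "__main__":
    key = seed_from_base32(DEMO_SEED_B32)
    print("seed the app would store:", DEMO_SEED_B32)
    print("token right now:", totp(key, time.time()))
```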

What if someone guesses my password?

If you have MFA already enabled, the hacker will need access to your phone as well to get the currently valid token … if they are sitting somewhere else in the world, the likelihood of them getting access to your phone is nil.  Your account is thus secure.  What if it's someone in my community who can access my phone when I put it down on the table?  You need to secure your phone as well.  Add a PIN, a fingerprint, or a password to your phone too.  It might be a bit cumbersome for you momentarily, but think of the headache you have avoided by knowing that your online social media, your emails, your bank accounts, and whatever else is protected with MFA is secure as well.

How can I get the current token?

You can have the seed value entered in an app on your smartphone.  There are two that are recommended and easily available for Android or Apple devices.

Google Authenticator (Android): https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

Google Authenticator (Apple): https://apps.apple.com/us/app/google-authenticator/id388497605

Microsoft Authenticator (Android): https://play.google.com/store/apps/details?id=com.azure.authenticator

Microsoft Authenticator (Apple): https://apps.apple.com/us/app/microsoft-authenticator/id983156458

If you don't have a smartphone, you can still get the benefits of MFA/2FA via SMS or email, although both the SMS and email methods are considered less secure than the app.