Multi-factor authentication (MFA): Why should you use it?

A MNIT security expert answers common questions about MFA

3/19/2025 12:45:08 PM

4 basics of cybersecurity with an icon for each basic: use multi-factor authentication, use strong passwords, recognize and report phishing, and update your software.

By Blake Russell, Information Security Analyst, MNIT

What is MFA?

Multi-factor authentication (MFA), also known as two-step verification or two-factor authentication, provides extra security for each of your online accounts and apps. It’s a simple way to protect valuable information. 

For example, when you withdraw money from an ATM, you use MFA as you:

  • Insert your debit/credit card – something you have.
  • Enter your personal identification number (PIN) – something you know.

Together, these two factors prove it's you and stop criminals who only have your card.

MFA is a way to protect your accounts from unauthorized access. It requires at least two different steps to confirm your identity. This reduces the likelihood that an unauthorized user (like a cyber criminal) can access your personal data, such as health records, credit card numbers, and financial information.

Why is MFA important?

Technology helps us connect to others, access information faster, and take care of business online. But cyber criminals leverage that same innovation to create increasingly sophisticated ways of stealing information. 

Passwords are especially vulnerable. Criminals can use password-guessing software or social engineering attacks to trick users into revealing their credentials through email or phone scams. 

According to an Aldridge report, the number of cybercrime complaints rose by over 300% in 2021. The majority of the rise was due to phishing scams and extortion – primarily through ransomware. 

MFA keeps your accounts and sensitive data protected – even if a criminal obtains your password – because access still requires a second or third form of authentication. 

How does MFA work?

Illustration of a phone protected by different types of authentications like a face scan, a fingerprint, and an eye scan.

MFA works on the principle that you must present two or more types of authentication methods to verify your identity before you can access your online accounts, applications, or virtual private networks (VPN). For these methods to provide the best protection, each must fall into a separate category of authentication. 

The authentication categories of MFA include:

Something you know

This may be a password, passphrase, answer to a security question, or personal identification number (PIN).

Something you have

This may be a hardware token (key fob), mobile token (authenticator app), or a code sent by text or email.

Something you are

These are biometric factors such as fingerprints and facial recognition.

Somewhere you are

Although not as common, access can be limited to certain geographic areas.

Consider these examples:

  • User A protects their online bank account with a password, followed up with a security question. Is this considered MFA? No. Both the password and security question fall under the same category of “something you know” and therefore do not provide adequate protection. User A should research whether their bank provides an MFA option on top of a security question.
  • User B, on the other hand, protects their work email with a password (something you know) and an authenticator app (something you have). The principles of MFA are being applied because User B has two authentication methods from separate categories. 

Pros, cons, and the future of MFA

The biggest benefit of MFA is the added layer of protection against unauthorized access. Each authentication category can compensate for the limitations of the others. The significant increase in remote work has placed more companies and employees in the crosshairs of cyber criminals, but MFA is a relatively simple addition that can dramatically reduce the number of successful attacks. 

MFA is not without its drawbacks. Sometimes people don’t like having physical tokens that can be forgotten, lost, or stolen. But the potential downsides of MFA are greatly outweighed by the benefits it provides. As more organizations work to strike a balance between employee productivity and security—especially in hybrid workplace environments—expect to see greater acceptance and more routine integration of MFA solutions going forward.
