MFA or 2FA is an additional layer of online security that happens afer you’ve entered your username and password to a site or service.
Why is it a good idea?
Online account details are leaked almost every day, certainly every week. That can happen because we’ve been loose with our own personal data or because one of the companies we trust has let us down by not guarding our details as well as they should.
If someone gets hold of our username and password, unless we knew that our details had been shared, once upon a time we would have had no idea that other people had access to our accounts until something happened – either money was taken, strange social media posts appeared or emails we’ve never written were seemingly sent from our account.
More and more companies now, though, are trying to help by adding in an optional layer of security, called 2-Factor Authentication or Multi-Factor Authentication.
This adds another “thing” (factor) that anyone, you included, needs to know and enter while logging-in, in order to get access to your account.
The theory goes that if someone comes across your username and password online somehow, and they try to log-in to your account using those details, if you have MFA switched on, they won’t be able to.
At its most basic level, MFA involves the site you’re trying to log-into sending you a SMS message. It assumes that if you respond with the number they have just texted to the phone you registered with them, the person logging-on must be you.
That will indeed be true the vast majority of the time, but as we saw from the recent SIM-swapping attack on Jack Dorsey, the CEO of Twitter, it’s not foolproof.
Far better that you opt for the alternative, if a little more-involved to set-up MFA method of downloading an authenticator app to your phone.
As in the image above, once you’ve set-up your accounts to use MFA via an app, whether you have cellphone coverage or not, your authenticator app will generate a unique 6-digit code every 30 seconds that is synced with the service you’re trying to log into.
Now someone would have to have your actual cellphone in their hand to know what that code was – they couldn’t just sit remotely and see that number via SMS, for example. It is a significantly more secure way of completing your authenticated log-in.
The thing is, while it probably takes about 5 minutes to set-up each of your accounts with MFA to start with, once it’s done, it’s done.
From that point on, all you have to do is to open your phone and type in the code it shows you into the account log-in screen after your username and password.
As a bonus, and not that we would ever recommend this, MFA also provides a good back-stop should you be a bit, er, “lazy” with your passwords and re-use the same one(s) over and over.
For the toughest log-in security though, you would be best off by creating unique, strong passwords for each account AND employing MFA wherever it’s offered. You’re making your life much more secure by making it virtually impossible for a criminal to crack into your account by brute force alone.