
CATEGORY: Data Protection

Multi-factor Authentication (MFA): What is it and why do you need it?


Traditional usernames and passwords can be easily compromised. Multi-factor authentication (MFA) is a security control that requires users to verify their identity by providing multiple pieces of evidence before gaining access to a device or application. It is an enhancement over two-factor authentication (2FA), which requires only two pieces of evidence; this is the only difference between the two. A few examples of authentication factors are codes created by authenticator apps on mobile devices, answers to personal security questions, codes sent to an email address or by SMS to a phone, fingerprints, etc.

And why is it important?

According to Entrepreneur, 90 percent of employee passwords can be cracked in six hours, and 65% of people use the same password in multiple places.

On the other hand, Microsoft manager Alex Weinert stated in a 2019 blog post that, “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

What are the possible authentication factors?

  • Something that you know – This could be a password, a PIN code or the answer to a secret question

  • Something that you have – This is always related to a physical device, such as a mobile phone, a USB security key (YubiKey), a security code generator, etc.

  • Something that you are – This is a biological factor, such as face or voice recognition, a fingerprint scanner, DNA, handwriting or a retina scan

  • Time and location factors – These are based on when and from where you log in. For example, an attempt to log into an account from an unauthorised country can be blocked, or access can be restricted to certain times.

Most common forms of 2FA

  • A one-time password that you receive as a text message (SMS) on your mobile phone

  • A security code generator device, which generates a specific code at a specific time – usually used together with your username and password for Internet banking

  • A security code generator mobile app, which generates a time-sensitive code

Here are a few examples of security code generating mobile apps:

These apps use the Time-Based One-Time Password (TOTP) algorithm. They generate a time-sensitive six-digit code, which you use to verify your login. The code typically refreshes every 30-60 seconds.

The latest advice from Microsoft is NOT to use MFA with SMS or Voice

Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped.

Sending codes over the insecure public telephone network isn't the way to go

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752


Take a look at our help article to set up 2FA on your e-shot account.
