Two-factor authentication (2FA) or multi-factor authentication (MFA) is something that pretty much everyone in the IT security industry agrees is the single most important technology you can adopt to increase the security of your data. But why? What is it? Do you really need it? Let’s go over the details and then you decide for yourself.
Firstly, what is MFA? You can think of it as an additional way for the system you’re interacting with to confirm you are who you say you are. There are a multitude of ways this can be implemented, some more secure than others, but fundamentally it usually boils down to a password (something you know) and then something else that you possess.
A practical example would be when you go to an ATM. You have a PIN code or password for your account (something you know) and you also have a physical card (something you possess), both of which are required for you to use the ATM. If you don’t have both available when you try to use the ATM, it’s not going to work.
In the case of your computer accounts, you typically will have a username and password only. That means that anyone who wants to access your account only needs to know your username and password, no additional verification required!
How secure do you think your password is? I bet you probably think it is pretty secure, but why not check for yourself? Security.org has an excellent tester that demonstrates how weak your current password likely is; check it out here: https://www.security.org/how-secure-is-my-password/ . Go ahead, I’ll wait.
Shocking, isn’t it?
So, as you can see, passwords alone are simply not enough. This is where MFA can really help. Using the ATM example from above, imagine you also had a physical card you needed to insert into the computer after entering your password each time. Suddenly the complexity and security of your password has some backup! Someone may be able to hack your password, but without that physical card, they’re not getting in. There is still the risk, however, that your card gets stolen or inadvertently copied… Now what? Well, what if your card changed every 30 seconds to a new card? Then, even if it was stolen, it would only be valid for a few seconds anyway. Unfortunately, this is still impractical: you would need a mechanism to constantly receive and dispose of access cards, and any computer you use would also need to be equipped with a card reader…
Alright, it’s time for us to throw away the ATM card analogy and talk about what MFA actually is from an end user standpoint today.
Instead of a card, you have a small app on your phone which generates a code for each system you have MFA set up on. This code changes every 30 seconds and must be entered after your usual username and password every time you log in. Because you are the only one in possession of your phone, you now have all the components needed for a secure MFA setup. The only way someone is going to access your account is if they know your password AND have access to your phone at the same time!
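To make the "code that changes every 30 seconds" concrete, here is an added example (not part of the original post) of how such an authenticator app and the server it logs into both compute the same code from a shared secret and the current 30-second time step, following RFC 6238 TOTP. The secret below is the RFC 6238 test-vector value, used here as a constructed example; a real app receives a unique secret per account when you scan the enrolment QR code.

```python
import hmac
import hashlib
import struct
import time

# Shared secret provisioned at enrolment (constructed example: RFC 6238 test vector).
SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # each code is valid for one 30-second window
DIGITS = 6          # the usual six-digit code shown by the app


def time_step(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Return which 30-second window the given time falls into (the T value in RFC 6238)."""
    return unix_time // step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """What the phone app displays: HOTP with the current time step as the counter."""
    return hotp(secret, time_step(unix_time))


def verify(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the code for the current window plus skew_steps
    neighbours on either side (tolerates small clock drift between phone and server),
    and compares in constant time so timing does not leak how many digits matched."""
    current = time_step(unix_time)
    return any(
        hmac.compare_digest(hotp(secret, current + d), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("code shown on phone now:", code)
    print("accepted now:", verify(SECRET, code, now))
    # A stolen code stops working once the server is two windows past it.
    print("accepted 60+ seconds later:", verify(SECRET, code, now + 2 * STEP_SECONDS + 1))
```

Note that the skew window is what bounds how long a captured code stays usable: with `skew_steps=1` a code is accepted for at most about 90 seconds, so a server that widens it is trading away exactly the property the article relies on.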
Admittedly it is a slight inconvenience, as it is an extra step every time you log in, and if you lose your phone or forget it at home, then you’re kind of stuck between a rock and a hard place. But the alternative of risking someone gaining access to your data is far, far worse.
So, do you really need MFA? Yes. Absolutely. On everything.