Multi-Factor Authentication (MFA) is the security feature where a website or system asks you for two or more different types of proof (factors) that you are who you say you are before it lets you in. The three big factors systems usually choose from are:
- Something you know (e.g. password)
- Something you have (e.g. smartphone, RSA token, hardware security key)
- Something you are (e.g. biometrics, like Apple Face ID or a fingerprint scan)
MFA is one of the most effective security defenses available. It is neither expensive nor complex, but it makes breaking in much harder, because a password alone is no longer enough: attackers can't just guess lots of passwords, and they can't reuse one of your passwords that leaked when a different site was breached.
Two tips about MFA:
- Use an MFA application when you can, instead of text messages, because of the threat of a SIM swap attack. A SIM swap is when someone calls your cell phone company, pretends to be you, and gets a replacement SIM card, so they can take over your phone number. The danger is that they can then intercept your SMS-based MFA codes and log into systems like your bank account. (SMS MFA is still far better than no MFA at all; the point is to prefer an app wherever the site offers one.)
- Here's an example of a group of 10 hackers stealing $100 million using SIM swap attacks.
- Here's a powerful two-minute clip showing how social engineering, like a SIM swap, can happen: Hack Attack – Vishing – YouTube
- Consider using Authy instead of Google Authenticator. Authy works anywhere a website offers to use Google Authenticator (both generate the same standard time-based codes from a shared secret), it is free, and it offers a few advantages: (1) you can put the Authy app, with your MFA tokens, on multiple mobile devices if you want; (2) you can back up your MFA tokens in the cloud (in case you lose your phone); and (3) you can disable adding more devices to your account from within the app. For example, if you put Authy on your phone and your tablet, you can lock the account so that no more devices can be added. Then, if you lose your phone, you can buy a new one and add Authy to it by enabling new devices from the tablet's Authy app for a few minutes while you add it, and then re-block new devices: secure, and still convenient. One caveat: the cloud backup is encrypted with a backup password you choose, and anyone who gets that password plus your backup gets all your tokens, so make it strong and unique.
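Both tips above come down to one mechanism: an authenticator app is interchangeable with Google Authenticator (and is immune to SIM swapping) because the codes are not sent to you at all. The site and the app share one secret when you scan the QR code, and each side independently computes HMAC(secret, current 30-second time step), as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP). The example below is added here to show that computation; it is not code from the original post, from Authy, or from Google, and it uses the reference secret from the RFCs (the ASCII string "12345678901234567890") rather than any real key. The `verify_totp` helper and its clock-drift window are my illustration of what a server does with the submitted code.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation, added as an example.

Shows why any authenticator app works with any site that offers "Google
Authenticator": both sides hold the same secret and compute HMAC over the
current time step. Nothing is transmitted that a SIM swap could intercept.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC the 8-byte big-endian counter, dynamically truncate, keep N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                         # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # zfill keeps leading zeros, e.g. "07081804"


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step); 30-second steps are the norm."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check (illustrative): accept the current step plus `window`
    steps on either side to tolerate phone clock drift, comparing in constant
    time. A production server must also remember the last accepted step and
    refuse a code that has already been used once."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # no early return: check every candidate so timing does not leak which one matched
        ok |= hmac.compare_digest(hotp(secret, c, digits), submitted)
    return ok


def secret_from_base32(b32: str) -> bytes:
    """Apps receive the secret as unpadded base32 inside an otpauth:// URI / QR code;
    restore the '=' padding base64.b32decode expects."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


# Reference secret from RFC 4226 / RFC 6238 test vectors, not a real key.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(RFC_SECRET, 0))                      # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))   # 94287082 per RFC 6238
    # Constructed base32 secret, as it would appear in a QR code:
    print("TOTP right now:", totp(secret_from_base32("JBSWY3DPEHPK3PXP")))
    print("Server accepts current code:",
          verify_totp(RFC_SECRET, totp(RFC_SECRET)))
```

The thing worth noticing is that the whole scheme rests on the secret bytes. That is exactly what Authy's cloud backup stores and what the "multiple devices" feature copies, which is why the backup password and the device-lock setting matter: anyone holding the secret can run `totp()` just as well as your phone can.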