So what is Multi-Factor Authentication anyway?

You might have noticed that I write a lot about computer security and invariably when I talk about security I also talk about MFA (Multi-Factor Authentication).  In this article I’m going to show you what MFA is and how you can use it to protect your own digital identity but first I want to preface this advice with an observation.

It seems to me that I hear about a new data breach either within our own customer base or from industry peers about once a week and whenever I take a look under the hood I find that in almost every single case, if MFA had been in use that breach would not have occurred.  Although MFA is not a cure-all it is extremely effective at preventing unauthorised access to your data so why wouldn’t you use it?

Multi-Factor Authentication is really just an additional layer in the process of identifying someone, a bit like having two different keys to unlock your front door.  Before MFA was common computer users would identify themselves with a user name and a password and often the user name was (and still is) automatically entered so all the operator has to do is type their password.  In this context a user name and password are two bits of information that a computer operator KNOWS.  MFA adds a third bit of information but this time it is information that the operator HAS.

Early incarnations of MFA used a battery powered device called a token which displayed a 6-digit number that changed every 60 seconds.  While the number appears random and unpredictable that’s not quite true, the 6-digit number is generated using a random number seed, a highly accurate real-time clock and a very complicated math formula; the computer on the other end that you are identifying yourself to also knows about this random number seed and is capable of generating the same 6-digit number as your MFA token at the same moment in time.

If it sounds complicated that’s because it is but it all boils down to this – it is extraordinarily difficult for anyone or any computer to guess the correct 6-digit code other than the computer you are trying to authenticate with and this is what makes MFA so powerful and such a useful security tool.

The days of carrying around a hardware token for MFA have all but disappeared but the methods they employed are still more or less exactly the same today.  Instead of reading a 6-digit code from a hardware token you get it from an app installed on your smartphone or you have it sent to you in a text message, some systems even allow you to have a computer call you on a landline or mobile and read out the MFA code.

When an account is protected by MFA it is protected by information that you simultaneously KNOW (your password) and information that you HAVE (your MFA code).

You can use MFA for all sorts of things like online banking, email services and just about anything else that requires a user name and password.

Although it is slowly changing MFA is still not mandatory for most online services however the bulk of these service do have an MFA option and I strongly encourage you to set it up for all of your online services.

Setup is usually very quick and easy, in most cases it takes only a few minutes, it costs you nothing and gives you the confidence that your accounts are well protected.