Passwords are everywhere and offer a simple solution to restrict access to accounts. However, passwords alone are no longer considered enough to keep attackers at bay. This is largely due to the shortcuts we're tempted to take.
The problem with passwords
The vulnerability of our passwords is best summarised as follows:
- We’re expected to use them for most of the services we access online
- They create annoying friction as we transact
- We know we shouldn’t pick weak passwords or reuse them, but to ease the friction, we do so anyway
Cyber criminals know that our password game is weak, making their efforts to gain access to our accounts easy. When a password is short, easily guessed or popular (for example, ‘password’ or ‘12345’), an account is vulnerable to basic password attacks, such as brute force or spray attacks. The former is the practice of entering all possible password combinations for a single username until the correct one is found, while the latter is trying a common password against many usernames.
Reused passwords are equally problematic. With a treasure trove of credentials flooding the internet as data breaches continue to hit the headlines, the breach of just one service can leave the door ajar for any others protected by the same password.
This is why multi-factor authentication (MFA), when implemented correctly, can be an effective backstop to prevent someone armed with your password from getting access to your network or accounts.
What is MFA?
There are three things, or ‘factors’, you can use to authenticate yourself to a service:
- Something you have (for example a smartcard, key or certificate)
- Something you know (for example a password, PIN, or answer to a secret question)
- Something you are (for example fingerprint or facial recognition)
When a combination of two or more of these factors is used to access a service, it’s considered multi-factor authentication, or MFA. MFA reduces the risk of unauthorised account access because even if an attacker has one factor – like a password – they can’t complete the authentication process without the second factor.
One of the most common everyday examples of MFA is your banking – to withdraw money from an ATM, you need to present something you have (your bankcard) in combination with something you know (your Personal Identification Number or PIN). There are many other everyday examples of MFA that you probably already use without realising.
The most common MFA implementations generally involve the use of a password and one of these:
- Universal 2nd Factor (U2F) security keys
- Physical one-time PIN (OTP) tokens
- Biometrics, such as your thumbprint of face scan
- Mobile apps
- Short Message Service (SMS) messages, emails or voice calls
- Software certificates
It's important to note that, although sometimes used interchangeably, multi-step authentication is not the same as MFA, because most multi-step implementations use two of the same factors to facilitate authentication, requiring only one type of attack to get access.
Where is MFA available?
Many popular services use MFA, stretching from social media to webmail, shopping and popular business tools including Microsoft Office, with easy integrations using Microsoft and Google Authenticator Apps. A search of the help pages for most popular platforms can help you determine where it’s available and how it can be implemented for that service.
Does MFA guarantee my account won’t be hacked?
It’s impossible to guarantee perfect security, and MFA does have some potential drawbacks that can be a barrier to implementation. Physical tokens can be cumbersome, and the introduction of a second factor into processes can interrupt productivity flows.
Advancements in technology also mean that options such as the use of SMS to deliver a second factor have been deprecated, due to motivated cybercriminals porting mobile numbers under their control. Additionally, code and number-based tokens can be, and regularly are, phished alongside passwords.
However, the advantages of MFA outweigh any potential risks, which is why it overwhelmingly offers better protection that a password alone and is considered by the Australian Cyber Security Centre (ACSC) to be one of their Essential 8 Strategies to Mitigate Cyber Security Incidents.
For more on MFA architecture and implementation, check out ACSC's MFA page.