What is MFA?
MFA (Multi-Factor Authentication), often called Two-Factor Authentication (2FA) when exactly two factors are used, adds an extra layer of protection to your accounts. This post explains what that extra layer is and why it is best to have it turned on.

The publications and views expressed in this (blog) website are my own personal opinions and are by no means associated with my employer.
Introduction
MFA uses multiple independent factors to verify that the person logging in to a system is really you. The first factor is in most cases your password, or in MFA terms "Something You Know". Passwords have been used since the beginning, and on their own they are no longer as secure as they once were: they get reused across sites and leak in breaches, they can be guessed or sprayed, and they can be phished, so attackers routinely end up holding a valid password without ever touching your device.
This is where MFA comes in. After you have entered your password, the next factor verifies that it really was you who entered it. This could be a phone call or SMS text message to your phone, or an authenticator app such as Microsoft Authenticator or Google Authenticator that generates a One-Time Passcode (OTP) for you to type in. These fall under "Something You Have", because the phone number or the device running the authenticator app is something you own and normally carry with you. Not all of these are equal: a code delivered by SMS or voice call can be intercepted by moving your number to another SIM or by tricking you into reading it out, whereas an app-generated OTP is computed on the device from a shared secret and the current time and never travels over the phone network.
Another factor is biometric, such as the fingerprint scanner or IR (infra-red) camera found on most laptops and mobile devices. This is known as "Something You Are", because it uses your fingerprint or a scan of your face, which is checked against the template you enrolled. That template is generally stored locally on the phone or laptop, and a successful match unlocks the device rather than sending your fingerprint or face to the service you are logging in to.
Now that the different types of factor have been explained, let's compare MFA with a couple of real-world examples:
Your Home or Business
Your home or business: you want it protected, right? You install an alarm system on the entrances, CCTV to monitor who comes and goes, maybe even a gate at the top of your driveway with an intercom so you can talk to whoever is there and decide whether to let them in.
If you do all that, why not protect the accounts for all of your different systems too? Your account, or identity, on those systems is just like your home or business: you need to protect it to prevent someone with malicious intent from acting on it. MFA is the equivalent of the preventative measures you add to your home or business.
Your password is your house key. It secures the home, but if someone steals the key and knows where you live, they can walk in unhindered and you will be none the wiser until you get home.
Note: your company's IT department will have other monitoring measures in place, but this is an easy comparison to explain the principle.
So, to protect your home or business from something like this, you would install an alarm system in addition to CCTV monitoring the outside of your property.
MFA is exactly the same idea: an extra check that verifies it really is you. For example:
Accessing a web application that contains sensitive information. You want to protect that data, right? Verify that it is you attempting to access the system.
Unusual activity on your account, such as an attempt to log in from Spain when you are a UK-based business. Verify that it is you, or use other protections, such as Microsoft Conditional Access, to block sign-in attempts from countries you do not operate in.
Your Bank Card
Another example is your bank card. Why? Because we have been using MFA the whole time we have used them. See the table below:
Item | MFA Type
--- | ---
Bank card | Something you have
Bank card PIN | Something you know
Both of these, the physical bank card and its PIN, are required to buy products in shops and to withdraw money from an ATM.
Admittedly we have started to go contactless; however, we still fall back to MFA when the bank detects anything unusual or out of character in your spending. On those occasions you are prompted to verify that the purchase is yours by inserting your card into the chip-and-PIN device and entering your PIN. So even though we all now just tap our cards to buy things, some protection remains in place. We of course still need to be mindful and vigilant.
The same applies at work: we may not be required to verify our logins every day. It may be as simple as re-verifying every 30 days, plus whenever something uncommon happens with your account, such as:
Logging in from a new location
Changing your password
Entering your password incorrectly several times (once or twice is to be expected, but repeated failures are treated as a red flag by some systems)