Multi-Factor Authentication (MFA) Explained

By Craig.Bailey, October 28th, 2022
Good To Know

MFA and 2FA are a couple of three-letter acronyms that pop up with increasing frequency when the topic turns to Internet security. Standing for “multi-factor authentication” and the more-specific “two-factor authentication,” they’re important concepts to understand and embrace if you want to protect yourself online.

You might be surprised these are concepts you’re already familiar with.

For example, every time you visit an ATM to withdraw cash or make a deposit you use 2FA. In order to gain access to your bank account through an ATM, you need to provide no fewer than two items: a physical item you have in your possession (your account’s card) and a piece of information you know (your personal identification number [PIN]).

With both pieces of the puzzle, and only both pieces, you’re able to gain access to your account.

2FA as it applies to websites operates on the same principle: users must have in their possession no fewer than two authenticating items in order to gain access. One item, for example a password, is no longer enough.

In broad strokes, 2FA requires users possess two authenticating items from four possible categories:

  1. Something the user knows, such as a password or a PIN;
  2. Something the user has in his/her possession, such as a mobile device or USB stick;
  3. Something the user is, identified by things such as an iris scan, fingerprint or voice; and
  4. Some place the user is, such as logged in to a specific computer network.

In the most common implementation of 2FA for website security, a user enters their password into a login form and is then required either to provide a secret numeric code generated by a third-party app on their mobile device, or to provide a code that the website sends to that device via SMS text message.

More and more website login forms are requiring users to activate 2FA, with many others offering it as an additional security option. We recommend users take the plunge whether or not it’s required. No matter what service you access by logging in — social media, banking, webmail or others — the minor inconvenience of setting up 2FA can potentially ward off an inconvenient and expensive breach somewhere down the road.

We also recommend to all Root802 clients that any login forms on their websites be outfitted with 2FA. It’s a measure of protection that can be added to existing login forms at any time without any great expense.

For sites built using the WordPress and Drupal content management systems, there are readily available plug-ins and modules to handle the heavy lifting. For custom websites built from the ground up, we recommend a plan that provides users with unique codes using the free Google Authenticator app, or via SMS or voice calls using Twilio.

If you’d like to learn more about protecting your website using 2FA, contact us.

Image by storyset on Freepik