Jargon buster: what is “Multi-factor Authentication”?

One of the best things you can currently do to secure yourself online is to use Multi-factor Authentication wherever it is available. It is also referred to as MFA, or, in the common case where exactly two factors are used, Two-factor Authentication or 2FA.

Factor? Authentication?

We all know how most online accounts work: when you log in you provide a username (often an email address) saying which account to use. To prevent other people from using your account, you then provide a secret password. In this scenario the password is the one piece of evidence (the factor) that confirms (authenticates) that you are allowed to use the account, and it is something only you know. This is an example of Single-factor Authentication.

This way of authenticating access is simple and has been in use since the 1960s. But it has many weaknesses. Passwords can be guessed[1], stolen in a data breach or phished, and once a cybercriminal knows your password they have exactly the same access to the account as you do.

There is light at the end of the tunnel with the introduction of passkeys; watch for our upcoming article on what passkeys will mean for you. Until then, MFA can make your accounts much more secure. Not all systems support MFA, but if a system does offer it, we advise you to use it.

How MFA works

MFA simply adds one or more further checks (extra factors) on top of the password; hence “multi-factor”. Factors are usually grouped into three kinds: something you know (a password or PIN), something you have (your phone or a security dongle[2]) and something you are (a fingerprint or face). Once you have entered your username and password, the system asks for a factor of a different kind to confirm your access. This could be a biometric input such as your device’s fingerprint scanner, an action on another device such as your phone, or a tap on a specialised security dongle.

Depending on the system, the extra factor can take the form of typing in a code texted to your phone, scanning your fingerprint, typing in a short-lived code generated by an authenticator app, approving a prompt that appears on your phone, or tapping a button on a security dongle.

MFA is more secure than a single-factor system because you are asked to prove something with a device the cybercriminal does not physically have or, in the case of a biometric factor, with something that is exceedingly hard to reproduce. Even if they know your password, they still cannot use the account because they cannot provide the extra factor to confirm the login.

So why are we moving to passkeys?

MFA is much better than a single-factor system, but it still has weaknesses. Your designated multi-factor device could be stolen. Cybercriminals can use a method known as “prompt bombing”, where they trigger many MFA requests in quick succession in the hope that you eventually approve one out of frustration. A convincing phishing site can ask you for the texted or app-generated code and pass it straight on to the real site before it expires. And where a texted code is the chosen factor, there have been cases of cybercriminals taking over people’s phone numbers (known as “SIM swapping”), allowing them to receive the code themselves.

So, no point then?

The weaknesses are real, but exploiting them takes considerably more effort than guessing or stealing a password, and MFA is always more secure than a username and password alone. Until passkeys become widely supported, we advise you to activate MFA wherever it is available.

  1. According to cybernews.com, the most used password is still “123456”. ↩︎
  2. A dongle is a small device you plug into your computer which acts like an electronic key. ↩︎