Multifactor authentication, or MFA, helps keep your accounts safer by adding login steps beyond entering a username and password. While remembering an extra PIN or finagling your fingerprint login can be annoying when you’re in a rush, including extra security layers can prevent 99.9% of fraudulent sign-in attempts, according to a 2019 Microsoft report.
So if you’re using MFA and someone finds your bank account password, it won’t be enough information to get to your money. That’s bad news for cybercriminals who try to break into your email, financial and shopping accounts—and good news for you. Here’s how MFA works.
What is multifactor authentication? Why is it important?
Multifactor authentication is a security measure that asks for two or more credentials before you log in to an account, with the goal of stopping intruders from accessing that account. Those credentials fall into one of three categories that are described as:
- Something you know, such as a password or the answer to a security question.
- Something you have, such as a passcode you fetch from your phone or email account.
- Something you are, which is a biometric verification, such as a fingerprint or facial and voice recognition.
Some MFA programs may also check two more factors: when you normally access the account and your current location. If you log in to your account from a different country, for example, you may need to provide a security passcode to prove you’re the authorized user.
The need for online security is only growing. Hackers gained access to more than 446 million consumer records through data breaches in 2018 alone, according to the Identity Theft Resource Center. Criminals used this info to steal money, commit identity theft, and take control of email and social media accounts. Multifactor authentication makes it harder to get to your sensitive information.
How does multifactor authentication work?
MFA is designed to make it nearly impossible for intruders to access your accounts. If a criminal breaks through one factor—for example, they find the answers to your security questions—then they still have at least one more factor to breach before successfully breaking in to the account.
“Cyberattackers are looking for the easiest way in, typically with a weak or stolen password,” said Brad Shewmake, director of corporate communications at Centrify, which provides identity and access management security software solutions. “Most of the time it’s through phishing or people who use ‘12345’ as their password. If they come up against a multifactor authentication challenge, they’ll move on.”
Some scenarios in which you may use multifactor authentication:
- Insert a debit card at a store’s point-of-sale device, then enter a PIN.
- Log in to a website that sends a one-time passcode to your phone or email.
- Tap your phone screen, then scan your fingerprint or pose for facial recognition.
- Call your bank and provide the last four digits of your card number and pass a voice recognition scan.
What is the difference between two-factor and multifactor authentication?
Two-factor authentication, or 2FA, is a subset of multifactor authentication that confirms your identity by using a combination of two different factors. With multifactor authentication, each additional factor increases your overall cybersecurity.
“The more factors you use to log in, the more secure you’re going to be,” said Andy Smith, vice president of product marketing at Centrify.
How can I protect myself online?
Be alert while shopping and managing your finances online. While you can’t prevent data breaches, you can control certain information in your accounts and your security settings. Making sure you or your business is protected online can require a bit of strategic planning, so take steps to implement policies and procedures to protect yourself.
Know the signs of phishing, which is any attempt by email, phone or text that tries to get you to divulge personal financial details. In a recent report, the Federal Bureau of Investigation warned that cyberattackers may crack through multifactor authentication by using common phishing techniques.
It helps to know the red flags. “Make sure you’re educated about what to look for,” Smith said. “For example, your bank will never email you and ask for your password.” You can also use an email search service as a potential way to check suspicious communications, and use a secure email provider.
Enable multifactor authentication. If someone tricks you into giving up information, such as your password, multifactor authentication is supposed to make it harder for a criminal to access the account. Wherever it’s offered, use multifactor authentication for your mobile payment, insurance, health care, financial and retail shopping accounts. You can also use an identity monitoring tool to alert you to breaches involving your personal information.
Use a different password for each account. This makes it harder for criminals to access more than one of your accounts. Consider using a password manager to help you generate strong passwords and keep track of them. “And if you read about a company or a service that you use that’s been breached, you better go change that password immediately,” Shewmake said.
While some companies require account holders to use MFA, others may provide it as an option. To use this security feature, make a list of all your accounts that contain sensitive information. Log in and check the security and privacy settings, which is where you can typically switch on MFA options.
According to the FBI, while multifactor authentication isn’t perfect, it can greatly reduce the risk of attackers breaking in to your account.