What is MFA?

The Basics:

MFA stands for Multi-Factor Authentication and is often used interchangeably with 2FA (second factor authentication), which isn’t wholly inaccurate. The way we recommend thinking about it is that all 2FA is MFA but not all MFA is 2FA, kind of like how all dachshunds are dogs but not all dogs are dachshunds. You can also use the words themselves to remember the difference: second factor literally means the SECOND factor, and there are no others to contend with after you pass 2FA, whereas multi-factor can be only 2 factors but can also be infinitely more than that. Since MFA is the more inclusive term, it is the one that we use on this site.

It is also crucial to understand that MFA is not the same as a recovery method. You can have a recovery email attached to your account without it being used as MFA; in fact, recovery email/SMS settings could be considered the direct opposite of MFA, as they can actually be used to imperil your account, but we’ll save that for another post.

We still haven’t defined what MFA is, so let’s clear that up. If you have logged into a website, typed in your username and password, and immediately encountered a prompt requesting a secret 6-digit code that has been sent to your e-mail, then you have come up against MFA. We are big fans of MFA here at WAB and believe that any MFA is better than none, but we want people to understand that not all MFA is created equal.

As of this post, the 5 most common types of MFA are:

  1. SMS

  2. Email

  3. TOTP (Time-based One Time Password)

  4. Push Notifications

  5. Hardware Keys (AKA Security Keys)

We ordered the above very specifically, with number 1 being the least secure and number 5 being the most. Some may note that we have not included biometrics in this list; that is because biometrics aren’t often used as MFA and are generally utilized in place of a password. We consider SMS to be the least secure because it is the most susceptible to social engineering attacks: all a skilled hacker needs in order to gain control of your phone number is a few facts about you (helpfully provided by data brokers) and the ability to feign distress when on a call with the phone company.

There are some situations where email may be a less secure method of MFA, such as if your primary email account still uses @aol as the domain and your password is password1. Otherwise, email is more secure because your email provider has its own security measures, such as MFA on the email account itself and heuristics that can force a potential attacker to prove they are you before a successful login. These heuristics often include noting whether you log in from a different browser or IP address, which is something you won’t get with SMS MFA.

TOTP MFA is becoming increasingly utilized; at this point we believe that every one of us has at least one of these authenticators on our phone. Ignoring the security questions for a moment, we will admit that we find TOTPs tedious to use; if you consider yourself a slow typer then you understand our pain. If TOTP isn’t the most secure form of MFA, then why is it so popular? The simple answer is that it is a standardized MFA, so while it will never be the most secure it also will never be the least secure. It works by generating a temporary passcode every 30 seconds to 1 minute (depending on the authenticator) that you have to quickly type into your browser in the allotted time. This passcode is generated algorithmically based on that given moment in time; exactly how that math is done is admittedly beyond our skills.

This is the one that we suspect the most people will disagree with (we already predict an influx of emails regarding this ranking), but we consider push notifications the second most secure MFA. Fear not though, we will explain our reasoning. The first reason is that the applications that receive the push notifications are guarded by the same heuristics and MFA as your email account, so a hacker would have to compromise two layers of MFA to achieve their goal, which, while not impossible, is unlikely.

Our favorites by far are hardware keys, also known as security keys (thank you google). There are a number of companies that make these devices; we prefer the Swedish company Yubico, but any company that manufactures keys that are FIDO2 compliant will serve you well. What is FIDO2, you ask? FIDO2 is the latest set of security protocols to come out of the FIDO Alliance, a group of companies and think tanks that are working together to secure the internet by fixing our password problems. FIDO authentication provides security, convenience, privacy and scalability. What we love about FIDO2 authentication is that the cryptographic login credentials are unique across all the websites you visit, so they cannot be used to track you across sites, and the private key is never stored on a server. This model of security is used to minimize the risks of phishing attacks, replay attacks, and password theft. We use the word minimize very deliberately here, because while some say that it eliminates the risks of the above attacks, the We Assume Breach team doesn’t want anybody to believe that using any form of MFA is 100% foolproof.

Our Recommendation:

If you read the above then our recommendation should make sense; if you didn’t read the above then do so, it’s free! If you have the cash and use apps that support hardware keys then we recommend you do that. If you use Google and don’t have a security key, you should check out the “secured enclave” option that they have, which turns your smartphone into a security key. From there, work down the list and choose the most secure option available for the service that you use, and where possible utilize an SSO (Single Sign-On) provider. SSO is something we will expand upon in another post.
