Two Be or Not Two Be Secure?

That is the question! This blog will explain what multi-factor authentication (MFA) is, why it is important, and some things to pay attention to. By the end of this blog, hopefully you can make an informed decision to answer the question.

What is Multi-factor Authentication?

Think of multi-factor authentication (MFA) as a belt-and-suspenders approach to keeping one’s pants up. MFA in the digital world combines a password with a temporary passcode, usually delivered by text message or email.

Setting up MFA helps keep your digital accounts more secure because it is one additional step a threat actor has to get past before they can log in as you.

There are several different options for MFA:

  • Text messages

  • Email codes

  • Code generator applications

    • Google Authenticator

    • Authy

  • Push notifications from an application

  • Biometrics

    • Think FaceID / Fingerprint readers

  • Physical devices that follow the FIDO2 standard

Are all MFA approaches created equal?

The short answer is no. MFA falls into two main categories: “phishing resistant” and not phishing resistant.

Phishing resistant means that even if the bad person manages to steal your password, it’s not easy for them to gain access to your account. The best kinds of MFA in this category are biometrics and physical devices, because the bad person would have to be next to you or have stolen your physical device.

Push notifications and code generators are also a form of phishing resistant MFA; however, they are not as secure as the previous two. These kinds of MFA can be prone to brute-force attacks or to what is called MFA bombing attacks.

A brute-force attack means the bad person tries every possible code until one works. Application creators can prevent this by allowing only a certain number of attempts before temporarily locking the account.

An MFA bombing attack means the bad person repeatedly triggers push notifications to your device in the hope that you will either get tired and approve one or approve one by accident. Application creators can prevent or lessen this kind of attack by limiting the number of push notifications that can be sent in a given timeframe.
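The two server-side defences described above (an attempt limit against brute force, and a prompt limit against MFA bombing) are small pieces of logic. The following is an added example written for this post, not code from any real authentication service; the policy numbers (five attempts, a five-minute lockout, three prompts per ten minutes) and the expected code are constructed for illustration.

```python
import hmac
import time
from collections import deque

# Policy constants (constructed for this example; real services tune these).
MAX_FAILED_ATTEMPTS = 5        # wrong codes tolerated before a lockout
LOCKOUT_SECONDS = 300          # how long a lockout lasts
MAX_PUSHES_PER_WINDOW = 3      # push prompts allowed per window
PUSH_WINDOW_SECONDS = 600      # length of the push rate-limit window


class MfaGuard:
    """Server-side guard for one account's second factor.

    verify_code() implements the attempt limit that defeats brute force;
    request_push() implements the prompt limit that blunts MFA bombing.
    """

    def __init__(self, expected_code, clock=time.monotonic):
        self._expected = expected_code
        self._clock = clock          # injectable so the behaviour can be tested
        self._failed = 0
        self._locked_until = 0.0
        self._push_times = deque()   # timestamps of recent push prompts

    def verify_code(self, submitted):
        now = self._clock()
        if now < self._locked_until:
            return "locked"
        # Constant-time compare: do not leak which digits matched.
        if hmac.compare_digest(submitted, self._expected):
            self._failed = 0
            return "ok"
        self._failed += 1
        if self._failed >= MAX_FAILED_ATTEMPTS:
            self._failed = 0
            self._locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"

    def request_push(self):
        now = self._clock()
        # Drop prompts that have aged out of the window.
        while self._push_times and now - self._push_times[0] >= PUSH_WINDOW_SECONDS:
            self._push_times.popleft()
        if len(self._push_times) >= MAX_PUSHES_PER_WINDOW:
            return False             # refuse to send; also worth alerting on
        self._push_times.append(now)
        return True


class FakeClock:
    """Controllable clock so the lockout and window logic can be exercised."""

    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    guard = MfaGuard("287082", clock=clock)   # constructed expected code
    # Five wrong guesses: four are rejected, the fifth trips the lockout.
    guesses = [guard.verify_code("000000") for _ in range(5)]
    # Even the right code is refused while the account is locked...
    during_lock = guard.verify_code("287082")
    clock.advance(LOCKOUT_SECONDS + 1)
    # ...and accepted once the lockout has expired.
    after_lock = guard.verify_code("287082")
    # Four rapid push requests: the fourth is suppressed.
    pushes = [guard.request_push() for _ in range(4)]
    clock.advance(PUSH_WINDOW_SECONDS + 1)
    later_push = guard.request_push()
    return {
        "guesses": guesses, "during_lock": during_lock,
        "after_lock": after_lock, "pushes": pushes, "later_push": later_push,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With these numbers, a six-digit code has 1,000,000 possibilities and the attacker gets five tries per five minutes, so exhausting the space would take almost two years, and every lockout is an event the service can log and alert on. The push limit works the same way: the fourth prompt in the window is never sent, so the user is not worn down, and the refused request is a strong signal that someone else holds the password.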

The non-phishing resistant category includes text messages and email codes. They fall into this category because cellphones are susceptible to what is called a SIM swapping attack, and email accounts can be compromised by the same bad person.

The gist of a SIM swapping attack is that a bad person transfers your phone number to a cellphone that they own, so they receive the phone and text message verification codes instead of you. I will make a more robust post about this in the future.

What should you do?

Go enable MFA; even if it is not phishing resistant, it’s better than not having it. But before you go all gung-ho on turning it on, here is a helpful list of pros and cons for some of the methods mentioned. Choose the method that is right for you and your risk tolerance.

  • Text Messages

    • Pros: Widely available and easy to set up

    • Cons: Vulnerable to SIM swapping attacks; relies on the cellular network

  • Email Codes

    • Pros: Convenient; no need for a separate app

    • Cons: Email accounts can be compromised; delayed delivery

  • Code Generator Apps

    • Pros: Work offline; generate time-based codes

    • Cons: Device-specific; backup and recovery challenges

  • Biometrics

    • Pros: Convenient and user-friendly; difficult to fake

    • Cons: Privacy concerns; not foolproof

  • Physical Devices (e.g., YubiKey)

    • Pros: Highly secure; resistant to phishing attacks

    • Cons: Requires carrying an extra device; initial setup
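The code generator apps listed above (Google Authenticator, Authy) produce their time-based codes with the TOTP algorithm from RFC 6238, which is HOTP (RFC 4226) run over a counter derived from the clock. The following is an added example written for this post, not code from either app or from the original text; the secret is the published RFC 6238 test secret (the ASCII bytes of "12345678901234567890"), not anyone's real enrolment secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret provisioned to the authenticator app (the Base32 string in the
# enrolment QR code). This is the RFC 6238 test secret, the ASCII bytes of
# "12345678901234567890", used here only for illustration.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SECRET = base64.b32decode(SECRET_B32)

TIME_STEP = 30   # seconds each code is valid for
DIGITS = 6       # code length shown in the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current code and one step either side
    to tolerate clock drift between the phone and the server."""
    counter = unix_time // TIME_STEP
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        # Constant-time compare so timing does not reveal matching digits.
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("current code:", code, "accepted:", verify_totp(SECRET, code, now))
```

Nothing is transmitted when a code is generated: the phone and the server each hold a copy of the secret and derive the same six digits from the current 30-second step. That is exactly why the table calls these apps device-specific and flags backup and recovery, since the secret lives only on the enrolled device, and why a code is useless to anyone who captures it more than about a minute later.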

As always comments are welcome, keep them civil and on topic.
