What is multi-factor authentication?
Multi-factor authentication (MFA) adds an additional layer of security to the login process for online accounts. In addition to user name and password, users must specify at least one additional authentication factor when logging in. This ensures that the account remains protected even if attackers have gained access to the login credentials.
- A definition of multi-factor authentication ➔
- How does multi-factor authentication work with banks? ➔
- How does multi-factor authentication work with online services? ➔
- Against which threats does multi-factor authentication provide protection? ➔
- How do I set up multi-factor authentication? ➔
- Why do I need a recovery code? ➔
- How does an authentication app work? ➔
- How secure are the different authentication methods? ➔
- How do I disable multi-factor authentication? ➔
- Myra supports multi-factor authentication ➔
- What you need to know about multi-factor authentication ➔
A definition of multi-factor authentication
Multi-factor authentication provides significantly greater security than the use of passwords alone. By combining several independent factors, the identity of a user is verified beyond doubt. Factors can be divided into three groups: something that only the user knows, possesses, or is inseparable from. Specific examples are a password, a hardware security token in the form of a USB stick or smartphone, and biometric features such as the user’s face or fingerprint.
Only when the user specifies factors from at least two different groups when logging in will he or she be granted access to his or her account. In most cases, a security code that is only valid for a short time is requested, which the user receives via text message, email, voice call, or smartphone app. Most online services now offer this type of two-factor authentication (2FA).
Procedures involving three or more factors are also used, particularly in professional environments. If login requires at least one item from each of the three groups, this is known as three-factor authentication (3FA). An example of this would be the combination of a password, device ID, and fingerprint. In four-factor authentication (4FA), the user’s location is frequently also checked, such as whether the user is logging on from the internal network.
If multi-factor authentication is enabled, an attacker will be unable to do something with the user name and password alone because he lacks the MFA key, which is used as an additional factor to verify identity. For most services, however, users first have to set up multi-factor authentication in their account settings.
How does multi-factor authentication work with banks?
Everybody should be familiar with the MFA procedure of withdrawing money from ATMs: The first factor is the bank card; the second factor is the PIN. Online banking uses a combination of login credentials and a transaction authentication number (TAN). Customers receive the TAN, which is only valid once, as a text message (smsTAN) or app notification (pushTAN) on their smartphone, or they generate it themselves using a TAN generator and chip card (chipTAN).
How does multi-factor authentication work with online services?
When multi-factor authentication is enabled, the user first logs on to his or her account as usual with a user name and password. In the second step, he or she must enter a security code generated for each session. Depending on how it is configured, the user receives the code via text message, email, voice call, or authenticator app.
As part of multi-factor authentication, some services also support hardware security keys compatible with open authentication standards such as the FIDO Alliance’s Universal 2nd Factor (U2F) and FIDO 2. These security tokens, usually in the form of a USB stick or a smart card, make it possible to log in securely without a password using only a fingerprint, face recognition, the press of a button, or a local PIN. Some security tokens are also able to generate one-time passwords on demand, which can be used for MFA in combination with other factors.
Against which threats does multi-factor authentication provide protection?
Login credentials can quickly end up in the wrong hands. For one, attackers take advantage of the ignorance and gullibility of many internet users to gain access to login information. Secondly, cybercriminals gain direct access to inadequately secured provider databases containing thousands or even millions of login credentials. On the Darknet, data like this, often originating from leaks or hacker attacks, is traded at bargain prices.
Multi-factor authentication protects an account even if the login credentials have been compromised. Attackers will still be unable to gain access to the account using the user name and password alone because they do not have the MFA key as an additional factor for proof of identity. Accounts with multi-factor authentication enabled are therefore safe from the following threats:
Phishing attacks are aimed at stealing valuable login credentials for things like online banking or payment services. To do this, phishers often send millions of spam emails that include links luring unsuspecting users to fake login pages. These login pages are often indistinguishable from the original. When a user enters his or her login credentials, they are sent straight to the scammers.
The use of malware represents another method commonly employed by cybercriminals to get login credentials. They use spam emails or tampered websites to inject a keylogger into the system, for instance. This type of malware logs every user keystroke to sniff out login credentials.
Cracking passwords by brute force has, for years, been part of the standard repertoire of hackers. This method of attack is used to crack secured accounts by repeatedly and systematically entering user name/password combinations. Using automated tools and powerful hardware, simple login credentials can be “guessed” in a short time. However, the more complex passwords become, the more computing power and time are required in the brute-force method.
In credential cracking, cybercriminals use leaked lists of user names and passwords to gain access to an online account. If the attackers know the user name for a particular account with a provider, but not the password, they use bots to test known passwords automatically. A single match will then give them full access to the account.
As with credential cracking, in credential stuffing, hackers take advantage of the convenience of many users who often use the same weak default password for a variety of accounts. Once attackers come into the possession of a leaked user name/password combination, credential stuffing enables them to quickly identify active accounts. All they have to do is to start automated requests using the known login credentials, e.g., to webshops, online banks, and even corporate accounts. The bots used for this purpose are capable of testing millions of user name/password combinations within hours. The criminals then sell any matches to active accounts or use them for more extensive attacks.
How do I set up multi-factor authentication?
The option to enable multi-factor authentication can be found in the security section of the account settings for most online services. Setting it up takes only a few steps: The user can often choose whether to receive the authentication code via text message, email, or voice call or to use an authenticator app.
The former requires the entry of a valid phone number or email address; the latter requires using an authentication app installed on a smartphone to scan a QR code. Setup is usually completed by entering the security code received.
Why do I need a recovery code?
After setting up multi-factor authentication, it is recommended that you write down or print out one of the recovery codes provided and keep it in a safe place. This is the only way to ensure continued access to the account if there are any problems with the authenticator app or if the smartphone or USB security key gets lost. Note: Each recovery code can only be used one time.
How does an authentication app work?
Authentication apps generate a local, six-digit security code on the smartphone, valid for a limited time. This also works without an internet or cell phone connection. If the user has activated multi-factor authentication for the account, after entering the password, the code displayed in the authenticator app must also be entered to log in to the account. Of course, this requires that the user has linked the online account to the authenticator app beforehand.
Adding an account to the authenticator app usually only requires using your smartphone’s camera to scan a QR code provided by the service. Optionally, a setup key can be entered manually to link an online account to the app.
How secure are the different authentication methods?
In general, all methods employing multi-factor authentication provide significantly greater security than the use of passwords alone. If the device is free of malware, the use of an authentication app is considered to be more secure than receiving an MFA key via text message. This is because codes sent by text message can be intercepted or redirected by attackers with a bit of effort. For example, they use the victim’s name to contact their phone provider and pretend to have lost their cell phone and SIM card. They have a new card sent to them and have the old one blocked. If the phone provider’s security measures are inadequate, this is how attackers gain control over the victim’s phone number and all of the online accounts linked to this number.
The greatest level of security is provided by multi-factor authentication employing hardware security tokens in the form of a USB stick or smart card. The user must connect it to a computer or hold it in front of a reader to log in. The token is uniquely identified and additional factors are requested for authentication, such as a fingerprint and a PIN. If the factors entered match the token, the user is granted access to his or her account. If the token is lost, the account remains protected against unauthorized access because the additional factors are still required.
How do I disable multi-factor authentication?
It is not generally advisable to disable multi-factor authentication. The slightly more time-consuming login process is well worth it since an account with multi-factor authentication is much more secure than one that uses a password alone.
If you do not want to enter a security code every time you log in, you can often indicate during login that you no longer want to use multi-factor authentication on that device. This means that there is no prompt for a code when the user always logs in from the same device or browser. However, multi-factor authentication still kicks in if a new login attempt is made from a different device or browser.
If desired, the multi-factor authentication can, of course, be fully disabled. The option is usually found in the security section of the account settings.
Myra supports multi-factor authentication
If you want to protect your online accounts as effectively as possible, you should use multi-factor authentication in addition to complex passwords. Of course, Myra’s Security-as-a-Service platform also supports login via MFA: In the web application, customers can easily enable “Confirmation in two steps” under My Account > Security to easily comply with internal security requirements.
What you need to know about multi-factor authentication
The theft of login credentials has always been one of the main activities of cybercriminals. The trade in compromised login credentials that can be used for targeted attacks is flourishing on the Darknet. Multi-factor authentication prevents attackers from using leaked or stolen user name/password combinations to gain access to an account by requiring at least one additional factor at login. MFA thus protects an account even if the login credentials have been compromised. This additional level of protection is definitely worth the one-time extra effort to set up multi-factor authentication.