Multi-factor authentication, sometimes referred to as two-factor authentication, has been a pretty big buzzword over the last few years. It’s something that can provide additional security for many of your accounts, yet it can be extremely confusing.
I hope to ease some of this confusion and help you understand what it is and how it can help you. I can’t explain how to set it up for each individual service, after all, each service is different. I do hope to give you some pointers on what tools you may need to set it up and a general overview of how multi-factor authentication works, so you can get your head around it a bit more easily.
So what is multi-factor authentication?
Everybody understands the concept of a password. These have been in use since the dawn of computing. However, passwords alone can be a weak spot. It is often very difficult to come up with a password that is easy to remember but also secure. For convenience, people tend to reuse their passwords across multiple services. This carries the risk that if your password is ever guessed or cracked, an attacker may be able to get into other accounts you own.
Enter multi-factor authentication. This combines different “factors” to provide additional layers of security for your accounts. These factors are usually a combination of the following.
Something you know. The most common things you “know” will be a username and password, or a PIN.
Something you have. This could be a physical credit card, or an app installed on your mobile phone (the phone being the thing you “have”).
Something you are. This will usually be some sort of biometrics, for instance fingerprint scanning or facial recognition.
Somewhere you are. This is commonly used by services such as banks or online shops. If, for instance, you make a transaction from your home country and another transaction comes in from a different country a few minutes later, the service can pick up that the account may have been compromised and flag it for review.
Should I enable multi-factor authentication?
The short answer to this question is: If a service you use offers multi-factor authentication, it is a good idea to enable it. This means that if your password is ever compromised, an attacker has an extra hurdle to jump through. It doesn’t guarantee an attacker will stay out, but it makes their job significantly harder.
For devices such as laptops and mobile phones, fingerprint scanners and facial recognition are becoming increasingly common.
For online accounts, such as banking and social media, you can often pair this with an authentication app on your mobile phone. How you set this up varies between different services, however the process is frequently documented in their online help.
Finally, some services will send a code via text message to your mobile phone when you log in. This is better than nothing, but it isn’t the most secure option. Attackers have been known to contact your mobile provider, impersonate you and have your number moved to a phone they own. Any text messages, including login codes, then go to them, and they can use those codes to get into your account. This is rare, but not unknown. For this reason, we would only recommend using this option if you have no other alternative.
How does multi-factor authentication work?
Different services implement multi-factor authentication slightly differently, but they all follow a similar theme.
Laptops and mobile phones generally use a form of biometrics, for example a fingerprint scanner or a front-facing camera for facial recognition. When you log in to or unlock the device, it’s simply a case of pressing your finger against the scanner, or facing the screen so the camera can identify your face. How you enable these varies between manufacturers. On a phone, go into the Settings menu and you will usually find a Security option where these can be turned on. On a Microsoft Windows 10 computer, open the Settings app, then go to Accounts and then Sign-in options. If your device supports Windows Hello facial recognition, you can set it up there.
For online services, such as email or banking, this is usually done through an authentication app on your phone. Common authentication apps include Microsoft Authenticator, Google Authenticator and Authy, all of which can be downloaded from your phone’s app store. Once installed, there is usually an initial setup process for each service. Specific instructions for a particular service can usually be found in its help section, but the process is usually that the website displays a QR code on the screen for you to scan. You then open your authentication app, add a new account and scan the code. Finally, you enter the code now shown on the phone back into the website, which confirms it is working, and setup is usually complete.
It’s a few steps to go through, but you only have to do it once per service. Once it’s set up, whenever you log back into the service you’ll be prompted for a code. Open your authentication app, select the service, enter the number that is displayed and you’re in.
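What actually passes between the phone and the website in the setup and login steps above, as an added example that is not code from the original article or from any of the apps named: the QR code encodes a small otpauth:// URI carrying a shared secret, and from then on the phone and the website each compute a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) from that secret and the current 30-second time step; the website simply checks that its result matches what you typed. The account name and secret below are constructed for the demonstration (the secret is the base32 form of RFC 6238’s published test key, not anyone’s real secret), and only the Python standard library is used.

```python
"""Added example, not code from the original article or from any authenticator
app: what happens behind the QR code and the six-digit code.  Standard library
only.  The account name and secret are constructed for the demonstration."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a setup QR code decodes to (the otpauth key URI
# format most services use).  The secret is RFC 6238's test key, base32-encoded.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleBank:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """What the app stores after scanning: the shared secret and parameters."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(params["secret"][0], casefold=True),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic
    truncation to a 31-bit integer, reduced to the wanted number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, period=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step.
    This is the number the app displays; it changes every `period` seconds."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // period, digits)


def verify_totp(secret, submitted, at_time=None, period=30, digits=6, window=1):
    """Website-side check of a submitted code.  The phone's clock may be a
    little off, so the codes for `window` steps either side of the current
    one are also accepted.  The comparison is constant-time so a wrong guess
    reveals nothing about which digits were right."""
    submitted = submitted.strip()
    if not (submitted.isascii() and submitted.isdigit()) or len(submitted) != digits:
        return False
    if at_time is None:
        at_time = time.time()
    step = int(at_time) // period
    return any(
        hmac.compare_digest(hotp(secret, step + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Setup: the app scans the QR code and keeps the secret.
    account = parse_otpauth_uri(SAMPLE_OTPAUTH_URI)
    # Login: the app shows a code, the user types it in, the website verifies it.
    now = time.time()
    shown = totp(account["secret"], now, account["period"], account["digits"])
    print(account["label"], "code:", shown)
    print("accepted:", verify_totp(account["secret"], shown, now))
```

The secret never leaves the phone or the website after setup; only the six digits derived from it and the time do, which is why a code is useless a minute later and why losing the phone (and its secret) is the situation the backup advice below is about.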
Are there any ‘gotchas’ that I should be aware of?
There are a few things to watch out for to make sure you don’t come unstuck.
Some authentication apps can back themselves up to a cloud service; Microsoft Authenticator is known to do this. This matters when you upgrade your phone, as you will need to set the app up again on the new one.
If it backs up to the cloud, you will need to set up your new phone using the same Google or Apple account that you used on the old one. You then download the authentication app from the appropriate app store and follow its process for recovering from a backup. Once that is complete, you should be up and running. As a precaution, I recommend that you don’t wipe your old phone until this process is complete. Doing it this way means you can set up a new device without being locked out of any of your other accounts.
Some services also allow you to download backup codes. These are useful in the case of absolute disaster where you are unable to get to your authentication app for some reason. The process for using these varies depending on the service, so if you need to use these codes you will need to check the process in the help section of the site you are using. For disaster recovery, it is important to download these and save them somewhere secure.
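To show why backup codes are shown to you only once and why each one works only once, here is an added example (not code from the original article or from any particular service) of how a website can issue and honour them. The service keeps only a salted, slow hash of each code and marks it used when it is redeemed, so a leaked database does not reveal working codes and a used code cannot be replayed. The in-memory dictionary standing in for the user database, the code alphabet and the PBKDF2 iteration count are all assumptions of the example.

```python
"""Added example, not code from the original article or from any particular
service: issuing single-use backup codes and redeeming each one exactly once.
Standard library only; an in-memory dict stands in for the user database."""
import hashlib
import hmac
import secrets

# Letters and digits that are hard to confuse when read off paper and typed
# in (no 0/O, 1/l/I).  31 symbols, so a 10-character code has ~49.5 bits of
# entropy.  Alphabet and length are choices made for this example.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ITERATIONS = 50_000  # assumed tuning for the example; raise in production


def generate_backup_codes(count=10, length=10):
    """Plaintext codes formatted as xxxxx-xxxxx, drawn from a CSPRNG."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def _normalise(code):
    """Users type codes with or without the dash, spaces or capitals."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code, salt):
    """Slow salted hash.  ~49 bits of entropy is far less than a good password,
    so a fast hash would let a leaked table be brute-forced offline."""
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode(), salt, PBKDF2_ITERATIONS)


def enroll_backup_codes(store, user, count=10):
    """Issue a fresh set for `user` (replacing any old set) and return the
    plaintext codes to display once.  Only salted hashes are stored."""
    codes = generate_backup_codes(count)
    entries = []
    for code in codes:
        salt = secrets.token_bytes(16)
        entries.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    store[user] = entries
    return codes


def redeem_backup_code(store, user, submitted):
    """Accept `submitted` if it matches an unused code, and burn it.
    Returns True on success; each comparison is constant-time."""
    for entry in store.get(user, []):
        if entry["used"]:
            continue
        if hmac.compare_digest(_hash_code(submitted, entry["salt"]), entry["hash"]):
            entry["used"] = True
            return True
    return False


def remaining_backup_codes(store, user):
    """How many unused codes the user has left (warn them when it runs low)."""
    return sum(1 for entry in store.get(user, []) if not entry["used"])


if __name__ == "__main__":
    db = {}
    issued = enroll_backup_codes(db, "alice", count=5)
    print("Save these somewhere safe; they will not be shown again:", *issued)
    print("first use:", redeem_backup_code(db, "alice", issued[0]))
    print("replay of the same code:", redeem_backup_code(db, "alice", issued[0]))
    print("remaining:", remaining_backup_codes(db, "alice"))
```

A real service would also rate-limit redemption attempts per account and prompt you to generate a new set once the remaining count gets low; the example leaves both to the surrounding login system.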
Multi-factor authentication can be a little bit daunting to set up initially, particularly if you have to set it up for multiple accounts. Luckily with most services, the process is usually well documented.
It is definitely worth the pain of setting it up, as it makes it significantly more difficult for an attacker to gain access to your accounts. Once it’s been set up, it quickly becomes second nature to utilise multi-factor authentication. We would recommend doing it for at least your most valuable accounts, such as any banking accounts, email and social media. It will significantly reduce the risk that these accounts become successfully compromised.