What Is Multi-Factor Authentication and How Does It Work?


In today’s Ask the Admin, I’ll explain what multi-factor authentication is and why you should enable it.

Identity theft is a big problem on the Internet. There’s an understatement if ever there was one. We all know someone, even the most diligent of acquaintances, who have been affected by some form of online fraud, and at the root of the problem are passwords and how we use them. The most common issues are reusing the same password across different accounts, logging in from untrusted devices (i.e., a friend’s computer), weak passwords, and passwords that are never changed or easily guessed. Two-factor authentication (2FA) helps protect against the shortcomings of passwords (and people).

Protect Your Primary Email Account

Email is the primary means of verifying your identity when signing up for a service on the Internet. Sometimes you’re also asked to provide a secondary email address in case there’s a problem with the first. If you sign up to a new service and provide a unique password, change it regularly, and other security measures are put in place to secure the account, such as a set of challenge/response questions — you’d imagine that your account is well protected. But access to your email could easily enable a hacker to reset passwords and take over accounts associated with your email address.

This is what happened to a friend of mine recently, who found himself unable to access his bank account from overseas. When he called the bank, they couldn’t verify his identity because his details had been changed. I asked if he had any idea how this had happened, and he told me that somebody had hacked his Google account and set up a rule to delete email from Google, his banks, and credit card companies — all revealed via the Security Check link in Gmail.

This is one of many ways in which hackers gain access to otherwise well-protected accounts. And if you protect just one account using 2FA, start with the email address used as an identity for important Internet-based services.

Something You Have, And Something You Know

Password are easily stolen or guessed, and as something you know provides one ‘factor’ in the authentication process. Multi-factor authentication adds one or more factors in addition to your password. For example, something you have can be added to something you know. Enterprises have traditionally used smartcards to implement 2FA, but this often required additional infrastructure and the purchase of specialized tokens. Increasingly, smartphones are being used as a second factor, making 2FA easier for business and consumers to implement.

In practice, in addition to entering your password, 2FA requires that you confirm you have a registered device in your possession. This is usually achieved by providing an access code displayed in an authenticator app that’s installed on the phone, or a code sent by SMS, but this method is less secure because SMS messages can be intercepted.

A password isn’t enough to authenticate when 2FA is enabled. Sounds good but inconvenient, right? Once you log in using 2FA, most systems allow you to trust a device, for a limited period, so that you don’t have to use the second factor at every login attempt.

Code-Less Authentication

Apps from Google, LastPass, and Microsoft make 2FA simple with verification notifications that are pushed to your phone, so you don’t need to type a code to verify that you are in possession of the registered device.

If setting up 2FA sounds complicated, don’t worry. Google and Microsoft guide you through the process with a step-by-step wizard, and authenticator apps make the process easier than ever. If you’re worried about being locked out of your accounts, a third factor can be added, usually your phone number, which can be used if you lose access to the authenticator app.

If you decide to enable 2FA, you’ll find the settings in the security options for supported services. Microsoft, Google, and Facebook all support 2FA.