Multi-Factor is for EVERYONE


For years I have hosted education presentations and had casual conversations in which I promote multi-factor authentication.  I myself have it enabled for every account I possibly can.  Today, right now, this moment, you should enable whatever multi-factor option you have available for every account you can.


Multi-factor authentication is not just for ‘security elites’ or ‘techy nerds’.  Until we come up with a better way to verify our identities online than the traditional username and password, multi-factor protection is critical to maintain as much security as we can.  It is not perfect, there are caveats that I’ll touch on below, but it should be considered absolutely essential for everyone for every account you use online.  In many attack scenarios, multi-factor authentication stops attacks in their tracks.

The reason it should be essential for everyone is two-fold.  First, if a bad actor decides to take over any of your personal accounts, especially your email account, then you’re going to have a very bad time.  All of your email, phone contacts, text messages, pictures, and maybe even documents if you use cloud storage, could all be stolen, shared publicly, or deleted.  Your social media accounts could be taken over and controversial posts could be made that appear to have come from you.

The second reason is of course, money.  If a bad actor takes over your Amazon or eBay account, they can charge things to your credit card easily.  If they take over your social media accounts, they can run up huge bills by running fake advertising under your name if you have ever used a credit card on those systems.  One event could cost you hundreds or thousands of dollars.  You MAY be able to work with someone to get refunds or cancel these charges, although that certainly is not guaranteed.  Regardless of any bills they rack up, it will always cost many hours of your time to recover and may cause lasting damage to your reputation or cause you to lose access to your accounts permanently.

Why would I be targeted?

Criminals have motives that are all over the place.  Some specifically target rich targets, some specifically target big companies.  But many target whoever they can find, big or small, and may only want to cause havoc.  Even without any financial gain to be had, some will spend countless hours annoying whoever they can.

A bad guy may have found your email address in a leak of some kind, or they may have broken into a low security website about recipes or cars and got a list of those usernames and passwords.  These two cases are extremely common and because people re-use passwords, it is always worth their time to try those passwords on every popular site they can think of.

Phishing emails are another hugely popular attack.  Millions of emails get sent out to people and if they click the links in those emails, they may get infected with a virus called a ‘keylogger’ that steals everything you type, or they may trick you into typing your password into a fake website.  The bad guys never know what they might get, but they almost always get enough to make it worth their time.

What IS multi-factor authentication?

Mult-Factor Authentication, MFA, Two-Factor Authentication, 2FA, two-step authentication, multi-step authentication, are all referring to the same idea.  In the security world, the concept of ‘factors’ breaks down to three things:  Something you KNOW, something you HAVE, and something you ARE.  These are the 3 factors of security.  Multi-factor simply means that you use more than one of these factors during your login.  Using 2 of them is the most common.

Something you KNOW

Anything that you could type into a login box or select on screen, like a username, password, ‘security questions’, special picture, etc… are all things that you KNOW.  These things can be copied, shared, or stolen and used without your knowledge or presence.  There are many many ways that your login information can be stolen.  From guessing to a virus infection, using only something that you KNOW to protect an account is very thin security.  Some systems require a password and a picture and describe this a multi-factor security, but it is not.  Asking a user for 3 or 4 things during login, that are all pieces of information that they KNOW, is still single-factor, and does not increase protection from real-world attacks.

Something you HAVE

Something that you HAVE is the most common extra factor to add.  This is most commonly added by sending a text message to your cell phone number under the expectation that you will always be in possession of your phone and your phone number.  There are ways to take over a phone number, which is one of the caveats keeping multi-factor from being ‘perfect’, so in high-security environments text messages are not recommended.  Many systems only offer this method however, and it is certainly better than no multi-factor at all, so if it’s your only option, or you are new to multi-factor, use it.

A better option for something you HAVE, is a token or authenticator.  These come in several forms, both physical and ‘soft’.  The ‘soft’ tokens are usually apps installed on your cell phone like “Google Authenticator”, or “Authy”.  Physical tokens usually look like keychains.  Both types of tokens provide a 6-digit number that you must type in along with your username and password each time you log in.  The expectation here is that you will always be in possession of your phone, and if your phone is lost or stolen, you will know immediately, notify anyone involved in your account security, and re-sync your accounts with a new authenticator.

Some authenticator apps don’t require you to type in a code, but instead, they pop up a message asking you to approve the login.  This style is more user-friendly and can be found in apps like DUO and the Microsoft Authenticator.

A device being stolen is another caveat of multi-factor that prevents it from being ‘prefect’.  Someone’s phone or physical token could be stolen, and used to help a bad guy log in to an account.  Using a passcode on your phone and using biometric options like your face or fingerprint to unlock your phone help protect against this for phones, and being vigilant about keeping track of your physical token helps with those.

Something you ARE

Something you ARE is a very common factor today in the cell phone world with fingerprint and face login methods.  Also known as biometric logins, these are an excellent addition to your security because they are based on your physical body.  Fingerprints, eyes, hands, voices, walking patterns, and many more things can be used to identify you based on your body.  Generally, high security environments rely on biometrics in a big way.

It is worth noting however, that when these phone-based options are used, they only protect your phone, not your account.  For example, just because you enable fingerprint login for your bank app on your phone, does not mean that your bank account is protected by your fingerprint.  This only protects your bank app on your phone.  You (and a bad guy) can still log into your bank using a computer without a fingerprint.  So while using biometrics on your phone is a very good way to protect your phone, you still need to enable multi-factor options on your accounts.

In certain situations, biometrics have been defeated, by copying fingerprints for example.  This is another caveat that keeps multi-factor from being ‘perfect’, but all of these options raise the bar for an attacker and lower their chances of success in trying to take over your accounts.

Practical Security

I view security through a practical lens.  No security measure will ever be ‘perfect’, much like making something idiot-proof, there will always be a better idiot or smarter bad guy.  Or in the case of security, it’s usually a vulnerability, software glitch, or mistake being made that opens the door for the bad guy.

That being said, the overwhelming majority of attacks against ordinary people come via email, text messages, or social media posts and are performed by individuals or groups from various parts of the world that will never have any physical proximity to their targets.  This means that the caveats for multi-factor mentioned above that rely on physical proximity (stealing a phone, copying fingerprints, etc…) are highly improbable and practically ‘impossible’ for the attacker to take advantage of.  If an attacker knows that a target is worth millions of dollars, they may just step up and spend some of their own money to travel or hire a local thief.  But that is much closer to movie magic than reality in the vast majority of cases.

The practical impact of adding ANY of the multi-factor options mentioned above, is that your accounts will be safe from any attacker trying to take them over provided that you yourself do not fall for a scam where you are tricked into giving away your multi-factor information.  There could also be a glitch in the software that enforces multi-factor, or a bad employee that helps an attacker bypass your multi-factor, or bad security at a company that allows an attacker to bypass it easily.  These things are exceedingly rare though, and are the tiny exception to the rule.

Enable multi-factor now, and you will increase the security of your accounts beyond what a typical attacker is capable of compromising.