People sometimes ask me about the efficacy of multifactor authentication and whether they should use it. Whether you should use it is easy to answer: Yes, absolutely, everywhere you can. How effective is it? Well, that’s a little harder to answer. Multifactor authentication or MFA is good at doing what it was intended to do. In short, it adds an extra verification factor when determining whether a person is who they claim to be rather than relying solely on a password. Is it completely foolproof, keeping you 100% safe against password attacks? Absolutely not.

Why Multifactor Authentication?

Before MFA, a publicly known username and a secret password were the only credentials a person needed to sign in to various computer systems. The premise was that a password is a secret only that person would know. But weak passwords are easily guessed and reused passwords are often stolen. So having only one factor for determining a person’s authenticity, something as weak as a password, is not adequate. Adding a second factor, one that’s not so easy to guess or steal, was the logical next step. Ideally it should be something a person has or something a person is. Hence two-factor authentication, or 2FA, uses a password and something else. Multifactor simply means two or more; it’s just a more generic term allowing for three or more factors to be used. In most cases MFA only really involves two factors. The second factor is most often something someone has, like a smartphone or a one-time password generator. It could also be something someone is. This involves biometrics such as a retina scan, facial recognition or a fingerprint. These are unique to an individual and nearly impossible to fake. In many cases this is deemed enough on its own without requiring another factor.

So again, for what it does, MFA does a pretty good job. If someone finds out your email password and tries to sign in to your email account, they will be asked for a code that was sent to your phone, or maybe one generated by an app on your phone. Without being in possession of your phone, they won’t have this code. If your MFA uses a push request, you will get an alert on your phone that someone is trying to sign in. You simply decline or ignore it. In either case, the bad actor is blocked. For these cases, MFA works great.

Where it Breaks Down

Where basic MFA isn’t very helpful is in adversary-in-the-middle (AiTM) attacks, which are becoming more prevalent these days with Phishing-as-a-Service. In an AiTM attack, a bad actor puts their own website in between you and the site you’re signing into. Their website is a replica of the site you’re trying to sign into, but it is designed to capture your credentials. They do this by deceptively getting you to click a link that brings you to their site. Once there, you sign in thinking it’s the legitimate site. The bad actor captures your username and password and sends these on to the real site. If the real site uses MFA, you will approve the push, or receive the SMS text or generate your one-time passcode and enter it on the fake page, which relays it to the real site. At this point you’ve given them what they need. The bad actor may send you through to the real site so you don’t suspect anything is wrong. But now they have your session cookie, the token the real site issued once your MFA succeeded. As long as you don’t sign out, that cookie will give them persistent access to your account. If it’s your bank, they only need a few minutes to transfer funds. If it’s your email, they will set up rules to forward mail to their own account, or they may stay signed in and hide conversations they’re having with your contacts. If it’s a file storage account (e.g., OneDrive, Google Drive, Dropbox, etc.) they will certainly be downloading and deleting files.

What You Can Do

Despite its potential shortcomings, MFA is still far better than no MFA. If you have a choice of how you’re authenticated for MFA, follow this order from best to worst:

  1. Push notification to an Authenticator app on your phone.
  2. Generate a one-time passcode (OTP) in your app that you enter online.
  3. SMS text message to your phone with OTP that you enter online.
  4. Email or voice call. Avoid these unless that’s your only option.

If your authenticator app supports biometrics (face or fingerprint) to access it, use that too.

For the technologically minded:

Look into WebAuthn. If a web portal has this capability and your hardware supports it, go for it. WebAuthn is not susceptible to the AiTM attack described above: the credential is bound to the real site’s domain, and the browser signs the address of the page you are actually on, so a sign-in performed on a look-alike site is rejected by the real one. Authenticating through a fake site is just not possible, at least not presently. It’s also secure enough to use on its own without a password. Passwordless authentication is a growing trend. Unfortunately, not all sites support this yet.
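To show why the AiTM proxy fails against WebAuthn, here is an added illustration (not code from the original post) that models the relying-party checks on a sign-in assertion: the origin recorded by the browser, the hash of the relying party ID, and a signature covering both. The credential key, origins and challenge are constructed for the demo, and an HMAC stands in for the public-key signature a real authenticator produces.

```python
import hashlib
import hmac
import json


def rp_id_hash(rp_id: str) -> bytes:
    """First 32 bytes of authenticatorData are SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode()).digest()


def browser_sign_in(key: bytes, rp_id: str, page_origin: str, challenge: str) -> dict:
    """Model of what browser + authenticator return for navigator.credentials.get().
    The browser fills in the origin of the page actually loaded; neither the user
    nor the page script can change it, and the signature covers it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")  # flags=UP, counter=0
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, signed, hashlib.sha256).digest()  # stand-in for ECDSA (assumption)
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def relying_party_verify(key: bytes, expected_origin: str, expected_rp_id: str,
                         expected_challenge: str, a: dict) -> str:
    """Checks a real relying party performs; returns 'ok' or the reason for rejection."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch (replay?)"
    if cd.get("origin") != expected_origin:          # this is what defeats the proxy
        return f"origin mismatch: {cd.get('origin')}"
    if a["auth_data"][:32] != rp_id_hash(expected_rp_id):
        return "rpIdHash mismatch"
    signed = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), a["sig"]):
        return "bad signature"
    return "ok"


def demo() -> tuple:
    key = b"constructed-demo-credential-key"               # constructed sample value
    real_origin, rp_id = "https://login.example.com", "example.com"
    challenge = "constructed-challenge-use-random-bytes"    # constructed sample value
    # 1. Genuine sign-in on the real site: every check passes.
    ok = relying_party_verify(key, real_origin, rp_id, challenge,
                              browser_sign_in(key, rp_id, real_origin, challenge))
    # 2. AiTM: the user completes WebAuthn on the proxy's look-alike page; the browser
    #    records that page's origin (a real browser would refuse this rpId there anyway).
    proxied = browser_sign_in(key, rp_id, "https://login-examp1e.com", challenge)
    aitm = relying_party_verify(key, real_origin, rp_id, challenge, proxied)
    # 3. If the proxy rewrites the origin before forwarding, the signature no longer matches.
    tampered = dict(proxied)
    tampered["client_data"] = proxied["client_data"].replace(b"login-examp1e.com", b"login.example.com")
    edited = relying_party_verify(key, real_origin, rp_id, challenge, tampered)
    return ok, aitm, edited
```

Contrast this with the password plus OTP flow above, where nothing the user types is bound to the page it was typed on, so the proxy can replay it unchanged.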

Also check out FIDO2 devices such as the YubiKey. This puts all your authentication into a small USB device. Just plug it in and you’re authenticated to sites and devices that support it.

Then there’s Single Sign-On (SSO). That’s a topic for another day. Suffice it to say there are lots of ways to authenticate securely.

These options will take a little more setup than simply scanning a QR code. But if you, or someone you know, can set it up for you, it will give you better protection and better productivity.

Oh, and always remember to sign out of web portals before leaving. Don’t just close your browser. If someone does have your session cookie, signing out will invalidate it, signing them out as well.