Multi-factor authentication

The Points

  • Passwords are not secure because most people use short, guessable passwords and reuse them across different sites.
  • Multi-factor authentication can prevent hacks.
  • There are several methods of multi-factor authentication.

Why passwords aren’t secure

Passwords keep our digital life secure, or do they? Despite being used for everything from email to banking, passwords, as implemented, are a relatively insecure method of securing accounts. That’s because most people don’t use secure passwords and reuse passwords across different sites with little or no variation. Let’s focus on the second reason - reused passwords.

As cyberattacks have become rampant in the past decade, passwords are a primary target. Hackers know that people reuse passwords and they exploit it. Everyone should assume that their “go to” passwords are already compromised - in the hands of hackers who can now access any other account where the same password was used.

What is multi-factor authentication

One solution to this problem is to use strong unique passwords. But even with strong unique passwords, it’s a good idea to add a second level of protection. The current advice is to secure your account with something you know and something you have. Something you know is the password and something that you have can come in a few forms, but most often it is a code sent to your phone. By using this second level of authentication, you are protecting yourself from the hackers that, as we said, probably already have your password.

Types of multi-factor authentication

There are three main types of multi-factor authentication:

  • codes sent via SMS message or a phone call
  • codes received from an app (e.g. Google Authenticator, Authy, and 1Password)
  • USB security keys

While all of these methods add security, there are pros and cons to each. Let’s take a look at each in more detail.

SMS messages

Most of the time, multi-factor authentication (MFA) codes are sent via SMS text messages. This type of MFA requires the least amount of configuration, making it easy to deploy. Unfortunately, phishing attacks are getting more sophisticated and include ways of prompting you for your password and MFA code on a fake website, after which the hackers enter the password and MFA code on the real website. So just because an account uses MFA doesn’t mean that you can let your guard down.

Authenticator application

Similar to SMS messages, authenticator applications run on your phone or computer and generate a new six-digit code every 20 seconds. Also relatively easy to implement, this has the same conveniences and drawbacks as SMS messages do. If you are using a password manager, like 1Password, you can include the MFA code in the login item, making it even easier to autofill your username, password, and MFA code.

Physical (USB) security key

Physical security keys are another method of MFA that don’t have the same drawbacks as SMS messages and authenticator codes. They typically come in the form of a small USB device that plugs directly into your computer. These keys can work in a number of ways, depending on the protocol being used, but usually they constantly generate long and unique codes that are automatically transmitted to the website or app. Yubico, one of the leading manufacturers of security keys, even makes a key that works over the wireless NFC protocol and is compatible with iPhone and Android devices.

Get started

The website 2fa.directory shows a list of the most popular websites, by industry, and which types of MFA they support (text, phone, authenticator applications, security keys, etc.). For most people, email and financial accounts are the most important to protect: financial accounts for obvious reasons, and email because all of your other accounts, including financial ones, can be reset through your email. So once email is compromised, everything else is extremely vulnerable. If you have any questions or need help getting started, please reach out to hello@sprucepointgroup.com.