Multi-factor authentication: Your guide to better online security

The most secure online journeys involve more than one step to get you started. Welcome to multi-factor authentication or MFA, which requires more than a password to log you in. Read on to find out why this little extra effort is worth a lot in the fight against cybercrime. And did you know that Avira Password Manager manages more than strong, unique passwords for your online accounts? It comes with a smartphone authenticator so you can easily generate secure codes and help say “NO” to unauthorised access, even if your login credentials are stolen.

 

What is multi-factor authentication?

You have complex, unique passwords for all your online accounts (right?) so when it comes to online security you may be dusting your hands and thinking “My job here is done”. Not so fast. It’s a start—but your security could be that much stronger with multi-factor authentication or ‘MFA’.  As the name “multi” suggests, this involves multiple more steps than a mere password. If that sounds time-consuming and tedious you wouldn’t be entirely wrong. Trust us, it’s worth it—because whatever is an extra fuss for you is a terrible additional hurdle for hackers who may be lurking to steal your data, identity, and even drain your bank accounts. Thank you for joining us in making life tougher for them.

To sum up: MFA is an account login process that requires users to enter more information than just a password. You’ll typically be asked to enter a one-time code that’s sent to your email address or mobile phone—or you might need to answer a security question or scan a fingerprint. Some security-conscious users purchase the Titan Security Key from the Google Store, which promises to be phishingresistant.

And here’s why it’s called multi ‘factor’ (and not, for example, multi-step): Authentication methods in IT are called factors and there are three of them: A knowledge factor (so something you know, like a password), a possession factor (something you have, like a card or device) and an inherence factor (something you are, which refers to your biological or physical characteristics).

Is there a difference between two-factor authentication (2FA) and multi-factor authentication? 2FA requires only two types of authentication while MFA requires at least two, and possibly more. This means that all 2FA is multi-factor, but not all MFA is 2FA! And here’s something they both agree on: They’re each better than a single factor.

The idea behind MFA (and 2FA) is that if your password is hacked, the unlawful third party won’t be able to log in to your account (unless they steal your phone along with your password, for example, which would be tremendously bad luck). What if a cybercriminal suddenly laid their hands on your PayPal or social media passwords? What damage could they do? Twitter staff found out in 2020 when around 130 Twitter accounts were breached, and hackers scrawled offensive messages on CEO Jack Dorsey’s feed. Let’s explore why we all need more than just a password.

Why is multi-factor authentication so important to your online security?

We lead increasingly digital lives and effective cybersecurity is essential in safeguarding them. Just think of the wealth of information stored on you right now—from personally identifiable information (PII) and confidential health records to your bank and credit card accounts. Businesses preside over intellectual property, plus customer and employee data. And that’s not to mention everything we’re constantly creating ourselves, such as photos, videos and social media profiles! Every ‘byte’ is tasty to cybercriminals and therefore vulnerable to theft, loss, and damage. It’s not just a few files being deleted; data misuse can have serious real-world consequences: Armed with key information like your name, address, and date of birth, scammers can create another ‘you’, and open bank accounts in your name. If they help themselves to your login details, they can go on online shopping sprees or order hundreds of pizzas. Identity theft and account takeovers have even resulted in serious damage to victims’ careers, reputations, and credit histories. Don’t take your digital self lightly!

IT Governance research revealed that 3,478 publicly disclosed security incidents took place in March 2024 alone. Many of us are simply not doing enough to protect ourselves online, and MFA solutions offers an extra layer of protection. If one log-in credential becomes compromised, unauthorised users will fall at the second authentication hurdle and won’t be able to access the device, network, or database that’s in their crosshairs.

What types of MFA are there—and are some more secure?

Multi-factor authentication uses several different methods to verify user identities. Here are the most common:

Email and text codes: After entering your email/username and password, you’ll receive an email or text which contains a link to a verification web page or a one-time passcode (OTP). You’ll have to enter this code to log in to your account. 

Verdict: The traditional approach is popular because anyone with an email account or mobile phone can use them without downloading another app. Hackers can intercept OTPs though, for example through a SIM-swapping attack.

Authenticator apps (soft tokens): Some websites and online services use third-party applications which generate one-time codes on the user’s mobile device to help verify their identity. Google Authenticator and Microsoft Authenticator are popular choices, but you can see a current review of authenticator apps here.

Verdict: Experts usually consider them less vulnerable than email and text codes. In very rare cases, hackers have breached authentication app providers! Authy was hacked via its parent company Twilio in 2022, for example.)

Free Avira Password Manager blends expert password management and secure storage with a smartphone authenticator. In addition to creating and storing strong, unique passwords (and syncing them across your devices), it also generates one-time passcodes. So even if your login details are breached in a data leak, you can sleep more easily knowing that your online accounts are still not easily accessible!

 

External devices (hard tokens): These look like a fob or dongle with a small screen and are used by plugging them into a computer’s USB port where they generate an OTP for each login attempt. Hardware tokens must be physically present for a device to be authenticated. 

Verdict: Experts tend to consider them even safer than soft tokens because cybercriminals can’t virtually bypass these devices. They’d have to physically steal or replicate them!

Biometric authentication: “Look into my eyes” has never been less romantic. Biometric data like iris (eye) and fingerprint scanning, as well as facial and voice recognition, are increasingly being used to verify a user. Because they’re based on physical characteristics, the legitimate user must be physically present, making these a particularly secure choice.  

Verdict: The current reigning champion of secure logins. Your face is more unique than your password. This MFA is also convenient because you can’t forget to take your eyeballs with you, for example—and it’s available on many devices. There are concerns that low-tech ones can be spoofed (i.e., cracked using a sample stolen from the user).

Push notification: Another convenient and secure MFA method involves sending a push notification to the user’s mobile device. When logging in, the user receives a prompt on their device to approve or deny the sign-on attempt. This method relies on the possession of the device so it’s less susceptible to interception.

Verdict: Push notifications provide a balance between security and convenience, making them a popular choice for MFA implementations.      

Smart cards: These are used primarily in corporate environments and contain embedded chips that store authentication data. Users must insert the card into a reader and enter a PIN to gain access.

Verdict: Smart cards offer robust security but can be less convenient for everyday use. They are particularly effective in password-less authentication scenarios, but the user needs to have the card with them and remember the PIN.

What are the benefits of multi-factor authentication?

Less definitely isn’t more when it comes to protecting your data and while good cybersecurity will never eliminate risks, it can help reduce them. We’ve summed up why it’s worth giving your lonely password a powerful ally with MFA.

Add extra layers of security to your online accounts:  As you’ll have realised by now, it’s a question of security layers. MFA offers more of them. Cybercriminals must successfully access at least two credentials, including probably a device or app. That requires more skill, hard work (and luck). 

Gain greater control of your data: Companies can rest assured that the information they’re storing or sharing with third parties is more secure, helping them comply with industry standards for security. And as a ‘normal’ user, you can sleep more easily knowing that your online data (like confidential health or tax records) is better protected and less accessible to unauthorised access.

Work remotely more securely: Employees working remotely are a hot favourite target for cybercriminals trying to gain access to a system! Adaptive MFA can help prevent this by examining a variety of factors (including location, device type, and user behaviour) when verifying identity. We explore this new type of MFA below.

Even with MFA, it’s still important to practice good password hygiene. Create unique and strong passwords for each of your accounts and store and manage them with the help of a trusted Password Manager like the free Avira Password Manager. It includes a smartphone authenticator so you’re getting MFA built in too. (The premium version even alerts you if your email has been exposed in a data breach). Reusing passwords is a big “nono” as it makes it easier for cybercriminals to gain access to multiple accounts. MFA helps mitigate these risks but remember: The ultimate combination for keeping data safer is strong passwords + MFA.

 

What is adaptive MFA? 

As the name suggests, adaptive Multi-Factor Authentication (MFA) changes the level of authentication required by assessing a range of factors. So ‘traditional’ MFA requires a fixed set of steps and adaptive MFA is dynamic and evaluates a range of risk signals. That’s not as complex as it sounds—let’s see what happens in practice.

Imagine you’re an employee who typically accesses certain business applications and the company database during normal business hours. Adaptive MFA would examine the security policies that apply to a user like you and easily grant you the standard access you require. It would ‘know’ that you’re meant to be there and not present extra security hurdles for you to leap over. But…if things suddenly changed, it would become suspicious. For example, if you were to suddenly log in at the weekend, at night, from another IP address, the MFA system would determine a potential risk and throw different security challenges your way, such as biometric identification or additional questions.

The factors assessed by adaptive MFA can be divided into the following categories: Geolocation (are you logging in from a different location or device?), device type (new laptop?), time of access (like Cinderella, different restrictions may apply after midnight), and of course user behaviour (are you suddenly trying to access different resources or have you typed the password in wrongly multiple times?).

The benefits of MFA are two-fold: Companies enjoy improved security because they can be (more) sure that only authorised users are accessing their data and networks. Users are relieved because they waste less time navigating various security layers (as long as they’re not doing anything unusual). Greater protection and productivity? Yes, it’s a winwin.

Adaptive MFA systems are also intelligent and use artificial intelligence and machine learning to evolve. They continuously monitor and learn from user behaviours and access patterns, helping to improve the accuracy of risk assessments over time.

What are the challenges to MFA? 

Now that you’re well-versed with the pros of multi-factor authentication, are there any drawbacks? Sadly, yes, and usually we humans are the weakest link in the security ‘chains’ protecting our online selves. If you use the same password for your email and app logins, this will pose a risk to MFA which sends a code to your email. Unless we’re vigilant, we can fall prey to phishing and social engineering attacks that could trick us into revealing our login credentials. Man-in-the-middle attacks try and intercept user credentials as they’re entered into a hacker’s fake network. Worried yet? We haven’t even mentioned keyloggers, which can record keystrokes and send them to a cybercriminal. Also, MFA can get inconvenient for us if we need to leap through multiple hoops every time—and if our primary MFA device (like a smartphone) fails, we’ll find ourselves locked out of our online accounts. There are no perfect systems; just perfect intentions. 

What does the future of multi-factor authentication hold? 

Cyberthreats will always continue to evolve and so too must our defences. We hope we’ve persuaded you that a single password simply won’t cut it! Thankfully, innovations in biometric and adaptive authentication are making MFA more secure, seamless, and convenient than ever. Nothing is ever likely to be 100% foolproof but multi-modal biometric systems are now on the rise and promise to help increase accuracy and protection by combining several biometric identifiers. They can even analyse our typing patterns and mouse movements to help detect fraud. That sci-fi future we read about as children is here…

Passwords are still an essential first line of defence! 

Advancements in cybersecurity technology don’t mean that users can rest on their laurels and ignore sensible precautions. Every little helps and multiple layers of online and device security are essential in keeping us safer. Please make sure that every password for all your online accounts is complex and unique—no pet names or reused passwords. If it’s easy to remember, it can be more easily guessed by a hacker! See our handy guide on how to generate strong passwords that are more likely to withstand a brute-force attack (whereby hackers use trial and error to crack your password).

Avira Password Manager generates strong passwords and helps securely store them. It can also be set to automatically log you in to your online accounts and helps warn you of weak or reused passwords. And don’t forget: The built-in authenticator generates single-use codes when you log in to your accounts, so you’ll have MFA at your fingertips too.

 

This post is also available in: GermanFrenchItalian

Exit mobile version