BY: BOBBI LENTZ
Passwords are undeniably a time-tested and imperfect way for authenticating if used correctly. Passwords, alone, are not necessarily the best in these modern times. We are humans and we try to keep things simple and easy for ourselves which leads to potentially weak passwords that we rarely change unless forced to or that we re-use for multiple applications or websites. One enhancement to password authentication is Multi-Factor Authentication (MFA), also called Two-Factor Authentication (2FA).
Most of us, like Amazon and Verizon, are already using MFA. Most likely your bank is already using it as well. So, what is it and why is it important?
MFA means you need to provide at least two different pieces of evidence to access an account. These can be:
- Something You Know: password or PIN
- Something You Have: smart card, security token, SMS text to mobile phone
- Something You Are: commonly referred to as a biometric which might be a fingerprint, facial recognition or retina pattern
Amazon uses the Something You Know plus Something You Have. First, you authenticate with your password and then Amazon sends a One Time Password (OTP) by text to the phone registered in the account. You enter this OTP and then you are signed into your Amazon account.
By contrast, some banks require a password to authenticate and a PIN to fully access the account. This is not MFA. Both password and PIN are Something You Know which is one type of evidence, not two. This seems like MFA since you entered two things but the idea of MFA is that the evidence needs to be of two different types. This bank does also offer MFA to account holders. Once signed up for MFA, logging in requires a password, PIN and OTP text. The PIN is actually used to identify the device from which you are logging in. Select the choice that this is a computer you trust and the bank saves a cookie and does not require the PIN in future logons by the same account from that device.
Many websites are now offering (and sometimes requiring) account holders to establish MFA for their accounts. MFA does not mean you can be relaxed about the complexity of passwords. Always create strong passwords or passphrases as one level of protection. MFA, though not perfect, offers that extra level of protection against hackers. If hackers need to gain multiple pieces of information from someone instead of just one, it typically deters them. Hackers generally don’t compromise MFA-protected accounts. It is your personal and private information, protect it.