Multifactor Authentication
Strong passwords help secure accounts, but passwords can be lost, guessed, or stolen. Many modern systems support additional login factors, such as SMS text messages, authenticator apps, email verification, or biometrics. Using multiple factors to authenticate can improve your account security.
Learning Objectives
You should be able to:
- Describe multifactor authentication
- Install an authenticator app on a smartphone
- Register an account with multifactor authentication
Video Walkthrough
Use this video to follow along with the steps in this lab.
Authentication Factors
Authentication is the process of verifying that you are who you say you are. You should be the only person who knows your password, for example, so if you can provide the correct password, you verify that you are the account owner. Passwords are "something you know," but there are other types of authentication. Below are different authentication factors:
- Something you know (like passwords, answers to secret questions)
- Something you are (biometrics like a fingerprint, face scan, palm scan, retina scan)
- Something you have (such as a smartphone)
An attacker might be able to steal one of these things, but it is much harder to compromise more than one. For example, a hacker might steal your phone, but not know your password. A password might become disclosed in a data breach, but that would have nothing to do with your physical smartphone. Requiring multiple authentication factors can dramatically improve your account security.
Many of our accounts are low-risk and do not necessarily need multifactor authentication. Maybe you signed up for a small message board, and nothing terrible would happen if that account were compromised. But many accounts, such as email, are very important to secure. If your email account is compromised, attackers can reset accounts, cause embarrassment, and more. At a minimum, multifactor authentication should be turned on for email because email is often used to reset passwords for other accounts.
Multifactor authentication occurs when more than one type of authentication factor is used. Usernames, passwords, and personal identification numbers (PINs) are all "something you know," so if you are asked to provide all three at login, that is still only single-factor authentication.
Practical Advice for Multifactor Authentication
For websites (where the majority of people's accounts live), passwords are the common denominator. The second authentication factor is usually one of the following:
- SMS text message authentication
- Using an authenticator app
SMS authentication is essentially a "something you have" factor: ideally, only your phone is linked to your phone number. That seems reasonable enough. But attackers sometimes abuse phone number portability (the feature that lets you keep your phone number when you switch carriers) to take over a victim's phone number. Typically, only high-value targets need to worry about their phone number being stolen, but it does happen.
Authenticator apps are more secure than SMS authentication and should be preferred when they are an option. These apps are tied to a secret stored on your phone's hardware, not to your phone number. So even if an attacker were able to steal your phone number, they would not have access to the authenticator app on your smartphone. But if you lose your phone, you lose this second factor. If you use an authenticator app, it may be a good idea to have SMS verification as a secondary option. Many systems also let you generate backup codes in case your smartphone is not accessible. Those codes can be stored securely in a password manager.
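To make the "tied to the phone, not the phone number" point concrete, here is an added example (not part of the lab, and not any vendor's app code) of the RFC 6238 TOTP algorithm that authenticator apps implement: the QR code you scan carries a Base32 secret, and from then on the device and the server independently compute the same 30-second code from that secret. The secret used below is the RFC 6238 reference test value, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30) -> str:
    """What the app shows: HOTP where the counter is the number of 30-second steps since the epoch."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps to absorb clock drift.
    compare_digest keeps the comparison constant-time."""
    now_step = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, now_step + delta), submitted)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(b32: str) -> bytes:
    """Decode the Base32 secret from a QR code or manual-entry key (spaces and missing padding tolerated)."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


# RFC 6238 Appendix B reference secret: ASCII "12345678901234567890" (a known-answer value, not a real key).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, at_time=59))                       # 287082, the RFC test vector
    print(verify_totp(RFC_SECRET, "287082", at_time=80))      # True: still within +/- one step
    print(verify_totp(RFC_SECRET, "287082", at_time=200))     # False: code has expired
```

Note that a stolen phone number gives an attacker none of this: without the secret bytes stored on the enrolled device, no valid code can be computed.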
Download an Authenticator App
There are several authenticator apps available. Google makes one. Microsoft makes one. Other reputable companies make them. I was uncomfortable with how much I relied on Google, so I decided to install Microsoft's Authenticator app.
If you already have an authenticator app installed on your phone, you do not need to install another one (unless you just want to test another one out).
- Go to the app store for your smartphone.
- Search for "authenticator app."
- Below are the top results in the Apple App Store. The Microsoft Authenticator and Google Authenticator apps have similar (high) numbers of installs. Either app is a good choice. Avoid authenticator apps from companies that you do not recognize.

- I would recommend sticking with one of the following four authenticator apps unless your employer requires you to choose one outside of this list.
  - Google Authenticator
  - Microsoft Authenticator
  - Authy
  - Duo Mobile
- Install an authenticator app.
- Launch the authenticator app.
- Finish the authenticator app setup as prompted in the app.
Enable Multifactor Authentication on Gmail
This activity assumes that you have a Gmail account. Multifactor authentication setup should be similar for most email providers. Email is used here because it is likely the most critical account that you manage.
- Go to https://myaccount.google.com/.
- Click on the Security link, and click 2-Step Verification.

- You may be prompted to authenticate. This protects you in case you left your web browser open and somebody wanted to change your authentication options.
- You can set up SMS verification if desired. The remainder of this section will address authenticator apps.
- Click the Authenticator app link.

- Click the button to set up an authenticator.

- Launch the authenticator app on your phone and scan the QR code on your screen.

- In your smartphone's authenticator app, grab the code and enter it on the website.

- Test the 2-factor authentication.
  - Open an incognito/private web browser window.
  - Log in to your Gmail account.
  - After entering your password, you will be prompted for the code from your app.

  - Find the code on your smartphone and enter it.

  - You can optionally choose to remember this device (i.e., the web browser).
If you remember your devices, you will not be prompted for the second factor every time you log in.
Where to use MFA?
MFA comes at a cost of inconvenience. MFA fatigue occurs when people get annoyed that they constantly have to use their second factors just to access a service. When fatigue sets in, people may be tempted to disable MFA. To get the most value from MFA and reduce MFA fatigue, I recommend using MFA on the following accounts:
- Email. If an attacker can access your email, they can reset passwords for other accounts.
- Banks, credit cards, and other financial accounts. Protect your money.
- Any account you use to log in to another account. For example, if you use Facebook to log in to other websites, you should secure your Facebook account with MFA.
Beware
Scammers know how multifactor authentication works, and they have developed techniques to convince you to give them the second factor. Here is how a typical attack might look.
- A scammer somehow obtains your username and password. These could have been part of a data breach.
- The scammer initiates the login process. But the scammer knows that they need the second factor that only you have.
- The scammer calls you, pretending to be a customer support representative. They tell you that, to confirm your identity, they will be sending you a code. In reality, the code is sent by the legitimate site, triggered by the scammer's login attempt.
- You receive a text message or email with a temporary code, just as the scammer said you would. This might make you think the request is legitimate.
- You give the scammer your code.
- The scammer logs in with your username, your password, and the code you just gave them.
Be skeptical. Never give authentication codes to anybody over the phone. If in doubt, hang up, call the company using a number you looked up yourself, and determine whether your account has been compromised. It would be a good idea in this case to change your password as well.
Challenge
- Think about other critical accounts you manage. Set up 2-factor authentication with your authenticator app if those accounts allow it.
Reflection
- Why are authenticator apps better than SMS verification?
- How comfortable are you registering your biometric data with companies for authentication purposes?
- How might attackers be able to hack the 2-factor authentication process? (Hint: it might take some social engineering.)
Key Terms
- Authentication: The process of verifying the identity of a user, device, or system before granting access to resources. It ensures that the entity requesting access is who or what it claims to be.
- Authentication Factors: The different types of evidence used to verify an identity. Common factors include something you know (such as a password), something you have (such as a smartphone), and something you are (such as a fingerprint).
- Multi-factor Authentication (MFA): A security process that requires two or more authentication factors from different categories to verify a user's identity. This enhances security by making it more difficult for unauthorized users to gain access.
- Authenticator Apps: Mobile applications that generate time-based one-time passwords (TOTPs) or push notifications for multi-factor authentication. Examples include Google Authenticator, Authy, and Microsoft Authenticator.
- SMS Authentication: A method of multi-factor authentication where a one-time password (OTP) is sent to the user's mobile phone via SMS. The user must enter this OTP in addition to their regular password to gain access.