
Multi-factor Authentication

Multi-factor authentication (MFA) is also referred to as 2-factor authentication (2FA). Effectively, it means that having a user's password is insufficient to access their account. The user also needs access to something else, such as their mobile phone or their email address.

An example of this would be a one-time number that is sent to you via SMS or email. Many service providers will provide MFA as an option to help secure your account and may even offer you the choice of multiple mechanisms.

Two of the most common forms of MFA are a text message containing a PIN or an MFA application on a smartphone. While these can protect against certain forms of attack, cybercriminals have already found ways to circumvent them, using what is known as a social-engineering attack.

There are forms of MFA that provide a more robust defence against phishing attacks (e.g. a hardware key such as a YubiKey), but these are less common and often (as in the case of a hardware key) incur extra inconvenience and a non-trivial financial expense.

A smartphone application is generally preferred to a solution that sends you a PIN via text message or email.

While MFA is not perfect, if a site gives you the option of implementing MFA on your account, you should always make use of it. The convenience cost of doing so is usually low enough that it is still worth doing. Just remember that you are still vulnerable to social-engineering attacks (or even having your phone's SIM card cloned).

