Best practices for multi-factor authentication

Major data breaches that potentially expose your data to bad guys have become a daily occurrence. The easiest way to protect yourself, even if your password is compromised, is to use two-factor authentication — but not all multi-factor authentication methods are created equal.

3 Best MFA Methods

Just because MFA provides an extra layer of security doesn't mean that cybercriminals can't bypass MFA and access your data. However, if you're using one of these methods, the chances of them cracking the code are very low.

Physical security key

Imagine being able to access your computer the way you access your house - with just a key. A physical security key is a physical key that, when inserted into a USB port , gives you access to your computer. However, the biggest drawback to using a physical security key is that it becomes quite difficult to access your device if you lose it.

It is important to note that there are two types of security keys: Bluetooth and USB. While both are extremely secure, physical security keys with Bluetooth capabilities are vulnerable to attacks where the password sent over Bluetooth is stolen. Such an attack is not possible when using a USB security key.

Biometric authentication

What if instead of carrying a key in your pocket, you were the key? Biometric authentication involves using a part of your body to authenticate. Common biometric methods include using a person's face, fingerprint, voice, handwriting, and vein patterns.

Biometric authentication has become increasingly popular in recent years since Apple introduced Touch ID in 2013 (Android devices also received fingerprint biometrics in 2014, with Android 4.4). Many people have started using biometrics for authentication because it is easy to use and extremely secure. Unlike physical keys that can be lost or stolen, you never forget your finger in a restaurant, right?

One-time password (authenticator app)

A one-time password (OTP) is a unique, one-time password that must be used within a certain time frame before it expires. There are many ways to receive an OTP, but the most secure is through an authenticator app like Google Authenticator .

With Google Authenticator, you have up to 60 seconds to enter an OTP before generating a new one. Not all OTP methods are equally secure. OTPs sent via SMS and email are not as secure.

Other MFA methods

Using any MFA method is better than using none at all. However, some methods are better than others. Here are the best of the best.

Push Notifications

In addition to letting you know you’ve received a new IG message or promotional offer, push notifications can also be used for security purposes. When enabled, push notifications are sent through the app of your choice and must be approved or declined. The beauty of push notifications is that they don’t require character input in the same way that, say, an authentication app does.

Push notifications are user-friendly, providing strong and fast security. The main weakness is that if your device is lost or stolen, the thief only needs access to your unlocked phone to authenticate with push notifications.

Phone

Let’s say you’ve logged into your bank account but have enabled 2FA via phone call. Once you enter the correct username and password, you’ll receive a phone call to the number on file and be given a second password. This method is secure enough if you have access to your phone, but phones can easily be stolen or lost. Not to mention that most phone calls are unencrypted. If a skilled hacker targets you, they can eavesdrop on your calls. Having just been sent an unencrypted password, they can easily steal your password and access your account.

One-time password (SMS or Email)

OTPs sent via SMS or email are not inherently insecure; however, they are among the least secure ways to authenticate users. SMS and email OTPs are appealing because they are both simple and easy to implement. Less tech-savvy users may not want to set up an authenticator app, may not know how (or want to) enable biometric authentication, or may not even know what a physical security key is.

The problem is that SMS and even email can be compromised. 2FA is of little use if the second password is sent to a cybercriminal. SMS messages can also be sent unencrypted and intercepted.

Security question

We've all filled out security questions. Common security questions ask for your mother's maiden name, your pet's name, and where you were born.

The problem with these questions is that anyone who views your Facebook account can find out this information. Another big problem is that these answers can be forgotten. Passwords and usernames are often recorded, whether in a password manager or elsewhere; however, the answers to security questions are not. If you forget the answers, cybercriminals won’t be able to access your account, but neither will you.

You have a variety of multi-factor authentication methods to choose from. Now that you know which method is most secure, you can make a more informed decision about how to best protect your data. Regardless of which method you choose, remember that any 2FA is better than none at all.