May 15, 2024 · Credit, Investment, Savings, Security

Always Factor in Multifactor Authentication to Help Secure Accounts

What is Multifactor Authentication, how does it work and why is it important to you?

Multifactor Authentication (MFA) offers multiple layers of protection for accessing accounts on websites, mobile phones, tablet computers and desktop applications (or apps). One way of explaining the concept of MFA is to compare it to placing your house keys in a safe deposit box (a secure container with limited access) that can be opened only by a biometric scan of your face—a unique authentication method personalized to one person that would be difficult for a hacker to breach or imitate.

MFA also has other names; it is sometimes called two-factor authentication or two-step verification. Regardless of the name used, MFA is a cybersecurity measure for any account that requires anyone logging in to prove their identity in multiple ways. It usually operates by someone entering their username and password into a website or app, and then authenticating their identity through a separate action, such as a facial or fingerprint scan. Alternatively, MFA may require the user to enter a one-time-use code, sent in a text message to a mobile phone, within an allotted time, or to respond to an email sent to the account’s registered email address. Some accounts will require the user to approve access with a standalone authenticator app on their mobile phone, such as Microsoft® Authenticator or Google® Authenticator.

Why require more than an action (or a set of actions) to prove that you are you? Because MFA has proven to be effective at making it hard for hackers to access your online accounts, even if they know your passwords. While no cybersecurity method is perfectly secure, MFA has shown that, overall, it is a useful method for improving security and preventing illegal access to personal financial, social media, gaming and other types of accounts.

MFA may take a small amount of additional time to set up for all of your secured accounts, but once you have MFA active, proving your identity with MFA usually adds just a few seconds to the log-in process.

More and more types of accounts are adopting and then requiring MFA for users

Increasingly, the companies supplying accounts are requiring MFA on them, but if a user is given the choice to have MFA, they should opt in so that it is active. MFA adds an entire layer of security on your important accounts beyond your passwords. Your data is precious and important—multiplying its protection is highly recommended.

Because of the enhanced security MFA can provide, it’s a good idea to implement multifactor authentication for any account that permits it, including (but not limited to) all accounts associated with:

  • Work
  • School, including high school, colleges and universities
  • Email
  • Credit cards
  • Banking
  • Investments
  • Online stores
  • Online auction sites
  • Instant messaging
  • Social media
  • Videogaming platforms

What are some forms of MFA that someone might encounter on their accounts?

MFA may take several different forms, depending on how an account supplier enacts it. Some of the more common MFA forms include:

  • Inputting an extra personal identification number (PIN) as well as your password
  • The answer to a security question, such as “What town did you go to high school in?”
  • A code sent to your email address or texted to your mobile device that you must enter within a short span of time or the code deactivates and a new code must be initiated
  • Biometric identifiers, such as facial recognition or a fingerprint scan
  • A standalone authenticator app that requires you to approve each attempt to access an account by clicking either an “approve” or “deny” button or by selecting and confirming a matching code between the account and a mobile device
  • An additional code either emailed to an account or texted to a mobile number
  • A secure token, which can be a separate piece of physical hardware such as an encrypted, insertable USB key fob, that verifies your identity with a database or system. The fob may also have a fingerprint verification scanner built into it.

Can MFA be hacked?

While MFA is one of the more recent—and better—ways to secure personal accounts, there have been reported instances where hackers have bypassed MFA. However, some of these situations involved a hacker seeking MFA approval to access an account multiple times, ultimately with the account owner approving the login, either due to confusion or annoyance. Repeatedly attempting to log in to an account with stolen credentials, so that approval is requested of the account owner over and over, is known as an “MFA Fatigue” attack.

If you are receiving MFA login requests and you aren’t trying to log in, do not approve the requests. Instead, contact the account provider right away and change your password for the account immediately to a unique password you have not previously used. Also, if you reused that password for any other account, change that one to something unique too. Ideally, use a virtual private network (VPN) whenever accessing accounts and changing passwords. Always protect one-time passcodes received via text messages or emails like passwords, and don’t share them with anyone.
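On the account provider's side, the repeated approval requests described above appear as a burst of MFA prompts for a single account, which can be flagged automatically. The sketch below is an added example, not part of the original article or any Delta Community system; the event format, the 10-minute window and the threshold of four prompts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, account, prompt result.
SAMPLE_EVENTS = [
    ("2024-05-15T02:10:05", "alice", "denied"),
    ("2024-05-15T02:10:40", "alice", "timeout"),
    ("2024-05-15T02:11:15", "alice", "denied"),
    ("2024-05-15T02:11:50", "alice", "timeout"),
    ("2024-05-15T02:12:30", "alice", "approved"),
    ("2024-05-15T09:00:00", "bob", "approved"),
    ("2024-05-15T13:30:00", "bob", "denied"),
    ("2024-05-15T17:45:00", "bob", "approved"),
]

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_PROMPTS = 4                  # assumed threshold: prompts per window


def detect_mfa_fatigue(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return alerts for accounts that receive a burst of MFA prompts.

    A burst that ends in "approved" after earlier refusals is the
    highest-risk case: the owner may have given in, so that session
    should be revoked and the password reset.
    """
    recent = defaultdict(deque)  # account -> (time, result) inside the window
    alerts = []
    for stamp, account, result in sorted(events):
        now = datetime.fromisoformat(stamp)
        q = recent[account]
        q.append((now, result))
        # Drop prompts that have aged out of the look-back window.
        while q and now - q[0][0] > window:
            q.popleft()
        if len(q) < max_prompts:
            continue
        refused = sum(1 for _, r in q if r != "approved")
        if result == "approved" and refused >= max_prompts - 1:
            alerts.append((account, stamp, "approved_after_burst"))
        elif result != "approved" and len(q) == max_prompts:
            alerts.append((account, stamp, "prompt_burst"))
    return alerts
```

A `prompt_burst` alert is a cue to warn the account owner and throttle further prompts, while `approved_after_burst` calls for treating the new session as suspect.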

While MFA is typically safe and one of the best ways you can bolster the security of your personal accounts, using it doesn’t mean that you can let down your guard and be less vigilant about other aspects of online security.

Besides MFA, there’s more to know about improving personal online security…

More information on protecting yourself, your network and your personal computing and communications devices is available from free, monthly Delta Community Financial Education Center webinars on many different money and security-related topics. Please visit the Financial Education Center's Events & Seminars page to register for its no-cost, on-demand webinars.

Delta Community’s blog and security posts have more detailed recommendations on handling online personal security: