Whitepaper | Is Multi-Factor Authentication A Silver Bullet For Protecting Your Data?

Multi-Factor Authentication (MFA), also called Two-Factor Authentication (2FA or TFA), is the use of one or more additional authentication methods, beyond the password, to verify a user's identity. The additional factor is normally something the user physically has (such as a smartphone, hardware token or smart card) or something the user is (biometrics such as fingerprint or face recognition). Modern MFA implementations typically use a smartphone, either to receive a one-time code via SMS or an authenticator app, or to approve the login with a tap in an app.

It is now commonly accepted that modern MFA blocks 99.9% of automated account-takeover attempts (a figure that originates with Microsoft's analysis of attacks against its own accounts), but why is this?

In traditional criminal investigations, investigators look at three key elements: means, motive and opportunity.

Unfortunately, with account takeover, particularly when the system is internet-facing, all that is required to carry out an attack is an internet-connected device, anywhere in the world. This means that billions of people have both the means and the opportunity to commit account takeover attacks.

Multi-Factor Authentication combats this problem by requiring a second verification method tied to something the attacker does not possess, which is far harder to fake from a remote location.

When a modern smartphone is used for MFA, a third verification is often added transparently to the user. Most modern phones require a PIN or a face or fingerprint scan to unlock, and in doing so the user has provided a third proof of identity.

It may not seem like much, but by glancing at an iPhone and pressing the accept button in an authenticator app, the person attempting to log in has shown that their face biometrically matches the enrolled user, and they have done so on the one device that holds the credential the login requires.

Defeating MFA is not impossible, but in most cases gaining access to an MFA-protected account becomes far too costly for an attacker, and they move on to easier targets.

The usual process for a criminal breaking into accounts is automated credential stuffing and password guessing: take a list of a million or more email addresses and a database of billions of possible passwords (typically drawn from earlier breaches), and use automated tooling to try combinations over and over until one works.

When an account is protected by MFA, breaking into that single account requires targeted physical action, such as pickpocketing the device or SIM-swapping the phone number. The attacker would then have to overcome the device's PIN or biometric lock, and only then could they begin guessing the password, with each guess taking seconds rather than the high-volume automated guessing that is possible against accounts protected only by a password. It is for these reasons that MFA is able to block 99.9% of attempts to illegitimately access accounts.

Very few criminals have the means to overcome MFA, and even those that do know they will get far more lucrative results pursuing the other 999,999 accounts, each of which can be targeted in a matter of hours, rather than spending weeks trying to break into a single MFA-protected account.

MFA should be set up wherever it is available; if that is not practical, it should at the very least be enabled on a user's most important accounts, such as internet banking and email.

It is not often considered, but most modern online systems rely on the user's email account as a backup verification. If the user forgets their password, the 'I've forgotten my password' function sends a message with password-reset instructions to the user's email address.

If a criminal were to gain access to an email account, they could use it to reset many other passwords and ultimately take over many other accounts. This is why it is important to protect email with a strong, unique password or passphrase, one not used anywhere else, and to enable MFA on the email account.

To discuss cybersecurity protection strategies for your business, leave your details below and an expert will get back to you.

Or call us on +618 8238 6500
