So what is MFA all about?

MFA (Multi-Factor Authentication) or 2FA (Two-Factor Authentication) is a simple yet effective way of improving the security of application services by adding another means of checking your identity when you log in.

The trouble with passwords as the sole means of authentication is that even a password that is secure in itself (complex, not reused on any other account and stored in a password manager) is still vulnerable to being stolen. This can happen in a number of different ways. One of the most common is for the attacker to send the intended victim an email containing links to a fraudulent website or a malicious attachment (a so-called phishing attack), designed to capture usernames and passwords and store them for later use by the attacker.

MFA adds another layer of protection by requiring a second authentication factor. Passwords provide one factor, “something you know”. Other factors are “something you have”, such as a smartphone or hardware key, and “something you are”, such as a fingerprint or facial recognition, which are examples of biometrics.

Passwords and biometrics work well when they protect a physical device. For example, smartphones with high-resolution cameras can be configured to require both a PIN and facial recognition to unlock the phone. For web applications and cloud services, passwords combined with smartphone apps or SMS text messages are commonly used. For simplicity, we will use the example of a smartphone app.

To use MFA, the service provider must support it and will publish a list of the iOS and Android apps that can be used with their service. Many of these apps are free. The account owner typically registers their smartphone app with the service by scanning a 2D barcode. From that point on, anyone attempting to log in to the account must provide the username and password as normal but must also enter a time-limited code which is sent to the registered smartphone app. Some service providers allow the authentication app to display a notification that a login is being attempted, and all the user needs to do is tap an on-screen button to allow or deny the login without opening the app. Many service providers, including Microsoft Office 365 and Google, allow administrators to make MFA mandatory for all their user accounts.

To see how this works in practice, let’s revisit the scenario from the CommSec blog article “Anatomy of a Phish”. In brief, Billy is attempting to hack Rodney’s email account for nefarious purposes and has sent Rodney a phishing email. Rodney has clicked on a link in the email, and his Office 365 username and password have been captured by Billy’s fake web page. In that scenario the attack was successful, and Rodney’s stolen email account was used to relieve a customer of a large sum of money, much to the embarrassment of his employer.

However, this time Andy the IT Manager has enabled and enforced MFA for all the company’s Office 365 users. Now when Billy uses the stolen credentials to attempt to log in to Rodney’s email account, he is also asked to enter the code that has been sent to Rodney’s smartphone, which he does not have access to. He therefore cannot log in, and the attack fails. Embarrassment and legal proceedings avoided!

The moral of the story is that you should use MFA for personal and work accounts wherever your service provider offers it. Doing so is free and greatly improves your online security. A word of warning for personal accounts, though: make sure you set up an additional verification method, such as your home or office phone, that can be used to access your account in case your smartphone is lost or stolen!

Ian Shiel is Head of Operations in CommSec