
What is MFA and Why You Should Enable It

The biggest takeaway is: MFA can prevent account takeovers where credentials are compromised. That’s it.

Different forms of MFA exist, and some are stronger than others, but in nearly all cases enabling any MFA is better than enabling none – especially on important/crucial accounts.

From a security perspective, if the question is “Should I enable MFA?” Then yes, you definitely should. MFA is an added layer of protection from unauthorized account access.

What is MFA?

Multifactor Authentication (MFA; called two-factor authentication or 2FA when exactly two factors are used, and sometimes “two-step verification”) is an approach to authenticating a user that demands more than one kind of proof.

MFA requires a user to provide “proof” that they are indeed who they say they are beyond the traditional username/password for logging in to a service/website: on top of something they know (the password), something they have (a phone, an authenticator app, a hardware key) or something they are (a fingerprint or face).


For example, you may log in to your bank from a public computer. While you know it’s you logging in, your bank only sees a login from a machine it has never seen before and may treat it as suspicious; the second factor is what lets you prove it really is you.

Different forms of MFA

There are different forms of MFA; some are more secure than others.

Text-message (SMS) and email based MFA are generally regarded as the weakest forms of MFA.

Time-based One-Time Passwords (TOTP) and FIDO2 (the Fast Identity Online standard, most often used with hardware keys) are generally regarded as the strongest forms of MFA.

Weak(er) forms of MFA


SMS offers no end-to-end encryption: messages are readable by the carriers that relay them and can be intercepted in transit (abuse of the SS7 signalling network is one documented route). With the rise of SIM-swapping attacks, where malicious actors convince a carrier to “steal” your phone number and move it to a SIM totally under their control, the attacker simply receives your codes, so SMS as an MFA method is far less secure.

Despite this, SMS is probably the most common form of MFA as of writing. Most US banks, other key financial institutions, and government agencies still rely on SMS as their primary form of MFA.

Email is another common MFA method. It is arguably somewhat more secure than SMS-based MFA (though this mostly depends on the steps the user has taken to secure the email account itself), but email accounts are a prime target for malicious takeover through multiple attack vectors – especially phishing.

Email itself is still a popular vector for phishing attacks, so a user’s email account could be compromised simply by clicking on a malicious link sent directly to their inbox. Once that happens, every email-based MFA code, and every password-reset link, lands in the attacker’s hands.

Strong(er) forms of MFA


TOTP (using an “authenticator app”) is considered a secure form of MFA for most users out there. The code users enter is not random: per RFC 6238 it is computed by HMAC-ing the current time step (typically 30 seconds) with a secret shared once between your authenticator and the server, usually when you scanned the QR code during setup. A code is valid only for its time step (plus whatever small clock drift the server tolerates), and a well-implemented server also refuses to accept the same code twice.

FIDO2 is widely regarded as the strongest authentication method generally available to end users.

FIDO2 replaces shared secrets with public-key cryptography: the authenticator holds a private key that never leaves it, and the server stores only the matching public key. It supports passwordless authentication as well as acting as a second factor. It is phishing resistant by design: the browser (not the web page) records the site’s origin in the data the authenticator signs, and the authenticator only uses the credential it registered for that exact site, so a lookalike domain cannot obtain a usable response even when the user is fooled. Real-time “adversary-in-the-middle” phishing kits that relay a freshly entered TOTP code to the real site within its validity window (thus circumventing TOTP) are thwarted the same way.

FIDO2 is typically associated with hardware keys such as a YubiKey or Nitrokey, but the same protocol also runs on “platform authenticators” built into phones and laptops (this is what passkeys are). In either case the key replaces typed verification codes.

TOTP is still more common than FIDO2, but support for hardware keys is rapidly growing – for example, in January 2023, with the release of iOS 16.3, Apple officially introduced support for using a hardware security key as the second factor for Apple ID sign-in.
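The origin binding that makes FIDO2 phishing resistant is easier to see in code than in prose. The following is an added example, not code from the original post or from any FIDO implementation: it models the authenticator, the browser and the relying party (server) of a WebAuthn login and runs three constructed scenarios, a legitimate login, a replay of it, and a phishing page on a lookalike domain relaying the bank’s real challenge. The site names (bank.example, bank-login.example), the user “alice”, and the signature scheme are all assumptions: real authenticators sign with ES256 or EdDSA, but to stay on the Python standard library this uses a Schnorr signature over a toy-sized group, which is fine for showing the data flow and useless as real cryptography.

```python
import base64
import hashlib
import json
import secrets

# Toy signature scheme: Schnorr over a tiny safe-prime group, p = 2q + 1, G of order q.
# Real authenticators sign with ES256 or EdDSA; the group is small only so this runs
# on the standard library. The WebAuthn data flow below is what matters.
P, Q, G = 1019, 509, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)  # (private key, public key)

def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big")
    return e, (k - x * e) % Q

def verify_sig(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P
    return e == int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class Authenticator:
    """Security key or platform authenticator: one key pair per relying-party ID."""
    def __init__(self):
        self.credentials = {}  # rp_id -> (credential id, private key)

    def make_credential(self, rp_id):
        x, y = keygen()
        cred_id = secrets.token_bytes(16)
        self.credentials[rp_id] = (cred_id, x)
        return cred_id, y  # the public key goes to the server; the private key never leaves

    def get_assertion(self, rp_id, client_data):
        if rp_id not in self.credentials:
            return None  # no credential for this site, so there is nothing to sign
        cred_id, x = self.credentials[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
        return cred_id, auth_data, sign(x, auth_data + hashlib.sha256(client_data).digest())

def browser_get(authenticator, origin, challenge):
    """The browser, not the page, records the origin and derives the RP ID from it."""
    rp_id = origin.split("://", 1)[1].split("/")[0].split(":")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return client_data, authenticator.get_assertion(rp_id, client_data)

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}    # user -> (credential id, public key)
        self.pending = {}  # user -> outstanding challenge

    def register(self, user, cred_id, public_key):
        self.users[user] = (cred_id, public_key)

    def begin_login(self, user):
        self.pending[user] = b64url(secrets.token_bytes(32))
        return self.pending[user]

    def finish_login(self, user, client_data, assertion):
        if assertion is None or user not in self.users:
            return False
        cred_id, auth_data, sig = assertion
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.pending.pop(user, None):
            return False  # stale or replayed challenge
        if cd.get("origin") != self.origin:
            return False  # signed for a lookalike domain
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected_id, public_key = self.users[user]
        if cred_id != expected_id:
            return False
        return verify_sig(public_key, auth_data + hashlib.sha256(client_data).digest(), sig)

def run_scenarios():
    """Constructed demo: a legitimate login, a replay of it, and a phishing relay."""
    key = Authenticator()
    bank = RelyingParty("bank.example", "https://bank.example")
    cred_id, pub = key.make_credential("bank.example")
    bank.register("alice", cred_id, pub)

    client_data, assertion = browser_get(key, "https://bank.example", bank.begin_login("alice"))
    legit = bank.finish_login("alice", client_data, assertion)

    bank.begin_login("alice")
    replay = bank.finish_login("alice", client_data, assertion)  # old challenge in clientData

    # Attacker on bank-login.example relays the bank's real challenge to the victim's browser.
    phish_data, phish_assertion = browser_get(key, "https://bank-login.example", bank.begin_login("alice"))
    phished = bank.finish_login("alice", phish_data, phish_assertion)
    return legit, replay, phished, phish_assertion
```

`run_scenarios()` returns `(True, False, False, None)`: the phishing relay fails before any signature exists, because the authenticator has no credential for bank-login.example, and even a forged `clientDataJSON` claiming the real origin would not verify, since the signature covers the hash of the data the browser actually wrote. Contrast this with TOTP, where the user types a code that is equally valid on the real site and on the phishing page.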

Why you should use (strong) forms of MFA

MFA protects against unauthorized access and account takeovers in the event login credentials are compromised.

In the modern threat landscape, there are many ways account credentials could become compromised, such as (but not limited to):

  • A user could unknowingly install malware designed to harvest account credentials.
  • A user could input account credentials into a convincing phishing website.
  • A user’s credentials could be leaked in a data breach.
  • A user could reuse a password (or one similar enough) that’s included in “combo lists.”


Given the number of different attack vectors and threats to the confidentiality of login credentials, it’s easy for users to underestimate the risk through no fault of their own; it’s difficult for this post to even capture all the nuances of how account credentials could be leaked.

However, let’s cover a few that most users are bound to experience…

Thwart some phishing attacks

While FIDO2 (typically hardware keys) is the only mainstream MFA method labelled as directly phishing resistant, the presence of any MFA can turn an otherwise successful phishing attack into a failed account takeover attempt.

For example, let’s say a user is tricked into clicking on a malicious link. The malicious website presents itself as a carbon copy of the user’s banking website. The user enters their credentials into the phishing website, which then captures the credentials for the attacker to use later.


However, when the attacker attempts to sign into the user’s bank account, they must present the code sent to the mobile phone number on file for the account. The attacker does not have access to the user’s phone to retrieve the code, so the attacker fails the MFA step, effectively thwarting the unauthorized login attempt.

Naturally, in this specific example, if the attacker knew the phone number they could attempt to socially engineer the user into reading out the code, or use a phishing kit that relays the code in real time while it is still valid – but both are beyond the scope of this post.

To close the loop on this example: the bank should alert the user that there was a failed sign-in attempt on their account. The user should then use a different device to visit the official and known domain for the bank, log in, and change their password, since the captured one is now known to the attacker.

Combat weak or compromised passwords

Users frequently use (and reuse) fundamentally weak passwords. These poor practices help make password attacks like brute forcing and credential stuffing easier to successfully carry out for malicious actors.

Brute force and credential stuffing attacks

Brute-force and credential-stuffing attacks are almost always automated password attacks.

At their core, brute-force attacks assume user passwords are weak; credential-stuffing attacks assume passwords are reused, replaying username/password pairs taken from earlier breaches against other sites.

Brute-force attacks are guesswork: the attacker(s) rely on raw computing power to try combination after combination until coming across a “winner.” Technically, this password attack is considered “100%” successful because every possible password will eventually be tried – similar to trying every single combination on a padlock.

However, if the correct answer would quite literally take the attacker a million years to reach, then usually the juice isn’t worth the squeeze. The rate matters here: an online login form that rate-limits or locks accounts allows perhaps a few guesses per second, whereas an attacker cracking a stolen password hash offline can try billions of guesses per second on GPU hardware. Either way, a lengthy and complex password is simply harder to guess than a short, non-complex password.
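From the defender’s side, the two attacks described above look different in the authentication log, and the difference is what a detection rule keys on. The following is an added Python example (not from the original post): the log format, the RFC 5737 documentation addresses, the user names and the thresholds are all constructed for the illustration. It classifies each source address as brute force (many failures against one account), credential stuffing (many failures spread across distinct accounts) or normal, and lists accounts where an attacking source eventually succeeded, which is exactly the outcome MFA is there to prevent.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system); the source
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:03Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:04Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:05Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:06Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:07Z src=203.0.113.5 user=alice result=success
2024-05-01T10:01:00Z src=198.51.100.7 user=bob result=fail
2024-05-01T10:01:01Z src=198.51.100.7 user=carol result=fail
2024-05-01T10:01:02Z src=198.51.100.7 user=dave result=fail
2024-05-01T10:01:03Z src=198.51.100.7 user=erin result=fail
2024-05-01T10:01:04Z src=198.51.100.7 user=frank result=fail
2024-05-01T10:01:05Z src=198.51.100.7 user=grace result=success
2024-05-01T10:02:00Z src=192.0.2.9 user=dave result=fail
2024-05-01T10:02:05Z src=192.0.2.9 user=dave result=success
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")


def parse(log_text):
    """Yield (source, user, result) for every line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def analyze(log_text, min_failures=5, stuffing_ratio=0.8):
    """Per source address: many failures against a single account is brute force;
    many failures spread over mostly distinct accounts is credential stuffing."""
    attempts = defaultdict(list)
    for src, user, result in parse(log_text):
        attempts[src].append((user, result))

    verdicts, compromised = {}, set()
    for src, events in attempts.items():
        failures = sum(1 for _, r in events if r == "fail")
        users = {u for u, _ in events}
        if failures < min_failures:
            verdicts[src] = "normal"  # a typo or two, not an attack
            continue
        if len(users) == 1:
            verdicts[src] = "brute_force"
        elif len(users) / len(events) >= stuffing_ratio:
            verdicts[src] = "credential_stuffing"
        else:
            verdicts[src] = "suspicious"
        # A success from an attacking source means a password was guessed or reused;
        # with MFA enforced this line would have been a second-factor failure instead.
        compromised.update(u for u, r in events if r == "success")
    return {"verdicts": verdicts, "compromised": sorted(compromised)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The thresholds are deliberately simple; a production rule would also window by time and account for shared NAT addresses, but the shape is the same: brute force is one account and many passwords, credential stuffing is many accounts and one password each.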

In the scenario where your password is weak enough to be guessed

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/use-mfa