Two-factor authentication (2FA) and multi-factor authentication (MFA) add additional levels of protection to an account log-in. When you have to enter only your username and one password, that is single-factor authentication. Two-factor requires the user to have two out of three types of credentials before being able to access an account. Multi-factor requires the user to have all three types of credentials before being able to access an account.
You should protect any online account that holds your payment information, reward points, personally identifiable information, money, investments, cryptocurrency, credentials, medical records, or payment cards. These online accounts can include your: Banking, Finance, Investment, Utility, Subscription, Government, Health, Retail Shopping, Social Media, and Technology Accounts.
Three types of user credentials:
- Something you know - Password, PIN, or Pattern.
- Something you have - Smartphone, ATM card, ID Card, App, Security Token FOB, etc.
- Something you are - Fingerprint, Facial Recognition, Voice, Behavior, Location, etc.
Why is multi-factor so effective? It’s pretty easy for bad guys to guess weak passwords - especially with all the personal information available today via social media. But hackers will have a heck of a time obtaining that something you have - such as the hardware or software security token or mobile phone you’ve authorized for verification texts. You need to have that mobile phone or token in hand to get the information you need to access your account.
EXPERT TIP - Use one form of Account Login Authentication for logging in, and a second, different Account Login Authentication for recovery.
Types of Account Login Authentication Methods
SMS Texts - This is the method where you're required to enter your password and then a one-time code that gets texted to your phone number.
Pros:
- You don't need an expensive smartphone to receive texts.
- In some cases, the code can be sent to you in the form of a robocall to have the numbers read aloud.
Cons:
- If your smartphone battery dies, you can't receive texts.
- If you’re traveling overseas or don't get service, you can't receive texts.
- To receive multi-factor texts, you have to provide your phone number to the company that issues them.
- This method is less secure than the others:
  - Scammers can use phishing scams to try to steal passcodes.
  - Fraudsters may trick you into entering a code into a fake website.
  - Criminals can clone your phone number. This is known as "porting": the criminal takes your existing cell phone number, transfers it to a different, fake account, and intercepts the text code.
Phones and Phone Apps - Apps allow your smartphone to act as a security key.
If you choose to use a mobile app, such as Google Authenticator, you scan the QR code presented by the site you want to log in to into the app. Once you do that, the app continually generates the numerical codes required for log-in. You also have the option to print out an image of the QR code for safekeeping. If you lose your phone, you just scan the code into a new one.
- Google Authenticator is available for Android and iOS phones, but you need to have a Google account to set it up.
- Other popular Account Login Authentication Apps include Microsoft Authenticator, Authy by Twilio, Symantec VIP, and Duo Mobile.
Pros:
- Because the app key is stored on your phone, you can use this method even if the device isn't connected to a network.
- If by chance someone manages to steal your phone number, they would still need your phone to retrieve the app key.
- It is less susceptible to phishing, because it doesn't rely on a passcode.
- You can get push notifications through the app.
Notifications without an App - Instead of installing an app, you can also set up a push-based system.
- Google Prompt, which sends notifications to all the phones signed into your Google account when a new log-in is detected. The notifications include location information for the log-in attempt. You then have the choice of approving or denying the attempt. Google Prompt prevents account hacking by sending notifications securely to only your signed-in devices.
- Apple has adopted a similar approach for its products.
Zero-factor authentication (0FA) - Emerging technology for frictionless mobile authentication.
- In zero-factor authentication, the user does not need to supply any information to authenticate at login or for sensitive transactions. Rather, the smartphone does the work.
- By using this 0FA method, the vast majority of legitimate users enjoy friction-free login, leaving additional authentication friction for the high-risk logins.
What makes this possible?
- Modern smartphones have built-in technologies and sensors.
- Advanced location technology that is being used for zero-factor authentication uses the combination of WiFi, GPS, cellular and Bluetooth signals to identify unique location environments and is able to pinpoint locations within a 10-foot radius. Using this location precision, it is now possible to create a unique location behavior pattern for each user that can be used as a unique identifier.
- No two users have the same location behavior pattern and each user’s location behavior pattern is dynamic and constantly changing, making it extremely difficult to mimic or forge.
- If a fraudster attempts to log in to a user's account with stolen credentials and the location pattern does not match, the login will be flagged as high-risk, requiring additional authentication steps in order to proceed.