What to Know about Multi Factor Authentication

March 23, 2021 Update: In light of this article, I now consider SMS as a second factor to be worse than nothing. https://arstechnica.com/information-technology/2021/03/16-attack-let-hacker-intercept-a-t-mobile-users-text-messages/.

Transcript

How can you protect your money, your reputation and your privacy online? Strong passwords alone can’t do the job.

You need to know about Multi Factor Authentication, or MFA. That raises two questions: what is a factor, and what is authentication?

There are three common factors. One, something you have, like a key; two, something you know, like a PIN; and three, something you are, like your face. Authentication is the process of identifying yourself, proving that you are who you claim to be.

Welcome, my friend, to WTK, the “What to Know” show. I’m your host, Peter Whelan.

An example of a single factor is the key to your house, something you have. Your email address and password are also a single factor, something you know. Check out my “What to Know” show on passwords for an effective password management system.

Two factor authentication, or 2FA, is typically a combination of something you have and something you know. You’ve been using two factor authentication for years. As you know, when you withdraw money from an ATM, you use something that you have, your bank card, and something that you know, the PIN. Those are two factors. Multi Factor Authentication, MFA, is when you have three or more factors. Whenever you have the option of using MFA, take it. The service you connect to determines what factors are available to you.

SMS, texting a code to your phone, is the most common factor offered. It’s also the absolute worst. I hate it. It’s debatable if it’s worse than nothing. I’ll give you some tips to make it a better solution for you. The problem is that mobile companies make it easy to hijack your phone number. Teenagers have been caught executing the “port out scam”, also known as “SIM hacking”. Millions of dollars have been stolen with this method. Everyone from Selena Gomez to the CEO of Twitter has fallen victim to it.

I know what you’re thinking: I’m not a celebrity, no one is going to target me. You are relying on security through obscurity. Anyone, including you, can be a target. Shortly after I posted my “What to Know” show about bitcoin, my phone number was hijacked. Here’s what they do. The criminal transfers your number to themselves and you lose phone service.

Once the criminal has taken over your phone number, all the text messages meant for you go to the hacker. This opens a backdoor into your accounts. It’s then easy for the hacker to reset your passwords, regardless of how strong they are.

To get your phone number back, you’ll need to go to your mobile phone store, present photo ID, get a new SIM card, consent to a hard credit check and maybe a new phone plan. That’s if you’re lucky. The criminal could empty your bank accounts, harm your reputation and destroy your credit rating.

But let’s not make perfection the enemy of the good. I told you I’d give you tips on how to protect yourself.

To make it less likely that a port out scam happens to you, take these three steps.

First, ask your mobile company to restrict access to your account with a PIN, or to require that changes be made in person with photo ID.

Second, request that the credit rating agencies call you whenever someone tries to apply for a loan under your name. It’s free, and I’ll include a link to that in the show notes.

Third, it’s important that you keep your devices up to date. Have you noticed that after your devices get updated nothing seems to have changed? That’s usually because security holes have been fixed.

A much better factor is an authenticator app on a smartphone. Microsoft, Google and others provide these free apps.

You usually have your smartphone nearby, and it’s free for you, so I like that. However, smartphones have a wide attack surface. If the hacker can somehow access your phone, then they’ll have access to the authenticator apps as well.
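To show why an authenticator app beats SMS, here is an added example (not code from the show or from any of the apps named above) of the standard TOTP scheme those apps implement: the code is derived from a secret that stays on your phone plus the current 30-second time slot, so nothing is sent over the phone network for a port-out criminal to intercept. The secret below is the published RFC 4226/6238 test-vector value, used only so the output can be checked; the replay guard in verify_totp is an assumption about how a careful server would behave.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector key, NOT a real one.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the 30-second time slot."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: int = -1, skew_steps: int = 1,
                digits: int = 6):
    """Server-side check (assumed behaviour): accept the current slot plus
    +/- skew_steps neighbours for clock drift, refuse any slot at or before
    the last accepted one so a captured code cannot be replayed, and compare
    in constant time. Returns the accepted step, or None on failure."""
    now_step = unix_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        step = now_step + delta
        if step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, step, digits), submitted):
            return step
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted step:", verify_totp(DEMO_SECRET, code, now))
```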

Some phones have facial recognition or fingerprint readers, which makes them more secure.

A third factor can be something you are: your face or your fingerprint.

I like LastPass for password management. They now offer an adaptive multi factor authentication solution which includes many more factors such as the computer you are using, the time of day and where you’re located.

When you have the choice, use multiple factors to protect yourself.

To prevent an account takeover, the simplest and most secure method is a USB key with a fingerprint reader. This is a solution that has proven effective at Google, where they are under constant attack. Products such as the YubiKey cost between 20 and 80 dollars each. If you go that route, I recommend that you buy at least two keys. If you have only one physical key and you lose it, you face a lengthy process to get back into your accounts.