The recent Microsoft MFA warning has caused some confusion, leading some to think that multi-factor authentication as a whole was the target. As cyber security experts we’re setting the story straight about what Microsoft was really saying and how MFA is still your best cyber security tool.
MFA aka Multi-Factor Authentication: What It Is
Before you can use your computer or a smartphone, you have to “authenticate” yourself, usually with a password or PIN. That’s one-factor authentication.
When you go to a gas station and use your credit card you might be required to enter your zip code. That’s an example of two-factor authentication (2FA): pairing something you have (your credit card) with something you know (your zip code).
But cyber criminals are getting smarter and have found ways around that so multi-factor authentication has emerged. Basically simple but nonetheless scary to many people.
Types of Multi-Factor Authentication (MFA)
All MFAs involve two-factor authentication (2FA). MFA also makes use of a one-time password (OTP) that is generated and changes often. When you log in, in addition to your username and password, you need to enter the OTP. But there are different ways you can get that OTP and some are more secure than others.
Using an MFA app to generate your OTP is not included in the warning issued by Microsoft and is the most secure form of authentication.
You can download Microsoft Authenticator, Google Authenticator or several others from the App Store or Google Play. You then set up individual accounts within the app, which generates OTPs that refresh every 30 seconds. Whenever you’re prompted to enter an OTP, it’s as simple as opening the app to retrieve it.
With this type of MFA, cyber criminals will not be able access your account even if they have discovered your username and password because they don’t have the OTP. And the only way they could get the OTP is by physically stealing your phone.
Authentication By Text or Push Notifications
These types of authentication are part of the Microsoft warning because they are less secure than using an authenticator app.
With the text method, when you sign in to your account with your username and password, it triggers an OTP to be sent to your phone number by text (SMS). That doesn’t happen with push notifications. The OTP simply pops up and then disappears. Sometimes the push notification doesn’t contain a code at all but just prompts you to say “yes,” “ok” or otherwise acknowledge that you triggered the notification.
They are less secure than MFA by app because cyber criminals can steal your phone number without ever getting a hold of your phone. This is a crime called SIM jacking (or SIM swapping). Because it is on the rise, SIM jacking is likely the reason for Microsoft’s warning.
Microsoft warned against these two types of authentication because they want to encourage users to choose the app method (and site developers to include MFA by app as an option). While using the app method is preferable, it is not always available. It’s important to be clear that MFA by text or push notification is still better than having no MFA enabled at all.
If you need to choose one of these methods, MFA by text is better than by push notifications, which are inconsistent and can be easily clicked by mistake. If you use either, make sure to check back from time to time to see if the by app method becomes available for that site.
Multi-Factor Authentication (MFA) Bottomline
Choose to enable MFA using an authenticator app if you have the option. Don’t choose a less secure MFA method instead.
- If the app method is NOT available, choose text.
- If MFA by text is NOT available, choose push notifications rather than have no MFA at all.
There are times when you might not be allowed to have your smartphone with you, such as when working in high security areas. Hardware security keys offer even better cyber security than MFA with an authenticator app and don’t require a smartphone. The keys (e.g., Yubikey) are about the size of a USB with a screen to display your OTPs. Learn more about security keys.
MFA by email or phone call are not considered safe and are not recommended. Cyber criminals know how to mimic these prompts and use them to gain access to your systems.