Keep Your Data to Yourself with Multi-Factor Authentication


Looking back over the articles I’ve written for the Gazette, I see many of them mention multi-factor authentication (MFA), also known as two-factor authentication. Simply put, this is an extra control on your information beyond passwords. Even if your user ID and password are stolen, this added level of authentication can keep the bad guys from stealing your data.

To recap, MFA takes several forms. In its simplest iteration, after entering your ID and password, you get a text message with a unique code that expires in a short period of time. Enter this code on the website or app and you’re in. Other forms of MFA include a special app that generates the same kind of codes, or small hardware keys you need to insert into your computer.

As with all cybersecurity issues, the bad guys have not been idle or content to let MFA thwart their efforts. They have devised ways to get around this extra level of protection, and you need to be aware of these to remain safe.

Some MFA methods allow you to keep a list of backup passcodes. If your phone is lost and you can’t receive text messages, these backup codes can allow you to get through the MFA process. However, if the bad guys get access to these codes, they can also get in. If you download the codes for future use, make sure not to leave them somewhere an electronic interloper might be able to access. The best method is to print the list and then delete the electronic version.

Another issue is so-called MFA fatigue. Say the bad guys get your user ID and password, and then ask your online account to send you an MFA request. Although you can answer NO to these attempts, if they send them multiple times, you may assume it’s a legitimate need after a few tries, and allow it. That’s doubly bad—now not only do they have access to your account, but they can insert a phone number they control as an approved device. You’ve effectively lost control over your access. It’s better to always say no if you don’t recognize the request. Some MFA apps allow you to report a fraudulent attempt as well, which is a good idea.

These days, your cell phone number is used to identify you in many scenarios—frequent shopper programs, health appointments, and MFA itself. If the bad guys uncover your cell number, they can sometimes trick your cellular provider into forwarding your number to one that they control. Then any MFA requests involving only a text message will automatically get routed to the bogus number. The solution? It’s two-part. First, be careful about giving out your cell phone number. Second, if the MFA you’re using has an option beyond just a simple text message (such as an authentication app), always use that.

For more information on modern ways to keep your information secure, see my article “What’s a Passkey and Why Do I Need One?” in the June 2023 edition of the Gazette.
