What is Multi-Factor Authentication?

Tristan, ACM at UCSD, May 14, 2021

When I first started thinking about how I wanted to start this article, I thought at first to come at it from the angle of why everyone should be using multi-factor authentication and, truth be told, borderline criticizing those who don’t use it. I thought about it a little more and decided that’s not the way to do it. Recently, Google said they are going to start turning on multi-factor by default on all ‘eligible accounts’, so I don’t even have to push it on people, as it seems the tech industry will do that for me. Instead, I am going to use my time in this article to inform people, both techie people and lay people, on how multi-factor authentication can boost your security and privacy, and even potentially make it easier to log in to accounts you may share with your family and friends (more on this later). So without further ado, let’s jump in.

The best place to start is asking the question ‘What is multi-factor authentication?’ Now a lot of people might get upset at this question and say you should know what it is because a lot of different accounts support it. I don’t think this is the way to look at it though. Let’s start with the technical definition of what is considered ‘authentication’ in the security world (and yes, a lot of this can apply in the real world outside of technology as well). At this point in time, there are 5 categories of authentication: 1) something you know, 2) something you are, 3) something you have, 4) something you do and 5) where you are. These are the ‘factors’ of authentication (as referenced in Foundation of Information Security), and using more than one of them is multi, hence the name multi-factor. That’s a great start, but what does each of these mean for us? Well, let’s do a quick definition and example of each:

1) Something you know is probably the most common of the factors that you see in technology and your day-to-day life. The password you enter to see your email account, the PIN you use to access your work or debit card, or even those weird security questions that some accounts use to verify you are all things that you know. It also tends to be called the weakest in security, since we humans (yes, including me) tend to be terrible at remembering things and at making up original things. Think of 5 of your most used accounts and their passwords. Are they all the same, and if they aren’t, do they use a similar base for the password with slightly different variations? If you answered yes, don’t be embarrassed, we all do it, but that’s what we are here to learn about!

The common password above in the wild

2) Something you are is one that has become much more prominent in recent years on mobile technology such as smartphones and laptops. Think of the fingerprint scanner (ex: Touch ID on iPhones) or face scanner (ex: Windows Hello) on your phone or laptop. These are actually fairly secure, since replicating a biometric attribute is fairly difficult for the normal person. This does not mean it’s impossible: there have been instances of people lifting fingerprints from water glasses at restaurants, making 3D-printed faces, and even printing pictures of irises and using contact lenses to fool scanners. Scary stuff, but that doesn’t mean you should immediately turn off your fingerprint and face scanners, because quite frankly, an attack like that would have to be targeted at you specifically, and at that point your threat model would be significantly different from a normal person’s. One thing I will mention in closing is that once this particular form of authentication has been compromised, it is compromised forever unless you can change fingerprints or faces, so out of all of these it is the one that cannot be changed.

Fingerprint is something you are

3) Something you have is the factor that you may not think you use, but that you actually use fairly often. A few examples of something you have, in no particular order: debit cards, identification such as a driver’s license, and physical keys (both real ones and things like Yubico keys). As you can tell, out of all the factors we have listed so far, this one is one of the few that would be fairly difficult to replicate without stealing something or having advance knowledge of a particular security model. However, like the other factors, it is still not invulnerable. If someone steals your keys, then this entire factor is basically moot, assuming you have nothing else in place. It is also often fairly difficult to change something like a house lock for every door, and the same goes for things like debit cards if they get stolen. As we will talk about later, this is often why things like Yubico keys (physical keys for online accounts) and debit cards require something like a password or PIN to use them, even if you have the key or card. Another common form of this factor is one-time codes, those 6-digit numbers that change every 30 seconds that you might have in an app on your phone. Using this form would require someone to steal your phone, which is why it constitutes something you have.

Yubico Key for online accounts

4) Something you do is one of the more uncommon ones and is often the least used in the security world, because it tends to be the most unreliable in terms of false positives. An example of this would be a CAPTCHA, those pop-ups online that have you confirm whether really blurry pictures contain buses or bikes. While this may not seem like authentication, you are authenticating that you are a human, not a bot. I think everyone here can agree that CAPTCHAs are annoying. They do serve their purpose of keeping bots out of sites and logins, but they are generally not a great experience for the user. I can’t tell you the number of times I’ve failed a CAPTCHA because of an unreadable word or weird-looking buses that, even with my college eyes, I cannot for the life of me read. The point is that this authentication factor isn’t usually used for security, but it actually tends to be one of the better ones because it is so difficult to replicate. Not only that, but it can be changed fairly easily too, unlike something you are.

We all hate it, but it does ‘authenticate’ you

5) Where you are is the factor you probably have the least direct interaction with, but it is probably the one that has allowed you to catch attackers more than any other factor on this list. Take your Netflix, Google, or Amazon account as an example, and let’s say you live in Canada. If you or another person attempts to log in to any of these accounts from Germany, these accounts will often block the login and send an email to the address associated with the account. It usually says something along the lines of ‘Hey, we noticed some suspicious activity on your account, which is being logged into from Germany. Was this you?’ Unless you’re actually in Germany, this usually means your account password has probably been compromised and it’s time to change it. This is the most common form of authentication, and it is fairly hard to spoof without breaking the account login. That said, it isn’t uncommon for companies to let the account stay logged in and instead just warn the customer via email, so take of that what you will.

Where you login matters

That was a lot, but now we have listed and defined the ‘factors’ that will help us understand multi-factor. Multi-factor is defined as any authentication that requires 2 different factors from the above list, and no, using two of the same factor does not count. For example, having a password and then having to use a fingerprint scanner is two-factor authentication, since it’s a combination of something you know and something you are. But we already know this, so why is repeating the same factor, such as two passwords, not multi-factor? It is true that it would theoretically make it harder for an attacker to get access to an account if both passwords were completely different and the attacker didn’t know one of them. So that’s easy, right? Well, not exactly. The problem with using the same factor twice is that whatever let an attacker obtain the first one usually lets them obtain the second one the same way. Take our password example and consider how the average person makes a password. It’s not hard to show that humans are not very good at coming up with original ideas. Take the word ‘password’, which has been seen 3,861,493 times in its plaintext and hashed forms according to haveibeenpwned. That’s crazy, but now consider somebody who has to make two passwords for an account. Yeah, imagine using password and then password1. This is the problem with using the same factor. We can even switch out the second password for those security questions that some companies require you to fill out, like the name of your best friend, your birthday, and your SSN. However, somebody who is looking to break into your account can easily find most of this information online through a Facebook profile (which doesn’t even need to be yours!) or through some googling.

What happens when you use password as your password…

Alright, we are officially through the background, but why do we need multi-factor? Straight off the bat, it is more secure. If an attacker breaks into any of your accounts because they know your password, they are immediately blocked by another layer of authentication that requires them to get hold of another factor, one that might be significantly harder to acquire. Now, this does not mean you should make a weak password and a strong second factor. The idea is that having two layers of security is better than one, which doubles the effort it takes for an attacker to get into your account. What about accounts that aren’t important, like that random account you made that one time to access a sketchy movie online? Well, if you put in your real name, email, or birthday, or even just logged in, you have already given that account information that is personal to you. It can be used to potentially steal your identity or to build a profile of you that can be used for social engineering. Even just logging in means the site has your IP address, which could lead to somebody finding your general location. That is a threat you should be worried about. Or what about somebody using that same information to threaten a family member, listing all these things they know about you, and then using that to get money out of them without ever having to make an actual threat? That is the potential harm of not utilizing more secure login tools like multi-factor authentication. Yes, it is more inconvenient, but in the long run it could save you a lot of trouble, time, and even money. A lot of people will say ‘I have nothing to hide’ and that if someone gets access they can’t do anything with their accounts because there is nothing important on there. We have already tackled this a little bit, but let’s go in-depth.

Let’s tackle the argument of ‘I have nothing important’ and/or ‘nothing to hide’. The simple argument I will make against this is the question: “Would you leave your front door open and unlocked?” I think the immediate answer would be no. You may have nothing to hide, but I think most people would be reluctant to leave their front door open to the world. What about the ‘nothing important’ argument? Well, if you forget your bank password, how do you reset it? One word. Email. So, when I say that you should use multi-factor on something like your email, it’s not because I am trying to make it more inconvenient for you; it is because somebody who has access to your email can reset the passwords to most of the other accounts you own, including banks, cellular accounts, and at times even things like your work accounts. Ironically, enabling multi-factor on all of these accounts might save you from somebody who manages to break into your email. The idea is that you assume you are already compromised, and you make it harder for an attacker to move across all your other accounts even if one is compromised. This is the power of multi-factor authentication. Everyone, no matter who you are, should use it. Google is already going to make it a default for any eligible accounts, and if you don’t already have it enabled, you should enable it. I will attach a few resources below for the most common email accounts and other accounts to get you started.

In conclusion, I hope I was able to persuade you on why you should use multi-factor authentication for your accounts, and even if you don’t fully agree with me, I do hope that you at least consider making your one-factor accounts a little more secure. My goal here is not to force my security posture on you, but to make you more aware of the dangers of treating security as a secondary thing in this online world we live in. We are constantly seeing news and articles about ‘accounts being hacked’ or ‘accounts being breached’ when it was a bad password and no multi-factor authentication. Sometimes that’s all it takes to get access to a whole corporate network. The hackers you see in movies are, for the most part, few and far between. So what can you do? As a first step, make a long password (the longer the better) and give every account a different password. On any account that offers multi-factor (two-factor in most cases), turn it on. Share and spread this article around to inform your friends and family about the risks that they expose themselves to every day!

If you have any questions or feel that anything is incorrect, please reach out to tristantjan@pm.me and stay safe out there as we learn about this digital world together!

References:

Some accounts that allow multi-factor authentication:
