Gravity Blog


Multi-Factor Authentication

Last month, Microsoft's director of identity security (Alex Weinert) wrote a blog stating that it's time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms.

… I know most of those words, but I've never seen them in that order before.

Yeah, that's fair. To start at the beginning, MFA (or 2FA) is Multi-Factor Authentication (or Two-Factor Authentication). Simply put, it waits until someone passes the first factor (usually a user name & password), and then contacts you to make sure you want that login to happen, adding the second part / factor into the mix. That means someone who "wants in" to your account needs to have access to your other method as well.

In another one of his posts, Alex states:

Your password doesn't matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.

While I'm not sure I agree with the assertion that passwords don't matter*, that isn't the point. The point is that a second part to the verification is important. (*That said, he's in a much better position to form that opinion than I am. He has a massive amount of statistics available to him. So there's a good chance he's right.)

Anyway, for a while now, systems and services have had the choice: give every user a physical device to use, or plug into what people already have available. Namely, email and phones. Automated systems would email, call or SMS/text you a code, you put it into the system from your end, and it was happy. But as email can be delayed or slow, many people favoured phones.

Since then, specific apps called authenticators have been made. An authenticator is a program/app that you put on your phone, which gets involved in the login process. It either prompts to see if it's you, or the system you're using asks for a time-sensitive code from the authenticator. The key information here is that the authenticator only comes into the picture after the password is entered. So if you get a prompt when you're not actively trying to log in, you know that your password is being used.

Now, as you would expect, both Google and Microsoft have created these apps (there are others of course, e.g. the one from LastPass). And some companies have created one just for their own services too, such as Steam & Blizzard (two computer game companies). In many cases, you can use any authenticator for any service. The important part is they all add that extra point of protection on your accounts.

And just before we jump back to the present, in September of 2017, Forbes reported that researchers were able to reset a Gmail account's password by intercepting the SMS/text code intended for the owner. And now, SIM swapping is a thing.

Which brings us back to now. Now is the time that you take the time to get an authenticator.

Ok, I'm sold. But who lets us use this non-SMS MFA thing, anyway?

Apart from the few names I noted above: banks, Facebook, Twitter, Amazon, etc. The Commonwealth Bank even issues a physical USB token to its business customers, which means – just like a car – you have to have the key to log in. Many other Australian banks seem to use their own mobile banking app instead.

A service I use doesn't have one of these fancy-pants authenticators, only offering SMS MFA. I should just disable the SMS, right?

Not so fast. Any form of MFA is better than nothing. Hopefully, that service will roll out another method soon. Until then, leave the SMS thing working.

NB - Did you know there is actually a third factor of authentication? The first factor is something you know (e.g. username, password). The second factor is something you have (e.g. your phone, a USB key). The third factor is something you are - in other words biometrics (e.g. fingerprint, voiceprint).