Multi-Factor Authentication (MFA)

Adding layers of security beyond just a password.

What is MFA?

Multi-Factor Authentication (MFA) adds an extra layer of security to your accounts by requiring two or more independent factors, each drawn from a different category:

  • Something you know (password)
  • Something you have (security key, authenticator app)
  • Something you are (biometric)

Why Use MFA?

  • Significantly reduces account-compromise risk: Microsoft has reported that accounts with MFA enabled are more than 99.9% less likely to be compromised, because a stolen or guessed password on its own is no longer enough.
  • Protection against password-based attacks such as credential stuffing, password spraying and brute force.
  • Defense against phishing that steals passwords, with one caveat: one-time codes (TOTP, SMS, email) can still be relayed in real time by adversary-in-the-middle phishing kits, so only FIDO2/WebAuthn security keys and passkeys are genuinely phishing-resistant.
  • Often required for compliance with security standards.

Types of MFA

1. Authenticator Apps (Recommended)

These apps generate time-based one-time passwords (TOTP, RFC 6238): the app and the server share a secret enrolled via the QR code, and the current 30-second time step is run through HMAC to derive a 6-digit code. Nothing is transmitted to the phone, so there is no SMS channel to intercept and no SIM to swap; the remaining weakness is that a code typed into a phishing page stays valid for the attacker until the time step expires.

  • Google Authenticator
  • Authy (offers encrypted cloud backup of the seeds; convenient, but it means the seeds exist somewhere other than your device)
  • Microsoft Authenticator
  • FreeOTP (Open Source)
  • Aegis Authenticator (Open Source, Android)
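An added worked example (not code from the original page or from any of the apps listed) showing what those apps compute, in Python with only the standard library. HOTP and TOTP follow RFC 4226 and RFC 6238 and reproduce those RFCs' published test vectors; the server-side verifier with a one-step drift window and replay protection is a typical policy assumed here, not something the page specifies.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at // step, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Apps receive the shared secret as base32 (otpauth:// URI); users may paste it with spaces or unpadded."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def otpauth_uri(issuer: str, account: str, secret: bytes, digits: int = 6, step: int = 30) -> str:
    """The provisioning URI that the enrollment QR code encodes (Google Key URI format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account, safe='')}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side check. Accepts the current step plus `window` steps either side to absorb clock
    drift, compares in constant time, and never accepts a step at or before the last successful one
    (RFC 6238 section 5.2): the same code cannot be used twice, which limits, but does not prevent,
    a phishing page relaying a freshly typed code to the real site."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now_step = (int(time.time()) if at is None else at) // self.step
        for candidate in range(now_step - self.window, now_step + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed (replay) or older than a code already accepted
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_accepted_step = candidate
                return True
        return False
```

The RFC seed `12345678901234567890` (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) gives `287082` at t=59 with the defaults above; a real deployment keeps `last_accepted_step` per user in persistent storage and rate-limits attempts, since a 6-digit code with a three-step window is only about one chance in 333,000 per guess.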

2. Security Keys (Most Secure)

Physical hardware devices using the FIDO2/WebAuthn protocols (and the older U2F). The key holds a separate private key per site that never leaves the device; at login the browser hands it the site's origin and a server challenge, and the key returns a signature over both. Because the signature is bound to the origin the browser actually loaded, a look-alike phishing site cannot obtain a signature the real site will accept, which is what makes this the only phishing-resistant option in this list.

  • YubiKey (Various models)
  • Google Titan Security Key
  • Thetis FIDO U2F Key
  • SoloKeys (Open Source)

3. Biometric Authentication

Uses unique biological traits. In practice the biometric rarely leaves the device: it unlocks a key stored in local secure hardware (Touch ID and Face ID with passkeys, Windows Hello), and that key then performs the cryptographic proof. Unlike a password, a biometric cannot be rotated if it is copied, so treat it as a convenient local unlock rather than a secret in its own right.

  • Fingerprint scanners (Touch ID)
  • Face recognition (Face ID, Windows Hello)
  • Voice recognition
  • Iris scan

4. SMS/Email Codes (Use with Caution)

Codes sent via text message or email.

  • Vulnerable to SIM swapping attacks (SMS): an attacker who convinces the carrier to port your number receives your codes.
  • Email accounts can be compromised, and an email-only factor is no stronger than the protection on the email account itself.
  • Subject to interception in transit (SS7 carrier-network abuse, malware that reads SMS) and to real-time relay by phishing pages.
  • Generally considered the least secure MFA method. Use only if no other option is available, and remove it as a fallback once a stronger method is enrolled, since attackers target the weakest method left enabled.

Best Practices

Enable MFA Everywhere Possible

Prioritize these critical accounts:

  • Email (your master key: password resets for almost everything else land here)
  • Financial services (Banking, Investments, Crypto)
  • Password Manager
  • Cloud storage (Google Drive, Dropbox, iCloud)
  • Social media
  • Work/School accounts

Prefer Security Keys & Apps

Use authenticator apps or security keys over SMS/Email whenever offered.

Secure Backup Codes

Store backup codes in a safe, offline location separate from your password manager, so that one compromised vault does not yield both the password and the recovery factor. Each code is single-use; regenerate the whole set if you suspect it has been exposed.

Multiple Methods

Configure more than one MFA method for critical accounts when possible (for example two security keys, one kept as a spare), so that a lost or broken device does not lock you out or push you back to SMS.

Regular Audits

Periodically review MFA settings, remove old or unused devices and phone numbers, and check that a weak fallback such as SMS has not quietly been left enabled.

MFA Security Checklist