Multifactor Authentication — MFA

Why introduce MFA?

If your organization has not yet implemented multifactor authentication, you are at significant risk. The traditional password is no longer enough when logging into applications.

The reality is that your credentials are frequently compromised. Passwords are already out there on the dark web for a bad actor to purchase, along with your username. This is why relying on a single factor — your password — is no longer sufficient to protect your accounts and your business.

MFA requires three authentication factors to verify your identity:

1. Your username — something you know
2. Your password — something you know
3. An exclusive token — something only you have access to

By adding that third factor, even if a bad actor has your username and password, they still cannot access your account without the token that only you possess.

Different forms of MFA

There are several common methods for delivering that second factor of authentication:

• SMS — A code sent via text message to your phone
• Authenticator app — A time-based code generated by an app on your device (preferred method)
• Phone call — An automated call to verify your identity

Why authenticator apps are the preferred method

While SMS and phone call verification are better than no MFA at all, they have significant weaknesses. Both depend on a static phone number that can be compromised if exposed. If someone gains control of your phone number through a SIM swap attack, they can intercept your verification codes.

Authenticator apps are superior because they require the original phone and are tied only to that device. The codes are generated locally and never transmitted over the network, making them significantly harder to intercept.

A well-known example of SMS vulnerability: Jack Dorsey's Twitter account was compromised through a SIM swap attack, illustrating that even high-profile individuals with strong security awareness can be victims when relying on SMS-based authentication.