Multi-Factor Authentication (MFA)

A light, beginner's guide to multi-factor authentication.

By Tanya Janca · Oct. 02, 19 · Presentation

Recently, you may have noticed me calling out several Canadian banks for not allowing users to add multi-factor authentication (MFA) to their online banking accounts. This blog post will detail what I mean by this, why it’s important, and why I’m pushing for it.

Me, hassling a Canadian Bank about their lack of MFA

You can follow community activities online on this topic with the hashtag #MFAally.

Two-factor or multi-factor authentication (2FA or MFA) means using more than one factor to prove that you are the real, authentic, you. A “factor” of authentication is a method of proving who you are, to a computer. Currently, there are only 3 types: something you have, something you are and something you know.

Something you have could be a phone, computer, token, or your badge for work. Something that should only ever be in your possession.

Something you have

Something you are could be your fingerprint, an iris scan, your gait (the way you walk), or your DNA. Something that is physically unique to you.

Something you are

Something you know could be a password, a passphrase, a pattern, or a combination of several pieces of information (often referred to as “Security Questions”), such as your mother’s maiden name, your date of birth, or your social insurance number. The idea is that it is only something that YOU would know.

When we log into accounts online with only a username and password, we are using only one “factor” of authentication. Many of the accounts that are broken into, and much of the data that is stolen, are compromised because only one factor was in use.

When passwords are breached, users that have a second factor of authentication are still protected. When someone tries to brute force a system or account that has MFA enabled, even if they eventually get the password, they won’t have the second factor in order to get in. Using a second factor makes your online accounts significantly more difficult to break into.

Microsoft Authenticator app

When Cloud Shell logged me out on stage (how embarrassing!) at #MSIgniteTheTour in Hong Kong this past winter, I used my username and password (2 things that I know, meaning two of the SAME factor), plus the Microsoft Authenticator app (something I had), on my phone (something else that I had), which asked for my fingerprint (something that I am).

That means I logged back in using all three factors of authentication. Even though I know it inadvertently made a great demo of the Microsoft products I was using, getting logged out mid-demo was embarrassing...

Demo-failure aside, let’s talk about what MFA is, what it is not, and why it is so important.

Examples of MFA

Multi-Factor: Entering your username and password, then having to use a second device or physical token to receive a code to authenticate. The username and password are one factor (something you know) and using a second device is the second factor (something you have).

Not multi-factor: a username AND a password. These are two examples of the SAME factor; they are both something that you know. Multi-factor authentication means that you have more than one of the different types of factors of authentication, not one or more of the same type.

Not multi-factor: using a username and password, and then answering security questions. These are two of the *same* factor, something you know.

Me attempting to demonstrate “Something you know”
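To make the "Examples of MFA" list concrete, and to show why the brute-force scenario above fails against a second factor, here is an added example (not code from the article or from any vendor's SDK) of a login check that requires two factors of *different* types: a salted password hash (something you know) and an RFC 6238 time-based one-time code of the kind an authenticator app on your phone produces (something you have). The user record, salt and password are constructed for the demo; the TOTP seed is the published RFC 6238 test-vector secret so the generated codes can be checked against the RFC's table. The verifier also refuses to accept a code a second time, so a code that was observed once cannot be replayed even by someone who has since obtained the password.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Everything in this file is constructed demo code, not the article's or a vendor's.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time-step the code matched, or None.  Accepts +/- `window`
    steps to tolerate clock drift; comparison is constant-time."""
    base = at_time // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 for the 'something you know' factor
    (iteration count kept modest so the demo runs quickly)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (hypothetical user "alice").  The TOTP seed is the
# RFC 6238 test-vector secret, so e.g. totp(seed, 59) == "287082".
DEMO_SALT = b"constructed-demo-salt"
USERS: Dict[str, dict] = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,   # highest time-step already accepted; blocks replay
    },
}


def login(username: str, password: str, code: str,
          at_time: Optional[int] = None) -> Tuple[bool, str]:
    """Both factors must pass: the password (something you know) and a TOTP
    code from the user's device (something you have).  A password plus a
    security question would be two checks of the SAME factor, not MFA."""
    now = int(time.time()) if at_time is None else at_time
    user = USERS.get(username)
    if user is None:
        # Still do one hash so response time does not reveal which usernames exist.
        hash_password(password, DEMO_SALT)
        return False, "unknown user"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad password"
    counter = verify_totp(user["totp_secret"], code, now)
    if counter is None:
        # Password alone is not enough: a guessed or leaked password stops here.
        return False, "bad or stale code"
    if counter <= user["last_counter"]:
        # A code that has already been accepted (or is older) is never accepted again.
        return False, "code already used"
    user["last_counter"] = counter
    return True, "authenticated with two factors"


if __name__ == "__main__":
    seed = USERS["alice"]["totp_secret"]
    print("code at t=59:", totp(seed, 59))  # 287082 per RFC 6238
    print(login("alice", "correct horse battery staple", "287082", at_time=59))
    print(login("alice", "correct horse battery staple", "287082", at_time=59))  # replay
    print(login("alice", "wrong password", "287082", at_time=59))
```

In a real deployment the seed is generated per user with a cryptographic random source at enrollment, stored encrypted, and shared with the phone once (typically as a QR code); the `last_counter` field lives in the user store, not in process memory, so the replay check survives restarts and works across server instances.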

Many in our industry are in disagreement as to whether or not using your phone to receive an SMS (text message) with a pin is a “good” implementation of MFA, as there are known security flaws within the SMS protocol and some implementations of it.

My (potentially unpopular) opinion is that I would rather have a pretty-darn-good second factor of authentication than only one factor, and that if this is the trade-off (convenience versus perfect security) needed to convince the average user to adopt 2FA, I’m in favour of using SMS as a second factor.

The number one piece of security advice that Azure Security Center gives anyone and everyone is to enable multi-factor authentication on all of your subscriptions; protecting the keys to your (cloud) kingdom is paramount. In fact, enabling multi-factor auth (MFA or 2FA for short) is industry best practice, and is constantly prescribed by security professionals to technical and non-technical people alike for all of their important accounts. Yet strangely, less than 10% of accounts on Google and other popular platforms have 2FA enabled. Why?

I suspect that the reason is twofold: (1) it’s not always convenient, and (2) the public simply does not understand the risk. And while most of us are not in a position to change #1, every one of us can work on changing #2.

I’d like to appeal to you, dear reader, to try to explain MFA to someone in your life, at work or at home, and ask them to enable it on their important accounts. I’d also like to ask you to enable 2FA for yourself, both at home and at work, if you haven’t already. It might save you or someone you love from some serious heartache.