What is multi-factor authentication (MFA) and why should I enable it?
Multi-factor authentication, or MFA, is a way of confirming that you are who you say you are, and it’s usually used along with your username and password. It’s authenticating that you’re you and not a hacker who has stolen or guessed your username and password.
It’s a super easy way to stop attackers from getting access to your company and all its (and your) data!
How does it work?
After you’ve entered your username and password, you’ll be asked for a second factor to confirm it was you trying to log in. This won’t happen every single time you log in, so you won’t be bombarded with phone notifications constantly.
Each app will have a different way of doing multi-factor authentication, so some may send you a login code in a text message; others may ask you to use an authenticator app, such as Google Authenticator, Microsoft Authenticator, or Duo Security. They are free to use and you set them up a single time. After that, you just get notifications on your phone that ask you to confirm you’re you, or give you a short code to enter during login.
It looks something like this, with or without the hot beverage:
Why should I bother setting up MFA/2FA/2SV?
Multi-factor authentication is an incredibly effective way of keeping bad guys out of your and your company’s data. If every employee sets up and uses multi-factor authentication for every SaaS app they can, it makes the entire company that much safer from hackers. This isn’t just our opinion - tech leaders and cybersecurity experts agree:
Microsoft: “One simple action you can take to prevent 99.9 percent of attacks on your accounts”
AWS: “MFA is the best way to protect accounts from inappropriate access” - Top 10 security items to improve in your AWS account
Google: “On-device prompts helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.” - New research: How effective is basic account hygiene at preventing hijacking
UK National Cyber Security Centre (NCSC): “One of the most effective ways of providing additional protection to a password protected account is to use MFA.” - Password policy: updating your approach
and even the US president: “The President is calling on Americans to move beyond just the password to leverage multiple factors of authentication when logging-in to online accounts.” - FACT SHEET: Cybersecurity National Action Plan | whitehouse.gov
How often will I be prompted to authenticate?
Luckily, you don’t have to do this every single time you log in. Most apps will send you a prompt if it’s been a while since your last login, if you’re on a new computer or phone, or just every once in a while even if you’re using it regularly, just to confirm that you are who you say you are.
What if I get an alert on my phone, but I didn’t log into the app it’s asking me about?
Confirm that it wasn’t you logging in by selecting “no”, “deny”, or a similar negative response on the prompt. It would also be a good idea to let your security or IT team at work know when this happens so they’re aware that someone might be trying to get access to your account.
What if I get a lot of alerts or notifications from the same app on the same day?
If you’re getting a bunch of notifications about your account, it could be a hacker trying to get you to allow them into your account. Continue saying “No this wasn’t me” or “deny” or a similar negative response to block the attacker and let your security/IT team know immediately.
Is two-factor authentication (2FA) different?
Nope. MFA and 2FA are just different ways of saying the same thing. Different companies and organizations use different terms for the exact same thing. We think it’s just because they’re trying to confuse everyone and, hey, it’s working!
What about two-step verification (2SV)?
Guess what? 2SV is exactly the same as MFA and 2FA. You’re most likely to run into the two-step verification (2SV) phrasing when using Google.