You’ve likely seen or heard of two-factor or multi-factor authentication, but what exactly is it, and is the increased security worth the extra effort?
Two-factor authentication (abbreviated 2FA) and multi-factor authentication (abbreviated MFA) provide an extra layer of security when authenticating (signing in) to a website. Authentication can be done with something you know (such as a password), something you have (such as your mobile phone, which will display a time-based password through an authenticator app), or something you are (such as a fingerprint). Historically, authentication has been done using only a password, but if someone steals or guesses this password, they can access your account. Since accounts that use 2FA / MFA require at least one other method of authentication, attackers who have a password still won’t have access to the account – a very good thing indeed!
So we now know that 2FA / MFA provides additional layers of authentication which make it more difficult for an attacker to break into your account, but what’s the difference between 2FA and MFA? Simply put, 2FA refers to using two methods for authentication, while MFA refers to using two or more methods. Throughout the rest of this article, I will simply use the term 2FA.
There are several different types of 2FA. These include mobile authenticator apps, text messages, and physical hardware tokens. Any of these is better than not using any form of 2FA, but physical hardware tokens are by far the best. This is because they are bound to the website you originally set them up on, meaning that only the real site (and not a phishing website) can authenticate with the key.
If you want an example of just how powerful hardware-based 2FA is at preventing phishing attacks, look no further than Cloudflare. In 2022, cyber criminals launched a highly sophisticated phishing attack, in which text messages were sent to over 70 staff from multiple different numbers in just the first minute. The messages were disguised as official company communications, prompting staff to log in to change their password or view their updated schedule. Three of Cloudflare’s staff clicked the link and were taken to a phishing website.
After they entered their password, the phishing site prompted them for a Time-based One-Time Password (TOTP) – a code that is sent via text message or generated by an authenticator app. If Cloudflare had been using this method of 2FA, the three accounts would have been compromised. Fortunately, Cloudflare staff had all been issued physical security keys, and as these are bound to the website they were originally set up on, the attack was thwarted.
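To make the difference concrete, here is an added example (not from the original article, Cloudflare, or any vendor) that models both factors in Python: a TOTP code typed into a phishing page validates unchanged on the real site, while a security key’s response is signed over the origin the browser is actually on, so a relayed response fails. The HMAC-based key, the seed values and the origins are constructed simplifications; a real security key uses a per-site key pair.

```python
import hashlib
import hmac
import secrets
import struct

# ---- TOTP (RFC 6238), the code an authenticator app shows; toy reimplementation ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp_login(server_secret: bytes, submitted: str, unix_time: int) -> bool:
    # The server sees only digits; it cannot tell which web page the user typed them into.
    return hmac.compare_digest(totp(server_secret, unix_time), submitted)

# ---- Security key (simplified model of a FIDO2/WebAuthn assertion) ----
# Simplification: one shared HMAC key stands in for the per-site key pair a real key holds.
def key_sign(cred_key: bytes, challenge: bytes, browser_origin: str) -> tuple:
    # The browser, not the page, fills in the origin it is really on, and that is signed.
    sig = hmac.new(cred_key, challenge + browser_origin.encode(), hashlib.sha256).digest()
    return browser_origin, sig

def key_login(cred_key: bytes, rp_origin: str, challenge: bytes, assertion: tuple) -> bool:
    origin, sig = assertion
    expected = hmac.new(cred_key, challenge + origin.encode(), hashlib.sha256).digest()
    # Accept only if the signed origin is ours AND the signature really covers that origin.
    return origin == rp_origin and hmac.compare_digest(sig, expected)

def phishing_relay_outcome(unix_time: int) -> dict:
    """Which second factor survives a phishing page relaying it to the real site?"""
    totp_secret = b"constructed-totp-seed"          # constructed sample value
    cred_key = b"constructed-credential-key"        # constructed sample value
    real, phish = "https://login.example.com", "https://login-example.co"  # placeholders
    # TOTP: the digits typed on the phishing page work unchanged on the real site.
    totp_ok = totp_login(totp_secret, totp(totp_secret, unix_time), unix_time)
    # Security key: the phishing page forwards the real site's challenge, but the
    # victim's browser is on the phishing origin, so that origin is what gets signed.
    challenge = secrets.token_bytes(32)
    relayed = key_login(cred_key, real, challenge, key_sign(cred_key, challenge, phish))
    # Rewriting the origin field in transit does not help: the signature no longer matches.
    _, sig = key_sign(cred_key, challenge, phish)
    forged = key_login(cred_key, real, challenge, (real, sig))
    # For comparison, the same key used on the genuine site succeeds.
    genuine = key_login(cred_key, real, challenge, key_sign(cred_key, challenge, real))
    return {"totp_relayed": totp_ok, "key_relayed": relayed,
            "key_forged_origin": forged, "key_genuine": genuine}
```

The TOTP routine reproduces the RFC 6238 test vector (seed `12345678901234567890`, time 59 gives `287082`), so the comparison uses a real code format rather than a stand-in.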
Google can also be used as an example of just how good physical security keys are. In 2017, Google mandated that all of its 85,000 staff use physical security keys, and since then, not a single employee has fallen victim to a phishing scam on their work-related accounts.
That being said, any form of 2FA is better than none, and these days it’s important that you have it enabled on all critical accounts, such as email. Vertex Cyber Security works with many companies implementing preventative measures to protect against phishing and other cyber attacks. If you have any enquiries or would like to discuss, feel free to contact us on 1300 2 CYBER (29237) or .
Here’s more information from the Australian Government.