Major International Hacker Groups are Cracking Multi-Factor Authentication

Hello fellow travelers on the Internet, this is Nate Abbott trying to be helpful, as usual. We are going to answer a couple of questions here, and then provide some helpful advice.

What is Multi-Factor Authentication, or MFA?

In case you haven’t heard about this, it is a way to increase the security of your access to websites and Internet accounts that could cause you personal or financial harm if they were compromised. Most major websites now offer MFA to users, and it is best thought of this way:

  • Single-factor authentication is generally something that you know, namely a unique password that you keep secret.

  • Multi-factor authentication requires more than one thing to gain access, something that you know, plus something that you have, or something that you are.

    • MFA requires at least two of the following: a password is something that you know; your fingerprint is something that you are; your mobile phone is something that you have.

    • Any two of those things provide you with good multi-factor authentication, because it is much harder for a hacker to obtain both of them than just the thing that you know, which might leak out somehow.

    • Example 1: Your password, plus your cell phone number. After you provide your password, the website sends you a text or a call with a code that you must enter.

    • Example 2: Your password, plus an authenticator app. The app generates a time-based code that is valid only once, within a 30-second time window.

    • Example 3: Your password and a fingerprint scan.

How are the hackers cracking this system?

First, they must gain access to your password. This happens very frequently because of the history of massive data breaches that have occurred in the last decade around the world, and because people tend to re-use passwords to make their lives simpler.

Once the hackers have your password, if they find that you are using MFA, they trigger a massive number of prompts to your cell phone in the hope that you will acknowledge one just to quiet down the annoyance. Once this is done, they can register their own device as an MFA factor and they own your account. I won’t go on at length about how hackers can leverage a single account breach into comprehensive control of all of your accounts and an effective, difficult-to-resolve identity theft. If you are trying to do any substantial financial transaction, you will find yourself in some prolonged pain. Over time, an attacker can ruin your credit rating and your reputation, even implicating you in crimes if they are persistent and successful enough. You do not want this to happen.
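The same pattern, seen from the service side: this is an added example, not code from the original post, that scans a constructed set of MFA push-event records for a burst of prompts to one user and notes whether the burst ended in an approval. The event names, log layout, window and threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs): (time, user, event).
# "alice" shows the normal one-login/one-prompt pattern; "bob" shows a burst
# of prompts that ends with an approval, which is what prompt bombing aims for.
SAMPLE_LOG = [
    ("2024-05-01T09:00:00", "alice", "push_sent"),
    ("2024-05-01T09:00:06", "alice", "push_approved"),
    ("2024-05-01T22:14:00", "bob", "push_sent"),
    ("2024-05-01T22:14:30", "bob", "push_denied"),
    ("2024-05-01T22:15:00", "bob", "push_sent"),
    ("2024-05-01T22:15:45", "bob", "push_denied"),
    ("2024-05-01T22:16:10", "bob", "push_sent"),
    ("2024-05-01T22:17:00", "bob", "push_sent"),
    ("2024-05-01T22:18:30", "bob", "push_sent"),
    ("2024-05-01T22:19:00", "bob", "push_sent"),
    ("2024-05-01T22:19:20", "bob", "push_approved"),
]


def parse(record):
    """Turn one (iso_time, user, event) tuple into (datetime, user, event)."""
    ts, user, event = record
    return datetime.fromisoformat(ts), user, event


def detect_mfa_bombing(log, window=timedelta(minutes=10), threshold=5):
    """Flag users who received at least `threshold` push prompts inside any
    `window`, and record whether an approval followed the burst."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(parse(r) for r in log):
        by_user[user].append((ts, event))
    findings = {}
    for user, events in by_user.items():
        sent = [ts for ts, ev in events if ev == "push_sent"]
        start = 0
        for end in range(len(sent)):
            # Slide the window start forward until sent[start..end] fits in it.
            while sent[end] - sent[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                approved = any(ev == "push_approved" and ts >= sent[end]
                               for ts, ev in events)
                f = findings.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                f["prompts"] = max(f["prompts"], count)
                f["approved_after_burst"] = f["approved_after_burst"] or approved
    return findings
```

A flagged user whose burst ended in an approval is the case worth an immediate password reset and a review of newly registered MFA devices.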

What can you do?

  1. Use a password manager and make sure that all of your passwords are random, strong, and used for only one account. You have to have a different, strong password for each account that you have. I recommend LastPass as a password manager, but there are now many good ones.

  2. Enable MFA on as many accounts as you can tolerate. The more the better. Use app-based authentication wherever possible, and familiarize yourself with Google Authenticator, Microsoft Authenticator, and any other authenticator that you may want to use. You may need two or three to cover all of your MFA accounts.

  3. Make sure that you only respond to MFA requests when you are trying to access an account that requires the specific access requested. There should be a strict one-to-one relationship between your login attempts and your MFA prompts. If you start to receive unexpected MFA prompts, do not approve them. Put your phone on Do Not Disturb if you have to. Once a lull comes in the requests, log into your account and change your password. Understand that you will have to be sure that you are approving only the MFA request for your own login and not one sent by the attacker. This may require patience.

In Summary…

Yes, MFA is a good thing, please use it. Adopt and master your password manager. Watch out for MFA bombing, and never authorize anything that you haven’t explicitly requested yourself. Don’t be tricked by false claims that the company is testing security or similar words. There can only be a one-to-one relationship between your login requests and your MFA authentication responses. Never approve a request for any reason other than your own need to access your online account.

If you want to read more, you may find this story interesting: https://www.wired.com/story/multifactor-authentication-prompt-bombing-on-the-rise/