What are the Types of MFA? (& the Best MFA For Your Business)
Passwords are outdated.
Hear me out.
For $18, Alice Henshaw, a blockchain engineer currently working at Uniswap Labs, cracked 11 million passwords with a rented-out GPU and open-source software. She ran the program for 20 hours and had an 80% success rate in guessing the 14 million leaked passwords.
So what does this alarming news mean for you?
Passwords – particularly weak, repetitive passwords not in a password manager – aren’t enough to protect your business’ data.
Companies need to start implementing additional security measures to ensure no breaches. One of the best ways for businesses to do this is to implement two-factor authentication (2FA) or multi-factor authentication (MFA).
At ITS, we’re responsible for keeping our client’s IT infrastructure safe from hackers. There are a variety of MFA strategies that we discuss with the customers under our care, which are:
- Email codes
- Text and call one-time passwords (OTPs)
- Biometric verification
- Physical key
- Authenticator app
By the end of this article, you’ll have a strong understanding of what these MFA methods are. You’ll know which one is the best option for your business.
1. Email Codes
The first kind of MFA is an email code. Essentially, a code – either numbers, letters, or a mix of both – will be sent to you through email for verification.
Email code is one of the most common and convenient kinds of MFA. It doesn’t require you to do anything new. You don’t need a working cell phone or a cell plan. Your existing email account is enough.
However, this convenience poses a significant risk factor. Authentication through email is the easiest to bypass. If someone gets into your email, they can easily defeat the two-factor authentication because they can access the code.
Additionally, if they hack your email, they can click “forget password” on your online account. Thereby getting access to change your password and potentially locking you out.
Although this is one of the most widely used MFA types, if possible, we recommend using an alternative.
2. Text and Call One-time Passwords (OTPs)
The second kind of multi-factor authentication is a One-time Password (OTP).
Text and call OTPS are alternatives to email codes. However, they’re identical to email codes – just sent through different forms of communication.
After you enter your username and password, a one-time password in the form of a PIN will either be texted or read to you through a call.
Aside from needing a phone, it doesn’t require additional steps like downloading an app.
But it does have its drawbacks. One drawback is it has a time limit. So if your reception is weak or you’re not near your phone, you may not be able to retrieve the code and authenticate in time.
More importantly, this authentication method is also vulnerable to hackers. They can get access to your OTP through sim cloning and sim swapping. Therefore, authentication through text and call tokens is unadvisable.
3. Biometric Verification
Another type of MFA is biometric verification.
Biometric verification can be anything from fingerprint identification up to facial recognition. Users with smartphones or computers with this feature can further strengthen their online protection.
Although more convenient than OTPs, biometric verification is often used to replace passwords. But when used alone instead of a password, there are still gaps in protection.
Simply put, biometric verification alone is not multi-factor authentication and is not recommended.
4. Physical Key
While the previous types of MFA have been virtual, a physical key is something you can hold.
Users will insert the physical key into the device or computer to access information. Companies will offer physical keys to their highest value users. Typically a physical key is the best option to protect sensitive accounts and data like banking, insurance, and investment information.
This key is considered one of the most secure methods of MFA.
However, a hardware token is not for everyone despite the added security. One, it’s costly. Businesses with budget limitations may not be a good fit for securing all team member’s email accounts due to cost restrictions.
Additionally, because it’s physical, it can be misplaced and lost.
Although typically too expensive, the physical key helps to remind us that aside from security, we also need to consider ease of access for the type of MFA you choose.
5. Authenticator Apps
The final option is an authenticator app. The authenticator app is an application that you download from your phone. The big companies – such as Microsoft, Google, and Apple – have their own authenticator apps for their users.
It provides you with two authentication options. You can either receive a notification that someone is trying to access your account, and you can approve or decline verification.
Or you can open the app and see the verification code that updates every thirty seconds and input it into the account you’re accessing.
The authenticator app provides an outstanding balance of convenience and security. Even though this method requires a phone, a cell plan, and the application installed, it gives a smooth user experience once everything is set up.
We recommend this type of MFA for both security and ease of use.
However, not all accounts or institutions support this type of MFA.
If your account or vendor supports the authenticator app as an MFA method, it is the best option. Always check if the account you’re setting up allows authenticator apps.
About to Implement MFA in Your Organization?
Out of the five kinds of MFA, getting an Authenticator App is the best option. Enabling MFA in your organization adds another layer of security companies need in 2022.
However, it’s easy to say “Get MFA!” – it’s another thing to actually do it.
In our experience as an MSP, all businesses can set up MFA.
But they encounter many challenges when setting up the best cybersecurity practices. Before implementing MFA, read “Cybersecurity Challenges for Small Businesses, and How to Solve Them” to prepare for setting up MFA.