Not All MFA is Alike

We’ve recommended using multi-factor authentication (MFA) many times on the blog. It is a security tool that is simple to set up and use and provides an additional layer of security to your account. In fact, according to Microsoft statistics, your account is 99.9% less likely to be hacked if you use MFA.

Options for MFA

When MFA is enabled on an account, you must provide three pieces of information: your username, password, and an additional unique code. Your username and (strong!) password are chosen by you when the account is created. When enabling MFA, you will have options for how to receive the additional code.

The first option is to have the code sent via phone call or text message when you begin the login process. This option is less secure because these codes can be intercepted by hackers. Users can also fall victim to SIM swapping, which redirects all the phone’s content, including access codes, to the hacker. Further, if your cell network goes down, you may be unable to access important accounts.

The second option is to obtain a code from an authentication app. Authentication apps can provide unique, one-time codes for any account linked to them. For example, Google’s Authenticator app can be linked to your work and personal email accounts, your timekeeping site, your favorite shopping sites, and your personal banking app. This option is safer because the code only lives on your device within the app. Unlike the code in the first option, it does not travel over your cell network. It is possible, though less likely, that your phone could be hacked and the authentication app could be compromised.

The third, and safest, option is a security token. It is similar to the app except that the codes live on an independent piece of hardware. The token is extremely difficult to hack, but it would have to be purchased and may not connect as seamlessly as an authentication app to all of your personal accounts.

We highly recommend enabling MFA wherever it’s available. Based on ease of use and security, choose app authentication over phone or SMS delivery. However, if phone or SMS is the only option, use it. While potentially less secure, it is still one more layer of security between a hacker and your personal account information.
