The Microsoft MFA Warning: What It Means for Multi-Factor Authentication
The Microsoft MFA warning issued recently was accurate and necessary, but it also left people a bit confused about multi-factor authentication. Here’s the bottom line, from our cyber security experts.
When you log in to an account, you need to prove that you are you. Signing in with a username and password shows this because of something you know (one factor). Two-factor authentication (2FA) requires something you know AND something you possess. The classic example of 2FA is entering a PIN at the ATM. Your PIN is the something you know and your ATM card is the something you possess.
Multi-factor authentication (MFA) involves at least two factors, but the thing you possess isn’t a single-purpose item, like your ATM card.
Phone-Based Multi-Factor Authentication (MFA)
Some people choose to use a specialized hardware device for MFA. But, for most people, the thing they possess for MFA is their smartphone. Here’s how it works:
- You set up multi-factor authentication on an account (e.g., online banking).
- The next time you log in from a new computer or device, you will be prompted to verify it is you by entering a code.
- You get the code you need from your smartphone.
There are a few different ways that the code can appear on your cell phone and some are more secure than others. We’ll rank them here and then explain each further:
- MFA by app. By far the most secure option. If you have this choice use it.
- MFA by text. This is less secure than using an app, but it is more commonly available. So, if MFA by app is not an option, enable MFA by text.
- MFA by push notification. This is less secure than either of the above options, but still better than not using any multi-factor authentication.
- MFA by email or phone call. These methods are no longer considered safe and you should not use them. Cyber criminals have figured out ways to trick people into providing access to their accounts by faking emails and phone calls.
The Microsoft MFA warning was urging people to choose MFA by app. But MFA by text or push notifications are still preferable to no MFA at all. As more companies make MFA by app an option for their accounts, you should move away from the text and push methods.
MFA by App
This is NOT included in the Microsoft MFA warning. In fact, it is by far the most secure method of multi-factor authentication.
When you choose MFA by app, you need to install an authenticator app on your phone. There are many free, secure options in both the App Store and Google Play, but if you are running Microsoft Teams, the Microsoft Authenticator is the best choice.
You use the same authenticator app for all the accounts on which you have activated MFA by app. After you log in to an account, you’ll be prompted to enter the code from your app. You simply open the app to view or copy the code to complete your sign-in. Each account will have its own code in the app, and they all change every 30 seconds.
The benefit of MFA by app is that, without having your physical phone in their hands, no one can access your account — even if they have your username and password.
MFA by Text
This is one of the methods that Microsoft is warning people about. With MFA by text, the code you need to authenticate your login is sent in a text message (SMS).
The problem with MFA by text is that cyber criminals have found a way around it, called SIM swapping. Basically, they convince your phone carrier that they are you and move your phone number to another device. Then THEY will receive the MFA by text and be able to access your account.
While SIM swapping is a real risk and is happening more and more, MFA by text is still better than no MFA at all. So, if MFA by app isn’t an option, choose MFA by text.
MFA by Push Notification
Push notifications are messages that pop up on your phone and can often be accessed even when phones are locked. MFA by push notification may send you a code to enter or just require you to click a button. It can be easy to authenticate by mistake. (Remember that last time you didn’t mean to say yes to that in-app purchase?)
Like MFA by text, this method puts your accounts at risk if your SIM card is compromised. Again, while not the first choice, MFA by push notification is still better than no MFA.
Choosing Multi-Factor Authentication Options
Use MFA by app whenever it is an option. Then choose by text and, last, by push notification. Don’t enable MFA if the only options are email or phone call (and let the company whose account you have know that their MFA options are antiquated).
As companies like Microsoft get the word out, more and more accounts should have MFA by app as an option. So even if you have to choose another method now, check back every few months to see if the by app method has become available.