Your Authentication Options Explained | 2FA, MFA, and more

By February 22, 2019 Security Tips 2 Comments

Cybercriminals are skilled lock pickers. They know the best opportunities to break through security barriers. Their motivation is simple: transform digital data into hard cash.   

With enough information on hand, cybercriminals can open a new credit card account in your name and proceed to max out the credit limit within days or even hours. They know how to transfer funds from your account to theirs, whether it be from your personal online bank account, or by using payroll information to divert deposits. It’s a scary reality, but it’s not impossible to defend yourself.

This is where multi-factor authentication can make all the difference.   

Two-factor Authentication, Multi-factor Authentication, and the Forms They Take 

Two-factor authentication adds, you guessed it, a second layer of access protection. It works by using something you know (such as a passphrase that protects your vault of usernames and passwords), and something you have, a random passcode generated on your mobile phone or a hardware token (think key fob on your keychain). The second factor of authentication can also simply be your fingerprint or other biometric form.   

Multi-factor authentication goes one step further, and requires two or more factors of authentication. This requires something you know (e.g. password or passphrase), something you have (e.g. SMS code), and something you are (e.g. a fingerprint). Multi-factor authentication is a common best practice for organizations to enhance security. 

Authentication, regardless of how many factors are involved in the process, is a simple piece of technology that is easy to install and use – as simple as any other mobile phone app you download to your iPhone or Android device.

The most popular forms of authentication available to any person or business include:  

  • SMS Code: A unique, one-time code consisting of six numbers that get texted to you. Admittedly, SMS Codes do have some weaknesses compared to other forms of authentication like a hardware token. Compromising a mobile phone can compromise the conduit of your SMS code. No matter what, though, a cybercriminal will have to spend time trying to bypass SMS verification.  
  • Authentication applications: You can use one of the many authentication apps available to download on your phone. This works very similarly to the SMS code – but instead of sending a text message, you will get an alert from the application on your phone, asking you to approve access.  
  • A hardware token is a device that generates an encrypted one-time passcode often in the form of a string of six numbers that you then use in the same way as if that passcode came via a text message. This is a separate device you carry along with you. Some might consider a hardware token to be less convenient as it isn’t already on that mobile phone you keep close, but it does become a stronger form of authentication as it doesn’t rely on a separate device to transmit an access code.   
  • Biometric authentication uses what you’ve already got on you at any time of day, because biometric authentication uses something you are. Examples include using your fingerprint, voice, or face as a factor to authenticate into the application. This “form factor” isn’t so hard to remember because biometrics simply use a unique measurement found on your own biological body. And because biometrics are based on you, it’s incredibly difficult for a cybercriminal to replicate.

Some forms of authentication can be stronger and tougher to break than others. It’s not unlike what you choose to protect your own home – from a deadbolt on your front door, or that same deadbolt along with a physical security service like ADT. Both will keep the bad guys out, you just need to balance added security and convenience.   

Back to those clever cybercriminals for a moment. They know that a key path of least resistance can be a simple password that can be easy to guess or crack, used across multiple online accounts and apps. Without an extra layer of security, the opportunity to lose your shirt becomes all the greater.  


    • Amber Steel says:

      Here’s our official statement on this report: “This particular vulnerability, in LastPass for Applications, our legacy, local Windows Application (which accounts for less than .2% of all LastPass usage) was brought to our attention by researchers through our Bug Bounty Program. In order to read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer. We have already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in this report. To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind. At this time, we have no indication or reason to believe that any sensitive LastPass user data has been compromised. As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond and fix potential vulnerability reports as quickly as possible.”