All You Need To Know About Multi-Factor Authentication

Nick Olsen



Given the current COVID-19 pandemic and the rise in remote working, the need for strong passwords and secure account protection is greater now than ever before.

With many employees accessing sensitive information from outside of the office and potentially through unsecured devices/networks, now is the perfect time to look into the available options for securing your data, your logins, and your business as a whole.

Start with the password

Passwords are the first layer of authentication telling a website/application that you are the authorised user accessing the account. Let that sink in for a moment. A short series of characters is the only thing separating your account from someone else accessing it.

Therefore, the security and integrity of your passwords are crucially important to securing your accounts as the first layer of defence.

(For more information and guidelines on how to generate a strong password, have a look at this article on password security).

Why is password security so important?

81% of breaches are from stolen credentials. And, as most users by nature use the same password and email for the majority of their accounts, if one account is compromised, then all of their accounts are at risk. (Use this tool to see if your email has ever been breached).

This is where Multi-Factor Authentication comes into the mix as a secondary measure of protection.

Then add another layer of protection

What is Multi-Factor Authentication?

Multi-Factor Authentication (also known as 2-Factor Authentication) is simply a secondary layer of user authentication used to protect accounts from an unauthorised login.

It relies on the basic model that you need a ‘known factor’ (your username and password), and a ‘possessed factor’ (something that only you possess) to log in. By requiring both individual factors, the application can confirm that it is you logging in and not someone who happens to know your password.

Multi-Factor Authentication is not a new tactic or some niche technique used by the most security-conscious and tech-savvy individuals.

In fact, according to LastPass’ 2019 Password Security Report, 57% of businesses globally use Multi-Factor Authentication.

However, in Australia, this figure is almost halved to only 29%.

What are the different types of Multi-Factor Authentication?

1 - Text/Email


Text/Email Multi-Factor Authentication is a good starting point and one of the entry-level authentication methods, as it doesn’t rely on integration or additional apps and/or software.

Instead, a short 6-digit code is transmitted to the user's mobile via SMS or to their email, as these are considered the ‘possessed factor’.

However, this method is considered one of the least secure Multi-Factor Authentication tactics as the code can be intercepted if a breach has already occurred. 

For example, if a hacker has access to your email account, then this method is entirely redundant.

While more unlikely, text messages can also be intercepted. There are numerous notable cases of prominent individuals' credentials being compromised to gain access to important accounts, such as Twitter CEO Jack Dorsey’s Twitter account.

2 - Mobile App Authentication

Mobile app codes are one of the more well-known Multi-Factor Authentication methods.

These apps typically utilise a standard called the Time-Based One-Time Password (TOTP) algorithm.

The TOTP algorithm generally produces a 6-digit code that is valid for a short time, often 60-30 seconds. This ensures that even if a hacker were able to access one code, it would be invalid after 60-30 seconds and thus useless to them.

Examples of Mobile Apps include:

  • Cisco Duo

  • Google Authenticator 

  • Authy 

  • Microsoft Authenticator 

If you would like one of these applications set up in your business, please click here.

3 - Biometrics

Biometric-based authentication is an authentication method that can replace passwords, but to work as Multi-Factor Authentication, it needs to be used in conjunction with them, using biometric information as the ‘possessed factor’.

This includes utilising the characteristics of the user (fingerprint scanners, iris scanners, facial recognition) as the authentication.

Biometric-based security is an emerging technology in the desktop world, but smartphones and laptops have had the technology for some time now, first in the form of fingerprint scanners, then iris scanners, then facial recognition.

In the desktop/business world, biometrics are not widely adopted, with LastPass indicating that of all employees using Multi-Factor Authentication, only 1% use biometrics.

4 - Hardware Authenticators

Hardware authenticators are specialised devices used only for Multi-Factor Authentication and intended to be physically kept on you or in a secure place at all times. As such, these devices are intended to be more secure than phone/email authentication as they are not remotely accessible.

These devices work in a number of ways. The first type generates a short code (often 6 digits), similar to mobile-based apps.

The second and more commonly used are devices such as the YubiKey and Google’s Titan Key, USB-based devices which must be inserted into a computer, removing the need for a battery.

These devices are simply plugged into a USB port when needed and, when prompted by the service, the user touches a button on them and the rest is taken care of by the device.

With the majority of cyber attacks coming from overseas, hardware authenticators are considered one of the most secure Multi-Factor Authentication methods due to not relying on codes that can be intercepted. In addition, due to these devices being specialised security devices and not connected to the internet, they are more secure than most software/app-based solutions. In fact, the YubiKey device is used by all Facebook Employees.

However, the first type runs off batteries and requires constant charging, which is one of the major downsides. Hardware authenticators can also be easily lost if misplaced, or stolen. If the device is the primary way of accessing accounts, this can work against you.

What's best for my business?

The need for Multi-Factor Authentication is more important now than ever before. The Australian Government found that between July and December 2019, almost 70% of all reported cyber security incidents under the Notifiable Data Breaches scheme involved compromised/stolen credentials. It’s likely that Multi-Factor Authentication would have prevented many of the data breaches caused by these stolen credentials.

There is no one-size-fits-all solution, and we recommend different solutions to our clients depending on their requirements.

Multi-Factor Authentication is one of the best and simplest steps to protect your business and also your personal accounts.

If you would like advice on Multi-Factor Authentication, please reach out today.
