Multi-Factor Authentication | What is it and why you must have it!
Beyond following best practices for your passwords, multi-factor authentication (MFA) is an additional safeguard that protects your accounts and should be part of your personal security policy. Used together with strong passwords and a password manager, MFA offers an easy-to-use and highly secure method of protecting your accounts and data.

Almost all major sites and services on the internet today offer the ability to enable MFA. The most common forms of MFA on sites today are time-based one-time passwords (TOTP) and SMS message verification. Of these two options, TOTP is more secure and is what I prefer to use personally. TOTP adds to the authentication process a one-time password that rotates at a fixed time interval (30 seconds is typical). This TOTP code is entered after your username and password are successfully validated and acts as a second form of authentication (I won't go into the technical magic that makes this possible).

For the TOTP option, you install an app on your phone, such as Google Authenticator or Authy, and enable the feature in the settings section of your account, for example on Facebook. Once enabled, you use the authenticator app to scan a QR code that the site displays while you are turning the feature on. The site will likely prompt you to confirm that you are enabling it and to enter the 3-digit code before saving your changes. That's it! The next time you log into that account, you will need your username and password as well as the authenticator app and the TOTP code it generates.

IMPORTANT NOTE: During the process of enabling MFA on your accounts, you are typically also provided a set of 'recovery codes'. These codes are VERY IMPORTANT to keep. I suggest that you store them in your password manager along with the credentials for the account; I typically paste them into the 'notes' section of the account entry in my password manager. They are used to unlock your account in the event that you lose your MFA device (typically your phone). Without them, you may NEVER be able to get back into your accounts if you lose your MFA device!

The SMS verification option is a bit simpler: after you successfully authenticate with your username and password, you receive an SMS message on your phone and are prompted to enter the code it contains before the login completes. While this is better than no MFA at all, the TOTP option is more secure and highly recommended wherever it is available.
