Multifactor Authentication

Multifactor Authentication (MFA) is a security feature offered by many websites, applications and devices that dramatically improves account security. Sometimes MFA is also referred to as Two-Factor Authentication or 2FA. Technically, MFA could refer to a system where there are more than two forms of authentication.

Anyway, here’s how it works. If you have MFA setup for a given account (website, application or device), when you log in with your username and password, that account server is going to ask for a second, independent form of authentication before it will actually let you into the system. It’s kind of like when you open a bank account and they ask to see a picture ID and some other form of identification, like your social security card or a passport. It’s much harder to pretend you are someone you’re not when you have to prove who you are in two different ways!

Multifactor Authentication Methods

We recommend registering at least two devices for multifactor authentication, so if you lose one you can protect yourself by wiping the data remotely and then use the other to authenticate. With MFA, the second authentication can be done using one of several different methods so let’s take a moment to go over some of the most common ones.

Mobile device application “Push” method:

The most popular way to get that second form of authentication is through a “push” to an application on your mobile device. There are a variety of authenticator apps that are free and easy to set up and even easier to use for authentication!

With this method, the account server that you are trying to log into will send a “push” to you mobile device. This push is a notification that will pop up on your mobile device and say something along the lines of, “Hey, someone’s trying to log in to this website, is it you?  Should we let them in?”  Usually there is a big green button and a big red one so that you can easily answer “yes” or “no” with one touch. If you hit yes, you’re in. But if you didn’t make the original login request, you know that someone has your password and is trying to log in to your account. You can hit the “No” button and their access will be denied. You can then go log in yourself and change your password so that the attacker is back to square one. It’s simple, yet extremely effective security.

The primary advantage of this method is that an attacker not only has to compromise your password, but also has to have physical access to your mobile device and has to be able to log in to that device. The odds that all of that will happen are extremely low. As in, practically zero if you are using decent passwords and you keep track of your phone. Another advantage of this method is that you get a real time notification when someone is trying to log in to your account. As mentioned above, you can use this knowledge to quickly respond by changing your password.

Mobile device application code method: 

Sometimes the account server won’t send you a push but it may ask you to type in a unique code that is generated by the authenticator app on your mobile device. These codes are short (maybe 6 digits) so it may seem like they are not very secure. The cool thing is that the codes are re-generated every minute or so and they are based on an algorithm that is known only to your authenticator app and the account server you’re trying to connect to. It would be extremely difficult for a hacker to guess the right 6 digit code under those circumstances since the timeframe is so short.

Again, the main advantage here is that the attacker has to have physical access to your mobile device and the ability to log in to it. One downside is that you don’t get any real-time notification if someone tries to log into your account. Usually this method is an option as a backup to the push method as well. Most authenticator apps will support both methods.

SMS Code Method: 

This method also uses your mobile device but it doesn’t use an application. Therefore, it works with non-smartphones. If you set up this method of MFA, when you log in with your username and password, the account server will send your mobile phone a text message with a one-time code. You will then type that code into the website or device portal where you entered your password.

This basically has all the advantages of the “push” method, it just isn’t quite as convenient because you have to type in the code. You will get that real-time notification of a login attempt because you will get a text message per attempt. One down side is that an attacker doesn’t necessarily have to be able to log in to your phone. They do have to physically have the phone but text messages often pop up on the screen of the phone even when the phone is locked.

Email Code Method: 

This method works very much like the SMS code method except that the code is sent to an e-mail account that you have pre-communicated with the account server you are trying to access. You will most often set this up when you register for the multifactor service you are using.

If you’re going to use this kind of MFA, you need to make sure that your email account itself is secure, which probably means that you should have MFA enabled for access to the e-mail account in question. The reason is that e-mail can be checked from anywhere, including the same computer terminal where the hacker is trying to log in to your account. In other words, this method does not require physical access to any independent device. That’s why you should have a strong password for your e-mail that isn’t used anywhere else. If you do that, then this method would essentially require the attacker to know two of your passwords. However, forcing them to have access to another device is a stronger, more secure option. If a website allows only this type of MFA, that’s fine. Go ahead and set it up and then require authentication to your mobile device for access to your e-mail. Then you’re golden.

Physical Token: 

This method used to be more popular before the advent of smart phones. A physical “token” is a small device that continuously generates codes in the same way that an authentication app on your mobile device would. It works just as well but it has the added downside that you have to keep track of this other device. These days our lives are tied to our mobile phones. You can imagine the possibility of losing a token and not even realizing it’s gone for a while. If you have one of these, keep it in a safe location. If you have to carry it around, maybe attach it to your keychain.  

MFA at Ohio State

Ohio State offers an MFA option to protect your Ohio State account when you log in to certain webpages or services using Shibboleth, which is the login service you are using when you enter your name.# and password. The multifactor authentication program is called BuckeyePass and it uses the Duo authenticator app.  We highly encourage you to sign up for BuckeyePass if you haven’t already. A few Ohio State systems already require it, and as security threats grow, even more systems will be added to the growing list protected by multifactor authentication. Visit buckeyepass.osu.edu to get started.

We also encourage you to enable MFA for your personal accounts whenever it is available. We recommend that you browse the security settings in all of your accounts and devices to see if there is an option to enable MFA. We also recommend that you check out twofactorauth.org. It’s a great website that will provide a list of websites, applications, devices, etc. that offer some form of MFA. It will also tell you what kind of MFA is offered.

One final word of caution

MFA is considered the “gold standard” of account security, but it isn’t entirely perfect. For example, if you may fall victim to a phishing attack and you are directed to a fake webpage. If you believe you are on a legitimate site and enter your username and password, there is nothing to stop the phisher from immediately plugging that information into the real account (the one they are impersonating). This will cause the real account to request your second form of authentication. If you then respond and plug a code into that fake website, you will have just given the phisher access to your account and allowed them to side-step the security. That’s why it’s really important to be vigilant against phishing attacks and other forms of social engineering.