By now it is generally acknowledged that passwords alone do not provide enough cyber security. Multifactor authentication (MFA) is being widely adopted, and security firm Halock predicts global growth from $11.1 billion in 2021 to over $23 billion in 2026. However, Halock warns (halock.com/best-practices-for-multifactor-authentication-mfa-login/) that not all MFA solutions are equally good.
MFA is based on three identification strategies:
- Something you know - username, password, answers to pre-selected questions.
- Something you have - cell phone or mobile app.
- Something you are - facial or fingerprint scan.
MFA uses two or more of these strategies in the login process.
MFA does not end data breaches. It can't secure vulnerabilities or prevent human error. It must be part of an in-depth security strategy.
MFA can fail if it relies on a cell phone message which for various reasons cannot be delivered on a timely basis. It can be annoying when frequently required, tempting users to circumvent it. Using a cell phone to transmit a code can be problematic; the phone could be stolen or the code intercepted if not encrypted. Hackers can also use malware to transfer codes to other devices.
Microsoft now discourages phone-based MFA in favor of authentication apps and security keys.
As with all cyber security, using MFA requires keeping up with threats and technology.