As everyone knows, we in IT love our acronyms. One of the latest that’s been thrown around is MFA, which stands for multifactor authentication. In our cloud-based world, MFA goes a long way toward improving security. But what is all the fuss about?
The concept behind MFA is quite simple. It is basically a secondary check upon login to websites or software applications. The first component, or “factor,” is a password. The second factor can be a multitude of options but usually is mobile phone-based. In most current practice, only these two factors are used; in fact, MFA is sometimes referred to as 2FA. However, some logins require more than two factors, such as a specialized USB stick, or even biometric data such as fingerprints or iris recognition.
MFA has been around for decades now but has really only become practicable with the ubiquity of the smartphone. Back in the day, MFA required the user to carry around another device, such as a USB stick, which added cost and inconvenience. But nowadays, anyone who’s going to log in anywhere carries a smartphone.
So how does it work? As many have already experienced, when logging in to a website, the user is told to check their phone for a one-time code. Enter the code and — voila! — you’re logged in.
Simple, right? But there are a few things that need to be in place for this all to work. First, when setting up your account, you must enter your mobile phone number. If it’s a website or application specific to your organization, you have to make sure your employer has the correct number. While many are loath to give up the digits, there’s just no way around this. Anecdotally, to date, we have not heard of any abuses of information shared in this manner.
Make sure, if given the choice, you opt to use MFA. While this is changing, there are still some websites that support but don’t require MFA. If it’s a website specific to your organization, check with your IT department.
All mobile devices sold within the past five years, if not more, have the capability to be locked with a passcode, facial recognition or fingerprint. Make sure to turn this on — not just for MFA, but for security in general.
If supported, use an authentication app instead of SMS text. Examples of third-party authenticator apps include Authy as well as authenticators from Google and Microsoft. Some password managers such as LastPass offer the service as well.
An authentication app provides secure, encrypted communication of the one-time code. SMS is not encrypted, which has led some to criticize its use as a secondary authentication factor. The fact of the matter, however, is that secondary authentication via SMS is still substantially more secure than no secondary authentication at all.
Email is also an option for secondary authentication. But as far as security goes, email authentication trails SMS considerably.
While MFA might seem like a pain, it is a necessity in today’s world. The security it provides more than offsets the extra steps required.
John Agsalud is an IT expert with more than 25 years of information technology experience in Hawaii and around the world. He can be reached at jagsalud@live.com.