With all of the data breaches in the recent past, one characteristic stands out. Very few accounts that are protected by multifactor authentication, or MFA, are hacked. And those that are hacked are usually violated with the aid of social engineering.
Yet some folks are still averse to it, either purposely not enabling it because it takes a modicum of effort to set it up and use it, or outright claiming inaccurately that MFA doesn’t help or, worse, makes your account less secure.
First, let’s review how MFA works. The concept behind MFA is quite simple. It is basically a secondary check upon login to websites or software applications. The first factor is a password. The second factor can be a multitude of options but usually is mobile phone-based.
In current practice these two factors are the primary ones used. Biometric data such as fingerprints, faces and eyeballs are becoming more and more popular. The gist is that there must be more than one factor used to log in, drawn from something you know, like a password; something you have, like an app on a smartphone; or something you are, like a fingerprint or face.
In practice, after you enter the correct password you are prompted for a code. This code comes from an authenticator app, a native mobile app, iMessage, email or SMS text. Authenticator apps include Google Authenticator, Microsoft Authenticator, Authy and others.
Many financial institutions include security code functionality in their native apps, and recently we have seen an increase in the use of Apple’s iMessage texting to send out codes. These are all highly secure, encrypted methods of code distribution and should be used if available.
Code delivery via email is less secure, as messages could pass unencrypted through way stations on the internet on the way to your inbox, but is also less common.
Where the peanut gallery primarily criticizes MFA is in the use of SMS texting for code delivery. SMS texting is not encrypted and could theoretically be stolen as it flies through the air to your phone. Arguably, it is easier to steal an email-delivered code than an SMS-delivered code. But SMS delivery is far, far more common and tends to provide a false sense of security.
While there have been stories about the interception of SMS-delivered codes, the fact of the matter is they are few and far between.
In fact, most cases of SMS-delivered codes being compromised involve social engineering. It can’t be said enough: Never give out your security code! No matter who calls and asks for it. Scammers have posed as the FBI, HPD, Microsoft, Google, Facebook … the list goes on and on.
So while it’s not the most secure method of MFA, SMS texting is still much better than nothing at all.
If you have sensitive information with any website, whether financial, health or identity, make sure to use its MFA offering. If it doesn’t have an MFA offering, it’s time to find another provider.
John Agsalud is an IT expert with more than 25 years of information technology experience in Hawaii and around the world. He can be reached at jagsalud@live.com.