The Death of the Password-Only Model
For decades, the "username and password" combination was the sole gatekeeper of our digital lives. However, in an era of massive data breaches and automated "Credential Stuffing" attacks, a password is no longer a wall—it is a screen door. Attackers can buy billions of leaked credentials on the dark web for a few dollars, and then use automated scripts to try those combinations on every major service. Multi-Factor Authentication (MFA) is the industry's response to this reality, adding a second (and sometimes third) layer of defense that is independent of your password.
1. The Three Factors of Authentication
MFA is based on the principle of requiring verification from at least two different "factors." These factors are categorized into three distinct buckets:
- Something You Know: This is your traditional password, a PIN, or the answer to a security question. This is the most common and also the most vulnerable factor because it can be guessed, phished, or stolen from a server database.
- Something You Have: This is a physical or digital asset that you possess. Examples include your smartphone (receiving a code or push notification), an Authenticator App (generating a TOTP code), or a physical Security Key (like a YubiKey).
- Something You Are: Biometrics, such as your fingerprint, your facial structure (Face ID), or even your vocal pattern. These are very difficult to replicate, but they come with their own privacy considerations.
The Golden Rule: True MFA requires factors from different buckets. Using a password and a PIN is not MFA (it's just two things you know). Using a password and a YubiKey is true MFA.
2. The Hierarchy of MFA Security
Not all MFA is created equal. Attackers have evolved their tactics to bypass weaker forms of authentication.
SMS and Voice (Low Security)
SMS-based 2FA is the most common but also the most vulnerable. It is susceptible to SIM Swapping, where an attacker tricks your mobile carrier into porting your number to their device. Once they have your number, they can intercept your 2FA codes and reset your passwords. Furthermore, SMS codes are sent "in the clear" and can be intercepted by sophisticated actors.
TOTP / Authenticator Apps (Medium Security)
Apps like Google Authenticator, Raivo, or 1Password generate a "Time-based One-Time Password" (TOTP) from a secret shared with the service at enrollment and the current time. These are significantly more secure than SMS because the codes are generated locally on your device and never sent over the network. However, they are still vulnerable to "Real-Time Phishing," where an attacker tricks you into typing the 6-digit code into a fake website and relays it to the real site before it expires.
Push Notifications and Number Matching (Medium-High Security)
Push notifications (like those used by Google or Microsoft) are convenient but prone to "MFA Fatigue" attacks. An attacker spams your phone with login prompts until you hit 'Approve' out of frustration or by accident. Number Matching solves this by requiring you to type a specific number shown on the login screen into the app, ensuring you are actually at your computer.
FIDO2 / WebAuthn Security Keys (High Security)
Physical security keys are the "Gold Standard." They use public-key cryptography to authenticate with the website: at registration the key creates a key pair bound to the site's domain, and at login it signs a challenge together with the domain the browser is actually on. Because the key only communicates with the legitimate domain (e.g., google.com), it is phishing-proof. Even if you are on a perfect replica of a login page, the browser and key will recognize the domain mismatch and refuse to authenticate.
3. Failsafe MFA Strategy
Implementing MFA is only half the battle; you must also plan for when your MFA device is lost or broken.
- Redundancy: Always register at least two MFA methods. For hardware keys, this means having a primary key on your keychain and a backup key in a safe.
- Recovery Codes: Almost every service provides "Backup Codes" or "Recovery Codes" when you enable MFA. These are single-use passwords that bypass MFA. Print these codes. Do not store them in your email or on your computer.
- The "Master Key" Rule: Ensure your primary email address and your password manager have the strongest possible MFA (Hardware Keys). If these two anchors are secure, you can recover almost any other account.
For more information on securing your primary accounts, see our Account Recovery Playbook.