Cyber threat actors have become smarter and more creative about how they steal your login credentials (username and password) to access systems. It no longer takes a large-scale data breach, where your credentials get sold on the dark web, for them to obtain what they need to log in as you and access your sensitive personal and company data. Seemingly innocuous requests can be embedded in emails and fake web pages that look authentic but serve to capture your login information. When this happens, a threat actor can have open access to your account... unless there is something else stopping them from logging in. This is where multi-factor authentication (MFA) comes in.

This process is called “multi” factor because it uses multiple factors to validate that it is actually you who is logging in to a system. Most commonly these are something that you know, like your username and password, and something you have, such as a token with a code on it or an application running on your phone which provides the code. If a threat actor does come into possession of your login credentials, they would attempt to log in but then be prompted for the multi-factor code. Unless they have cloned your phone or stolen your token fob, they are out of luck.

MFA is not foolproof, and threat actors are inventing new ways to defeat this process as well, but it is still the simplest way to stop them in their tracks if they are less sophisticated or less determined hackers.

The last key point about MFA is that you should use it on ALL the systems that make it available to you. This would include:

  • Cloud-based email
  • Desktop login
  • Cloud-based applications
  • Any other services that allow you to enable MFA

Some services, such as Microsoft 365 and Google Workspace, have mandated it for all accounts because it is so critical for keeping hackers at bay.

Multi-factor authentication is a simple way to keep your data and information out of the hands of threat actors. The minor inconvenience of having to enter the code pales in comparison to the pain you will experience if they gain access to your email and start sending email as you.