Understanding Multifactor Authentication: Types, Pros, and Cons
By Jonathan D. Steele | March 1, 2024
Quick Answer: Multifactor authentication (MFA) requires two or more independent proofs of identity, such as a password, a physical token, or a biometric, before granting access, so that stealing a single credential is no longer enough to break in. This article covers the common factor types, their advantages and disadvantages, and a practical strategy for protecting your most important accounts.
— Jonathan D. Steele, Esq. (Security+, ISC2 CC, CEH)
Multifactor authentication (MFA) is a security measure that requires users to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. Instead of relying on just a single password, MFA combines different types of checks to make it significantly harder for attackers to break in, even if they manage to steal one of your credentials.
Let’s delve into the different types of MFA and their pros and cons.
---
Something You Know (Password or PIN)
This is the most common form of authentication and involves something that only the user should know, like a password or PIN.
Pros:
- Easy to implement and use.
- Works across almost every platform and service.
Cons:
- Vulnerable to brute-force and credential-stuffing attacks, phishing, and simply being forgotten.
- Often reused across sites, so a breach at one service becomes a gateway to many.
Using strong, unique passwords with a password manager can greatly reduce the weaknesses of this factor, but on its own, it’s no longer enough for meaningful protection.
---
Something You Have (Token or Smart Card)
This involves something the user physically possesses, such as a token, smart card, or a mobile device (for app-based codes or push notifications).
Pros:
- Hard to duplicate; presenting the device is itself evidence that the legitimate user is present.
- Hardware security keys (such as YubiKey or Google Titan) that implement FIDO2/WebAuthn are phishing-resistant: the key signs a challenge bound to the site's real origin, so a look-alike domain receives nothing it can replay.
Cons:
- Can be lost or stolen, and rollout can be expensive.
- May require additional hardware and user training.
- The phishing resistance belongs to the hardware key, not to the whole category: one-time codes and push prompts on a phone can still be relayed by a real-time phishing site or approved by a tired user.
Hardware-based MFA is particularly valuable for high‑risk accounts (email, financial accounts, cloud storage, admin accounts) where the impact of compromise is severe.
---
Something You Are (Biometrics)
This involves identifying a user by their unique physical or behavioral characteristics, such as fingerprints, facial recognition, or voice patterns.
Pros:
- Convenient and fast; nothing to type and nothing to carry.
- Difficult to guess or share, and a match normally requires the user's physical presence.
Cons:
- Not impossible to fake: fingerprint and face sensors can be fooled by presentation attacks (lifted prints, photos, masks) unless they include liveness detection.
- Can be intrusive, raises privacy concerns, and biometric systems can be expensive.
- If biometric data is stolen or spoofed, you can't "reset" your fingerprint or face.
Biometrics are most effective when captured, matched, and stored locally on a secure device (such as a phone's secure enclave) rather than in a central database. In that design the biometric only unlocks a key held on the device, and no fingerprint or face template ever leaves it.
---
Strengthening SMS-Based Two-Factor Authentication
SMS-based two-factor authentication can be strengthened by receiving codes on a dedicated, unpublished number, or on a Google Voice number tied to a locked-down Google account, which takes the number out of reach of a carrier-store SIM swap. Services such as Efani also offer extra protection against unauthorized number porting. Keep in mind that a VoIP number simply moves the risk to the account that controls it, so that account needs strong, phishing-resistant MFA of its own.
Pros:
- Stronger than password-only logins.
- Reduces the risk of SIM swapping when paired with a hardened, separate number.
Cons:
- Requires additional setup and reliance on third-party services.
- Still weaker than app-based or hardware-based MFA: SMS can be intercepted, redirected by a SIM swap or number port, or phished in real time.
Whenever possible, treat SMS as a minimum baseline and move to app-based or hardware-based MFA for your most important accounts.
---
App-Based TOTP (Time-Based One-Time Passwords)
Many services support authenticator apps (e.g., Google Authenticator, Authy, 1Password, Aegis) that generate time-based one-time passwords. You scan a QR code once, and the app generates rotating 6-digit codes.
Pros:
- More secure than SMS; codes are derived locally on your device from a shared secret and the current time, so there is nothing to intercept in transit.
- Works offline once set up.
- Widely supported across major platforms and services.
Cons:
- If you lose the device and have no backup of your TOTP seeds, you may be locked out.
- Codes are still phishable: a proxy site can relay a code to the real service within its 30-second validity window.
- Initial setup can be confusing for less technical users.
Using an authenticator app is often the best balance of security, convenience, and cost for most individuals and small businesses.
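To make the TOTP mechanism concrete, here is an added example (not code from the original article, nor from any of the authenticator apps named above) that parses the otpauth:// URI carried by an enrolment QR code, derives codes per RFC 6238 with Python's standard library, and verifies a submitted code the way a server should: with a small clock-skew window and rejection of an already-used time step. The URI, account label and issuer are constructed for the example; the secret is the RFC 6238 test key, so the generated codes can be checked against the published vectors.

```python
"""TOTP (RFC 6238) from scratch: enrol from an otpauth URI, generate, verify."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI, as an authenticator app would read it from a QR code.
# The secret is the RFC 6238 test key "12345678901234567890" in base32; the
# label and issuer are made up for this example.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the TOTP parameters from an otpauth://totp/... URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore stripped base32 padding
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret_b32, unix_time // period, digits, algorithm)


def verify_totp(secret_b32, code, unix_time, last_step=-1, window=1, period=30,
                digits=6, algorithm="SHA1"):
    """Server-side check. Returns the accepted time step, or None.

    Accepts codes from `window` steps either side of now to tolerate clock skew,
    but never a step at or before `last_step`, so a code captured and replayed
    within the skew window is rejected. The comparison is constant-time.
    """
    step = unix_time // period
    for candidate in range(step - window, step + window + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate, digits, algorithm), str(code)):
            return candidate
    return None


def current_code(uri: str = EXAMPLE_URI) -> str:
    """What the authenticator app would display right now for the enrolled account."""
    p = parse_otpauth_uri(uri)
    return totp(p["secret"], int(time.time()), p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    p = parse_otpauth_uri(EXAMPLE_URI)
    print(p["label"], "->", current_code())
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 code is 94287082 (6-digit: 287082).
    print(totp(p["secret"], 59, digits=8), totp(p["secret"], 59))
```

Two points worth noticing: everything the app needs to keep producing codes is the base32 secret in that URI, which is why the seed (or the QR image) is what you back up; and the server must track the last accepted step per user, because "valid for 30 seconds" otherwise also means "replayable for 30 seconds" by anyone who captured the code.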
---
Backing Up TOTP Seeds and Hardware Security Keys
The seed (the secret inside the QR code you scan during enrolment) is all an authenticator app needs to keep generating codes, so back up the seeds, or the enrolment QR codes themselves, in encrypted storage such as VeraCrypt or Cryptomator. If your primary device is lost, you can then enrol a new app from the backup and keep access to your accounts. Likewise, register a second hardware security key on every account that supports one and keep it somewhere safe.
Pros:
- Provides a safety net in case of device loss.
- Reduces the need to go through lengthy account recovery processes.
Cons:
- Requires careful management; the backups themselves can be lost.
- A backup is a second copy of your credentials, so a poorly protected one becomes a single point of failure if compromised.
When backing up TOTP seeds or storing backup keys, treat them like master keys to your digital life: strong encryption, offline storage where possible, and clear labeling so you (and only you) know what they are.
---
Choosing the Right MFA Strategy
Not every account needs the same level of protection, but certain accounts should always have strong, phishing-resistant MFA:
- Primary email accounts (they reset everything else)
- Financial, crypto, and investment platforms
- Cloud storage and password managers
- Work accounts with access to sensitive or regulated data
A practical approach is:
- Enable MFA everywhere it’s offered.
- Prefer app-based or hardware keys over SMS where possible.
- Keep at least one secure backup method (backup keys, recovery codes, or encrypted TOTP backups).
---
In conclusion, while MFA provides an additional layer of security, it’s important to understand the pros and cons of each type and choose the one that best suits your needs. Remember, no system is foolproof, and maintaining good security practices—such as using a password manager, keeping software updated, and being wary of phishing—is key to protecting your data.
For more information, visit our FAQ Page.
To enroll in a Steele Fortress Protection Plan to enhance your overall cybersecurity, please visit our Protection Plans Page.
---
Related Articles
- Google’s Advanced Protection Program: A Shield for Everyone
- Key to Unbreakable Security: The Un-phishable Guardians of the Digital Realm
- Top 10 Privacy and Security Tools for Advanced Users