Top MFA myths busted

David Strom 5 May 2022

Multi-factor authentication (MFA) is probably one of the best ways to secure your computing environment. 

We've discussed how to use MFA to secure your social media accounts as well as how to use it to secure your WordPress website. We also have a more complete explanation of what MFA is and how it works. Put simply, it’s necessary (and wise) to rely on something more than just your password to log in to your various online accounts.

And given that today is World Password Day, it’s more than appropriate that we discuss this issue in detail. 

Why should you care about MFA in the first place?

The need for MFA protection has taken on more urgency as numerous attacks (such as those experienced by Equifax, Marriott, and Facebook) have gotten attention and shown that had more users implemented MFA, their accounts wouldn’t have been compromised. 

Earlier this year, we wrote about new phishing methods discovered by academic researchers. Last year, Google enabled MFA by default on all of its accounts. And most recently, GitHub announced that they will require all users who contribute code to use MFA by the end of 2023.

But for all of its utility, MFA still has its resistors. If you need some ammunition to fight for its acceptance across your company, we’ll bust a few MFA myths and help you convince folks to get onboard. 

1. I’ve been using the same password for all of my logins for years and have never been compromised.

This excuse is more common than you’d think, and it’s typically spoken by people that should know better than to reuse their password even once, let alone for dozens of accounts. To see why, simply head over to Have I Been Pwned? or Avast Hack Check, type in your email address, and see how many breaches come up in the results. For many email addresses, there will be more than a dozen different breaches listed, some going back a handful of years or more. If you go through the effort to update your passwords, you might as well add on MFA to really protect your digital identity.

2. I already use SMS as my MFA method.

While having SMS as a second authentication factor is better than nothing, it can’t be seen as a reliable form of protection and might give you a false sense of security. As mentioned by Brian Krebs, there’s an “entire ecosystem” of workers who can be bribed to defeat SMS authentication factors. 

A better MFA method is to use a smartphone authenticator app. Authenticator apps display a random six-digit number that is only valid for one minute. When you log in to your accounts, you need to type in the number in the time allotted to gain access. 

Here’s a current review of several authentication apps, many of which are free to use. The most common vendors have applications available for both Android and iOS devices (Authy also has desktop apps for Mac, Windows, and Linux).

3. I don’t have time to set up MFA.

While this myth may have been true some years back, current MFA tools have become more straightforward, easier to use, and don’t take all that much time to configure and deploy. The trick is getting started: once you have installed an authenticator app on your phone, using it quickly becomes second nature; it just takes a few seconds to enter the random number generated for you in the app.

4. I don’t want to use my phone or phone number.

Some people don’t want to link their phones to their logins for privacy reasons. This is where a desktop authentication app (such as Authy) comes in, as long as you are using one of your desktops when you want to log in.

Another alternative to the smartphone apps is to purchase a hardware “key” that can be used as the additional security factor. YubiKey, SoloKeys, or Google’s Titan Security keys all do the trick and cost around $50 apiece. When choosing this option, you’ll want to have at least two keys and keep them stored in two separate places, just in case you lose one. 

5. What, me worry?

For those of you old enough to remember Alfred E. Neuman, there are numerous excuses and myths around this old chestnut. For example:

  • “My business is too small to be a target”
  • “I don’t have to worry about insider threats or man-in-the-middle attacks”
  • “I don’t have anything worth stealing”

Unfortunately, each of these lines of reasoning is invalid. Whether as an individual or as a small business professional, your stolen identity can be used to gain entry into much more valuable data; it can also be used to open phony bank accounts or obtain illicit tax refunds. A stolen account can also be used to launch ransomware or phishing attacks, which could make your business liable for damages.

Don’t delay: Get MFA today and deploy it across all of your accounts.