What is multi factor authentication?

Estimated reading time
min

Multi-factor authentication (MFA) is a security measure that requires two or more forms of identification to grant access to devices and accounts.
If you want to help safeguard your accounts and devices, activating MFA is essential – it adds an extra layer of security between your data and cybercriminals.
Different MFA options include using a unique code sent to your phone, a face or fingerprint scan, a physical banking token, or even an authenticator app.
Setting up MFA will vary based on the account or device you wish to protect – it may be a security setting you can switch on, a prompt when downloading an app, or it may be a feature that’s part of the program like a one-time passcode you receive by SMS.

When it comes to looking after our valuables, we sometimes need additional security measures to keep things safe and secure.

You might park your car in the garage and lock the doors for a double dose of security. Or you might set your house alarm, lock the main door, and secure the flyscreen to ensure no one – not even a cockroach – can get inside.

So, taking extra precautions to help protect your accounts and devices makes sense.

Multi-factor authentication (MFA) involves taking two or more steps to verify your identity when you log into an account or device or do something specific, such as processing a large transaction. It’s easy to set up (we’ll explain how), and it’s a quick win for adding an extra layer of protection between your accounts (or devices) and criminals.

Although 43% of Australians use MFA when it’s available, many still rely on simple and easy-to-crack passwords.¹ When you use MFA, you’re helping to keep your personal information and money safe from cybercriminals. That’s why we will teach you the basics of multi-factor authentication – from explaining how it works to setting it up and more.

What is multi-factor authentication?

Multi-factor authentication is a security measure that requires you to verify your identity using two or more of the following:

Something you know, like a password or passphrase.
Something you have, like a phone with a verification code or an authenticator token.
Something you are, such as a fingerprint or facial scan.

Common types of multi-factor authentication

Here is a quick list of the common types of MFA you might use:

A token that shows a time-sensitive PIN or code on the screen. After a set period, such as 30 seconds, the PIN or code will change into a new one.
A biometric scan of your face, fingerprint, or eye.
An authenticator app that generates random one-time PINs or codes for multiple accounts. Like the token, these codes are time-sensitive and will change after the time limit.
A code you receive by text, email, or a call. This is a unique code that you can only use once.
You might need to answer security questions that only you know the answer to. For example, you might be asked, ‘What is the name of your first pet?’ or ‘What is the model of your first car?’.

How is two-factor authentication different?

While MFA and two-factor authentication (2FA) are often used interchangeably, they’re a little bit different. MFA requires at least two different factors to verify your identity, whereas 2FA only requires two. MFA is generally considered a more potent form of security for your accounts and devices when available, as the option to add more detail, such as ‘something that confirms who you are’, protects you even if your other details have been compromised – for example, if your logins were shared in a data leak, or if your phone has been compromised in a porting scam.

How does multi-factor authentication work?

When you have enabled MFA, you go through a series of steps to log into your account or complete an action such as transferring a large amount of money.

For example, you might log in with your password (step one), then enter a code sent to your phone via text message or an authenticator app (step two).

If entering your contact details is part of the MFA process, they must match the records on file. This can stop cybercriminals from receiving the verification codes intended for you.

But multi-factor authentication is not always something you need to manually turn on or set up to benefit from. Sometimes, a company may want to increase security and introduce MFA as an extra identity verification step. This can often be through a one-time code or by prompting you to select your authentication method.

Why is multi-factor authentication important?

MFA adds extra layers of security between your accounts and anyone trying to get into them. Even if a cybercriminal cracked that first layer of protection, MFA provides extra steps that can help prevent them from accessing your account further.

For example, if a cybercriminal guessed your social media account password and you have enabled MFA, they will not be able to log in. This is because they don’t physically have your phone to receive a unique code or your thumbprint to scan.

Another reason to turn MFA on is that you can be notified of suspicious login attempts on your accounts. When MFA is active, you’re likely to get a notification asking for a face scan or one-time passcode, which can give you an opportunity to block it, report it, and update your details to secure your account.

How to set up multi-factor authentication

The process for setting up MFA can vary depending on the device or account and the type of security available. For example, you might be prompted to turn on MFA when you set up your new smartphone or download an app. Or you might have to go into the security or privacy settings to turn it on manually, setting up your secret questions or entering your biometrics, such as a face or fingerprint scan.

Here’s how you can check if MFA is turned on for your device or app:

Go to the security or privacy settings on your account, app or device
Select the MFA option
If it’s not activated, follow the prompts to turn it on

If you’re unsure whether MFA is available or how to set it up, search for the resources and documentation of the business, program, device, or account.