June 4, 2022
Matthew Kirkland

2FA vs. MFA – What’s the difference?

The difference between two-factor authentication (2FA) and multi-factor authentication (MFA) is massive for your data security. One is very secure, whereas the other is vulnerable to several known social engineering technics. Keep reading this article to find out which one you should be using.

2FA vs. MFA – What’s the difference?

In the past, passwords or single-factor authentication have been the primary authentication factor for most online services. However, as hacking techniques have become more sophisticated, single-factor authentication alone has proven to be an insufficient form of security.

Two-factor authentication (2FA) & multi-factor authentication (MFA) add an extra layer of protection by requiring users to present two or more authentication factors before being granted access.

Multi-factor authentication (MFA) combines something you know (usually a password) with something you have (usually a digital device-specific token or key fob) and/or something you are (biometrics).

Two-factor authentication (2FA), on the other hand, requires a user to provide two authentication factors to verify their identity when logging in. The first factor is typically something the user knows, such as a password. The second factor is usually something the user has, such as an SMS or one-time email code.

Real-world examples:

  • When two-factor authentication is enabled, you will be sent a unique one-time code via SMS or email to enter and gain access when you try and log in to an online account.
  • When multi-factor authentication is enabled, you will be required to input a unique code from an authenticator on your device, use a physical security key or use the facial recognition or fingerprint biometrics found on newer cell phone devices.

Multi-Factor Authentication (MFA) is more secure & the future of internet security.

Multi-factor authentication makes it very difficult for hackers to access your account without having physical access to your device. To log in to online services, you will need to use an authentication factor specific to your device or something you physically have.

The most common method is using an authenticator app. Authentication apps provide a rotating 6-digit code that is only generated for your device. When you try and log in, the online service will verify this code with the authenticator solution and grant access if correct.

The MFA solution we use is Google Authenticator, but other common solutions are Microsoft Authenticator and LastPass Authenticator.

At Nerds On Site, during our Security Awareness Training for data protection of critical business user accounts, we promote three authentication factors, a password manager (LastPass), an authenticator app, and a physical security key (YubiKey).

When combining three authentication factors to confirm user identity, a remote hacker will not be gaining access.

  • A password manager ensures the user has unique & complex passwords for every application or online login. LastPass lets users know if they have weak passwords and has an integrated dark web monitoring function, letting users know if the passwords have been compromised.
  • An authenticator app provides an authentication solution requiring a physical device code.
  • A security key adds an additional physical authentication factor.

Note for businesses; if you have or are looking into cyber insurance, you will not be eligible for insurance as of 2022 if you do not enable multi-factor authentication on remote & critical infrastructure. Strict user authentication is becoming the cornerstone of the underwriter’s policies.

We anticipate authentication methods of the future will require at least two factors, minus the password. These two factors will likely be an identifier (like your email) and something you have (like biometrics, face, or authenticator app).

Passwordless MFA is starting to gain traction in the higher technology field, with it now commonplace on technology such as Microsoft Azure active directory.

Another authentication method currently growing in popularity used alongside MFA is the Single Sign-On (SSO). Lastpass describes SSO as:

“Single sign-on grants authorized employees or users access to applications with one set of login credentials, based on a user’s identity and permissions rather than having them memorize multiple, strong passwords. Single sign-on relies on SAML (Security Assertion Markup Language), a secure, behind-the-scenes protocol, to authenticate users to cloud, mobile, legacy, and on-premise apps.

SSO is one component of the LastPass Identity suite. When combined with enterprise password management (EPM) and secure multifactor authentication (MFA), it brings visibility and security to every user and access point, for businesses of all sizes.”

The biggest complaint with MFA and secure authentication methods will always be user convenience, so SSO aims to tackle this problem by combining the two.

Two-Factor Authentication (2FA) is better than single-factor authentication.

Two-factor authentication is better than having only single-factor authentication. It is marginally more convenient than MFA, but it is significantly less secure, and it has to do with how you handle your passwords.

Most people are bad with passwords, and cybercriminals know this. It’s common practice to use a combination of two or three passwords and then add a number or symbol on the end when being forced to change. It’s even more common for people to use things that are important to them; if you have a dog named Happy, your passwords may be Happy1 or Happy! When requiring six characters.

Also, it’s common for people to re-use passwords in several work & personal spaces, so if you’ve ever been part of a data breach (You can check by using haveibeenpwned), your passwords may be available to cybercriminals on the dark web.

Ok, so why is this important?

If cybercriminals know that people typically use the same passwords in a similar variation, it may be straightforward to gain access to your other accounts. For example, if you were part of the 2016 LinkedIn hack that exposed millions of emails and passwords and you’re still using the same logins, they may be able to gain access to your email.

This means that email two-factor authentication is not useful, as the malicious third party can access the code as they have access to your email.

So, what about SMS? That’s secure, right?

No. SIM Swapping is common. If you’d like to know about SIM swapping in detail, Mozilla did an extensive article Mozilla Explains: SIM swapping.

Data breaches often include personal information, like your name, telephone number, address, postal code, and email. Bad actors can use this information to call your cell phone provider and switch the sim card on file to their own, completely negating your SMS two-factor verification.

You may be thinking this won’t happen to me & that it sounds like a movie, but it is common, and you should not rely on SMS or email verification for security.

Which One Should You Use?

Given a choice between 2FA vs. MFA, it’s clear that multi-factor authentication is the best of the available authentication factors. Multi-factor authentication adds an extra layer of security by requiring device or you-specific information instead of one-time codes.

Nerds On Site provides on-site Business IT Solutions & IT Security Services to small-and-medium businesses (SMEs) in almost all major cities in the United States & Canada. Founded in 1995, we’ve specialized in making technology more pleasurable, productive, and profitable. If you’d like to know more about our business services, don’t hesitate to contact us.