What Is MFA? How to Set Up Multi-Factor Authentication

Posted on Oct 23, 2023 by Elly Hancock

Relying on a username and password used to be enough to keep your accounts secure — but not anymore. A combination of weak passwords, freely accessible email addresses, browser-saved logins, and clever cybercriminals means your accounts are more vulnerable than ever. It’s easy for other people to gain access to your sensitive data. That’s why multifactor authentication is important.

Multifactor authentication adds another security layer to keep unauthorized individuals out of your accounts, so only you can unlock them. Where do you start? Stick around to read more about MFA and how it works, plus how you can set it up on your accounts.

What Is Multifactor Authentication?

Multifactor authentication (MFA) is a method of verification to determine if you are who you say you are when logging in to your accounts. Think of MFA as more doors you need to get through before getting to your account. Your username and password combination is the key to unlocking the first door, but you’ll need another key to get through the next door and the next. These keys are MFA. 

MFA is designed so only you (in theory) can verify your identity. For example, if your MFA setup asks for your biometrics, a hacker won’t be able to provide them — a cybercriminal might have the first key, but it’s very unlikely they can unlock the second door. Regardless of how clever they are, it’s near-impossible with our current technology for someone to replicate your fingerprint.

How Does Multifactor Authentication Work?

MFA works by asking for additional verification when logging in. First, you’ll enter your username and password, then you’ll need to pass the MFA checks you’ve set up. These verification steps can include:

  • Something you have. This usually involves sending a push notification to a device or account you own, like your mobile phone, email, or authenticator app.
  • Something only you would know. This could be a PIN code or an answer to a question, like your pet’s name.
  • Something unique about you. This usually means biometrics, such as your fingerprint, face ID, or voice.

Depending on how you set up MFA, you may need to complete a combination of steps. 

2FA vs MFA: What’s the Difference?

Two-factor authentication (2FA) is a type of MFA. The difference between the two comes down to the number of verification checks they require. Accounts with 2FA enabled ask you for a second verification method along with your username and password. Those using MFA might ask you to complete three or more checks. This is common for sensitive accounts, like your banking apps or workplace apps.

Sometimes you can complete verification steps via the app you want to use, or you might need to use a separate authenticator app. For instance, Microsoft has a separate authenticator app if you set up 2FA for Outlook. It depends on the app or website you’re using. Once you’ve passed the authentication steps, you can access your account. 

Many services also provide 2FA with cookies and geolocation services enabled. This means if someone accesses your account from another device or location, you’ll get a warning about suspicious activity. Services such as Gmail and Facebook require you to have 2FA. 

What Is Two-factor Authentication Used For?

2FA is incredibly important for protecting your accounts. Otherwise, anyone with your email address and password could log in to your social media platforms, email inbox, or banking apps and steal your information. Login credentials are frequently leaked, so it’s only a matter of time before someone gets their hands on yours. 

Don’t think it’s that easy? Cybercriminals can use a variety of ways to snoop on your connection and steal your passwords, especially on public Wi-Fi hotspots. These hotspots don’t have the same level of security as your home network, so cyber thieves can easily intercept your connection. They can then use your credentials to log in to your accounts, putting you at risk of identity theft and fraud. 

Some cybercriminals even sell your details on the dark web for financial gain. Most of the time, you wouldn’t even know. 

Using a VPN is a good way of securing your connection to help protect your passwords. PIA VPN encrypts your connection, which masks your online traffic in unbreakable code, so no one can see what you’re doing. This means cybercriminals can’t see your traffic or snoop on your usernames and passwords.

Remember, though, a weak password is still a weak password, whether you use a VPN or not. So, it’s still important to keep those doors to your account firmly locked with MFA. 

What Are Authenticator Apps?

Have you ever received a one-time password (OTP) via SMS? Authenticator apps are similar to that, but they generate a random passcode that expires after a certain amount of time.

Cybersecurity experts consider these apps more secure than SMS 2FA. When a hacker tries to break into your account, they’ll also need access to the authenticator app on your phone. Usually, these apps ask you to log in using a passcode or biometric data like your fingerprint before you can see the OTP. The codes on these apps also expire quickly, so criminals only have a small window of time in which they can get access to your phone, copy the code, and break into your system.

SMS OTPs, on the other hand, just appear on your device and are valid for up to a few minutes. Cybercriminals can easily copy SMS OTPs if they get access to your device or do a SIM swap on your phone.

While they’re more secure than SMS 2FA, authenticator apps aren’t a perfect solution. For one, it’s important to use a trusted app like Google Authenticator, Authy, or LastPass. Otherwise, you’re handing your login access over to malware apps on a silver platter. You’ll also have to link your account to the app, and not all services work with authenticator apps either.

How to Enable 2FA

Now you know how MFA works, let’s look at how to set it up. Most popular platforms still use 2FA even though MFA is considered more secure, mainly because it makes logging in easier for you and means less work for them. You can enable 2FA on your device, as well as for certain apps and websites. We’ve provided instructions for some of the most common MFA uses below.

Enable 2FA for iPhone/iPad/macOS

  1. Head to Settings on your Apple device
  2. Click on your Apple ID
  3. Select Password & Security 
  4. Click Two-Factor Authentication and select On
  5. Enter a trusted phone number to receive codes
  6. Enter the code shown on your phone

Once you’ve set up 2FA on an Apple device, you can add other trusted devices to your account. Follow these steps:

  1. Sign in with your Apple ID on the new device
  2. You’ll be prompted with a PIN code on one of your trusted devices
  3. Enter the PIN code on the new device to set the device as trusted

Enable 2FA for Android

  1. Open Settings
  2. Find your Google account and click on Security
  3. Select 2-step Verification under Signing into Google
  4. Click Get Started and follow the on-screen steps
  5. Select your chosen authenticator app and press Continue to activate 2FA  

Enable 2FA for Outlook

  1. Head to the Security Basics Microsoft login page and log in to your account 
  2. Select More security options
  3. Look for Two-step verification, and select Set up two-step verification 
  4. Follow the on-screen instructions and scan the QR code with your phone to finish setting up 2FA.

Enable 2FA for Gmail

  1. Open your Google account on your device
  2. Click on Security in the left-hand navigation panel
  3. Under How you sign in to Google, look for 2-step verification and select it
  4. Click the Get Started button
  5. Enter your Gmail account password and follow the on-screen instructions

Enable 2FA for Facebook

  1. Log in to your Facebook account
  2. Under Settings & Privacy, select Settings
  3. You’ll see a Meta Accounts Center banner — click See more in Accounts Center
  4. Select Password and security
  5. Click Two-factor authentication and choose an account (you can also set it up for Instagram at the same time)
  6. Enter your password and follow the prompts 

Add Authentication to Secure Your Accounts

Keeping cybercriminals away from your personal information is tough. Cyber thieves are clever and have plenty of tricks up their sleeves to bypass your hard-to-guess passwords. Thankfully, MFA can step in to keep them out.

MFA requires highly personal and hard-to-access information to unlock the doors barring access to your account. Verification checks like one-time passcodes (OTP) and your fingerprint are hard for even the most skilled cybercriminals to get around. It might take a few extra minutes to log in to your app, but if it means your information stays safe, then we’d say it’s worth it.

FAQ

Are MFA and 2FA the same thing?

MFA and 2FA both work in the same way. Two-factor authentication requires two verification checks, while MFA needs at least two checks and sometimes more. MFA is more common with highly sensitive apps and websites, such as when you access work servers remotely or use online banking.

What are the three types of multifactor authentication?

After entering your username and password, you’ll need to pass additional verification checks with MFA. It can use up to three factors to verify your identity. These include using something you own (like a mobile device), answering a question or providing information (like a PIN code), or providing something unique to you (biometric data like your fingerprint).

Some platforms, like Facebook, let you choose which checks you want to complete, while others select the MFA verification steps for you. 

What is the most common example of multifactor authentication?

One-time passwords (OTP) are the most commonly used MFA method. This means the platform sends a PIN code or password to your chosen device, usually a mobile phone, when you’re logging in. You then enter the code on the app or website to gain access to your account. 

These codes are typically time-sensitive and unique each time you log on, which makes it incredibly difficult for anyone other than you to log in. That changes if they have physical access to your device, can access your phone remotely, or do a SIM swap. So it’s always important to keep your devices safe even if you use MFA, especially on public Wi-Fi.

Is two-factor authentication safe?

Yes. It’s not 100% safe, but nothing ever is. Hackers have been known to bypass 2FA checks to gain access to your device or accounts. That said, 2FA is one of the safest ways to secure your apps. It’s unlikely cyber thieves can get access to a one-time passcode (OTP) on your phone or answer a security question only you know the answer to.