What is MFA and why you need it

No, it's not short for motherf...

Since passwords are easy to guess, crack, or steal, most cybersecurity pros advise an additional layer of security. The most popular one is called multi-factor authentication, or MFA. It’s basically a second secret that gets generated on the spot when you log in, so there is nothing stored for attackers to crack, and it’s much harder to steal than a static password.

That way, even if you lose your password (let’s say you get infected with infostealer malware and your passwords get stolen), the criminals still can’t get into your accounts.

There are a couple of popular MFA methods. Depending on the situation, one might be better than the other. Here are the most popular ones:

1. SMS codes – Your bank or email sends a one-time code to your phone. Convenient, but vulnerable (see SIM swapping below).

2. Email-based MFA – You get a verification link or code via email. Better, but emails can also be compromised (especially with infostealing malware). 

3. Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) – A code refreshes every 30 seconds inside an app. More secure than SMS, and requires the cybercriminal to have access to both your password and your smartphone.

4. Hardware security keys (YubiKey, Titan Security Key) – A USB or NFC device you physically insert/tap to log in. One of the safest solutions, but inconvenient (you need to carry the device around with you, and you’re at risk of losing it).

5. Biometric authentication – Fingerprints, facial recognition, or even retina scans. Hard to fake (unless someone’s really into Mission: Impossible-level schemes).

MFA risks and how to dodge them

While MFA is great, it’s not bulletproof. Here’s what could go wrong and how to avoid disaster:

  • SIM Swap Attacks – Hackers convince your phone carrier to transfer your number to their SIM, intercepting your SMS codes (even though it sounds far-fetched, it happens all the time. Even the SEC fell victim once). That’s why I don’t really recommend SMS for MFA.

  • Phishing Attacks – Scammers trick you into entering your MFA code on a fake login page. This also happens all the time, as there are multiple phishing kits that enable this. Here’s an example. Always double-check URLs and don’t enter codes unless you initiated the login.

  • Losing Your MFA Device – If your phone or hardware key is lost, you could be locked out. That’s why you should always set up backup options.

Which services absolutely need MFA?

If enabling MFA everywhere feels like too much, at the very least enable it for:

  • Email accounts (Gmail, Outlook, etc.) – If hackers control your email, they can reset all your passwords.

  • Banking and financial services – Because money.

  • Social media accounts – Prevent embarrassing (or reputation-damaging) hacks.

  • Cloud storage – Your personal/business files need to stay private.

  • Any service that holds customer data – If you run a business, protect your clients!

How to avoid locking yourself out

Like I said, MFA is fantastic, but if you lose access to your authentication method, you’re in for a world of hurt. Here’s what you should ABSOLUTELY do while setting up your MFA:

  • Backup codes – Many services give you one-time-use backup codes. Print them out or store them in a secure password manager.

  • Multiple authentication methods – Set up more than one method (e.g., an authenticator app + a hardware key).

  • Account recovery options – Make sure your email and phone recovery settings are up to date.

  • Password manager – Some password managers (like 1Password and Bitwarden) support storing MFA codes, making life easier.

When I was a kid, people were buying so-called ‘lion claws’ for their cars, as an added layer of security against theft. The rationale was that cybercriminals are lazy: they’ll move on to easier targets if you’re properly secured. That rationale still works today: if a hacker sees MFA on your account, they’d rather pick on someone else. So, take five minutes out of your day, enable MFA, and sleep better.

Got a story about MFA saving (or ruining) your day? Hit reply - I’d love to hear it!

Until next time, stay safe!

  • Sead from SmallBiz CyberWiz