Hi! I’m Jim, and I’ve spent 25+ years in IT. If you’re reading this, it may be that you’re a longtime reader of the site. If so: Hello! Or maybe you got here via search engine. If so, also Hello! Most likely, you’re a family member, friend or client I referred to this page because I think this is truly important:
If you haven’t enabled Multi-Factor Authentication on as many online accounts as possible, you need to do so. Now. Like, RIGHT NOW.
After you read this.
Computer security is generally based on three factors:
Something you know is typically a username and password. Passwords have been around since the early days of computing because password systems are easy to incorporate into apps and operating systems. But the problem with passwords is that they can be stolen, leaked, guessed or brute-forced. And, paradoxically, the more complex IT tries to make passwords to defeat hackers, the more shortcuts users employ, because it’s difficult for humans to remember “secure” passwords like “6erA0a%b14f*h9Kcs5et909wi”.
Something you are is biometrics, like fingerprint or retinal scanners, or facial recognition. Such hardware (and the software that powers it) has only been reliable and affordable enough for mass use for a decade or so. While it’s a good solution for logging into a local device like a phone or desktop PC, it’s problematic over the Internet: how does a server in the UK know to trust a fingerprint scan from a PC in Texas?
Something you have is a physical device of some sort. Companies that deal in sensitive data pioneered the “RSA SecureID”, a flash drive-type device that displays a six-digit number that changes every 30 seconds. This is a PIN code needed, in addition to the username and password, to log in to certain company resources:
So: Multi-Factor Authentication (MFA) is simply using two (or more) factors at once. In modern usage, MFA typically requires a traditional username and password (something you know) and a code or PIN (something you have). Only instead of a dedicated security device, like the RSA fob, you just use an app on your phone.
The theory is that while hackers may be able to steal or guess your username and password, they’ll need a PIN to login… and since they don’t have your phone, they can’t get the PIN, so can’t log in. TAKE THAT, RUSSIAN HACKERS!
In summary, MFA can stop 99.9% of certain cyberattacks. If you’d like to learn more, click here:
Most websites offer two ways to send a PIN to you.
One is via traditional SMS. If SMS is the only option take it, because it’s better than nothing. In this case, you’ll just login with your username & password, then wait for the text message with the PIN to show up on your phone.
The other is via authenticator app, sometimes just called “mobile device”. If you see this option, please use it.
The problem with using SMS for authentication is, if hackers already know your name and address, it’s not difficult for them to impersonate you and port your mobile number to a new SIM. This means they get your SMS messages, which means they can log in to your account(s) since they’d now have your username, password and PINs.
This might seem like a lot of trouble for a hacker to go to, but lots of “high-profile” users (people with LinkedIn profiles) have had their phones hijacked this way. Because of this, most IT security groups want to move away SMS verification. While that probably won’t happen soon, authenticator apps are the future. So if you’re only just now starting to use MFA, it makes sense to start with an authenticator app.
But what, specifically, is it?
It’s just an app for iOS or Android that generates PINs (usually 6 digit, sometimes 8 digit) you enter to log into a website. Google makes such an app. Authy is a popular open-source one. Apple put one inside their default password manager.
I use Microsoft Authenticator because it was one of the first to have an online backup. If you have a Microsoft Account, you can back up your Authenticator configuration to it. And trust me, should you lose your phone, or upgrade to a new one, or wipe your existing phone, restoring from cloud backup is much easier than manually restoring each account.
How each website enables MFA varies, but generally you’ll:
1) Log in to the website, go to your “Account Info” or “User Profile” page and look for a “Security” or “Password” option.
2) There should be an “Enable Multi-Factor Authentication” or “Enable Two-Factor Authentication” option. Click that.
3) You’ll probably be given an option of getting your PINs via SMS, authenticator app (“mobile device”) and possibly email. Choose “authenticator app“.
4) On the next screen a QR code will appear on your computer’s monitor.
5) On your phone, open the [Microsoft] Authenticator app and click the + symbol near the top of the app to add an account. On the next screen choose “Personal account” if you’re setting up MFA for a personal Microsoft Account. If you’re setting up MFA for a Microsoft 365 account for work or school, choose “Work or school account”. If you’re setting up MFA for any other website – Google, Facebook, Twitter, Amazon, etc. – choose “Other Account”.
6) On the next screen your phone’s camera should open. Take a pic of the QR code on your monitor. The account should automagically configure itself in your app.
7) Repeat for other websites.
This YouTube video shows how to set up MFA in an older version of Office 365. There are slight differences in how websites enable MFA, but the overall process is the same. And this video is less than two minutes, start to finish: setting it up in real life should take less time than that!
Here’s another video about setting up MFA in Facebook:
Once set up, the next time you – or a hacker on the other side of the world – tries to login, you’ll need to enter the password as usual, then open the authenticator app and enter the PIN for that site.
PART III: REALLY IMPORTANT STUFF YOU NEED TO KNOW. THIS ISN’T THE USUAL IT YADDA-YADDA
– Most “serious” websites – like your bank or healthcare provider – won’t let you “save” your MFA login, so you’ll need to use the authenticator app every single time you login to their sites.
– Most “lesser” sites – think Facebook, Twitter, eBay and Amazon – offer a “remember this computer” option after you enter your PIN for the first time. If you’re using a desktop PC that never leaves your house, sure – check that box if you want.
– Microsoft Authenticator allows you to set a PIN or require a fingerprint scan to open the app. You’re probably going to want to do that, since it’s guarding all your logins. Other authenticators have a similar feature – here are instructions for setting it up on Authy, for example.
– You NEED to make sure to update your alternate contact information on each site you enable MFA on, especially for accounts you really care about. Every Android user has a Google Account associated with their phone or tablet… and in many cases, they have years of Gmail, a few Google Docs, and a massive YouTube queue attached to that same account. But I know an embarrassing number of people who never update their alternate contact info. I’ve gotten panicked calls like “I forgot my Google password, but can’t reset it because it sends a recovery email to a Hotmail account I deleted six years ago” or “I’m trying to recover my Google Account, but it’s sending text messages to a phone number I haven’t had since 2009! Is there any way to change this?” The short answer: no. And even if you have no interest in MFA, making sure all your alternate contact info is up to date is always a good thing!
– Be sure to check your authenticator backup before getting a new phone or wiping your existing phone. I did a routine password change on my personal Microsoft Account password, then went to wipe my phone a couple weeks later to fix a specific issue. I checked Microsoft Authenticator and saw that it hadn’t backed up since the password change (because it uses a separate login from other MS apps on your phone). I gave it the new password and did a full backup after that. Crisis averted.
– Make sure you have full access to your backup destination. If you have a Microsoft Account via a Microsoft 365 work account, you can use that account to backup your info. But if you quit your job, you’ll lose access to the Microsoft Account, since IT will disable your account shortly after you leave the building. Maybe a personal account would be better?
– If you just hate MFA, you can stop using it. You just have to stop using it the right way. Login to every MFA-enabled website, then turn off MFA on the site. Try logging in via Incognito Mode afterwards to make sure MFA has been removed. Continue to the next site, until you’re sure MFA is disabled at every site. Then remove the authenticator app from your phone.
– Lastly, remember: if you uninstall the authenticator app on your phone without disabling MFA on each site or having a backup… congratulations, you’ve just gone and made your life very complicated for no good reason at all. You can’t just reinstall the mobile app, because you have to be logged in to the account to add MFA. But even if you could add a Facebook account, the key the server uses to generate the PIN on your particular app won’t be the same, because a key generated on December 10, 2023 will differ from the key you got when enabling Facebook MFA the first time on March 27, 2021.
Here are links to a few authenticator apps from the Google Play Store. iPhone users will have to search the app store themselves: