Not All MFA Methods Are Equally Secure

When it comes to protecting your accounts, a strong password is a must. However, adding multi-factor authentication (MFA) is even better. If your strong password is ever cracked, or exposed in a data leak, MFA will stop someone with access to your password from breaking into your account.

But while any MFA method is better that not using MFA at all, not all methods are equally secure. Let’s look at your main options:

SMS

SMS MFA verification is the most common form of MFA right now. If an app or website supports at least one form of MFA, this is almost always the method that they offer. With SMS MFA, the app or site will send an MFA code to your phone number via text message. You retrieve that code from your messages, then plug it in in the appropriate place online. It’s much more secure than password alone, as a bad actor would have to have access to your phone or phone number too in order to retrieve this code for themselves.

It isn’t foolproof, however. Bad actors can take over your phone number in what’s known as a SIM swap attack: If someone takes over your number for themself, they can intercept all your SMS MFA codes, and log into your accounts on your behalf. This, of course, is a highly specific threat, and isn’t likely to happen to most, but it is a vulnerability in the method.

Email

Email is another common MFA method, and is similar in convenience to SMS: When you try to log into your account, you will receive an MFA code sent to your email address. Retrieve the code from your inbox, plug it into your sign in page, and you’re in. This method is as secure as your email account itself: If you use an easy to guess password without MFA on your email account, bad actors can break into your email and intercept any MFA codes you trigger. However, a properly protected email account can make this method a good option. There is the hitch that most email is not end-to-end encrypted, but for practical purposes, it’s secure enough.

Authenticator app

An authenticator app is arguably the most secure method offered to the general public: With an authenticator app, you link the app to your account during MFA setup. When you go to log in, you need to open the authenticator app, go to the account in question, then retrieve the code. You then plug the code in the sign in page, and you’re set. This is the most secure option in many cases, since you need physical access to the device running the authenticator app, which usually means your smartphone. While that runs a small risk in the event a thief steals your phone while knowing your passcode, for most remote hacking, using an authenticator app will block most hacking attempts.

There are plenty of authenticator apps out there to choose from: Microsoft Authenticator is Microsoft’s option, while Google Authenticator is Google’s. If you want something with some more features and options, there are a series of third-party apps available as well.