The Genius of MFA Codes
Multi-factor authentication or two-factor authentication (MFA or 2FA, respectively), is one of the best ways you can protect your accounts from bad actors and malicious users. Even if hackers get a hold of your username and passwords (sometimes routinely leaked in data breaches online) they won’t be able to get into your account without access to MFA’s secret weapon: the code.
See, MFA works like this: After you enter your username and password correctly, your account then asks you to enter the code presented on your trusted device. This code can take a few forms: The most popular is the SMS code, in which the account sends the code to your cellphone via text message. Another option is an authentication app, which generates random codes every 30–60 seconds. Apple has a built-in MFA system wherein it sends a code directly to your trusted device: Unless you have physical access to that device, you won’t be able to retrieve the code.
Apple can do this because of its tight-knit ecosystem. However, you’ll likely be presented with the option to go with SMS or authentication app. While any MFA is better than none, the safer route is to go for the authentication app to generate your codes. Here’s why.
When you receive your codes via SMS, you run the risk of SIM swapping: Hackers can trick your carrier into giving your number over to their SIM. Once that happens, all incoming text messages will head their way, giving them access to the MFA codes if they have your login credentials.
If you set up MFA with an authenticator app, however, this risk is eliminated: Hackers would need physical access to your unlocked phone in order to open the authenticator app and retrieve the code. Plus, unlike SMS, authenticator apps regenerate the code frequently: If the code was somehow compromised, it would be useless after less than a minute.
That said, again, any MFA is better than no MFA. If you have SMS set up, that’s fine: SIM swapping isn’t a common occurrence, and the risk of it is outweighed by the benefits of having MFA set up for your accounts. Just remember: Never give out your MFA code to anyone: If your “bank” calls you and tells you to let them know what the MFA code is for your account when attempting to log in, hang up.