
Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA), sometimes referred to as 2-Factor Authentication (2FA), adds an extra layer of security to an account. Enabling it requires another step to log in to an account beyond a password.

There are 3 common methods available for MFA: Security Keys, Authenticator Apps, and SMS (from most to least secure). This resource goes over each option and evaluates its benefits and drawbacks.

Security Keys/Passkeys

Security Keys are the newest and most secure form of MFA. They allow you to use either system biometrics (e.g. Face ID, Touch ID, Windows Hello) or physical security keys (e.g. Yubikeys) to access your account. Your device registers a key with the service, and sends the data to the service when you log in. Services are never given access to biometric data.

Security Keys are the best method out of the three, being simple to use (integrated into your devices), and importantly, phishing resistant. The way they are designed, key data will never be sent to a domain it was not registered on.

Unfortunately, due to being a newer technology, many services do not provide support for security keys, but support is rapidly growing.

Authenticator App/TOTP

Authenticator Apps are another option for MFA available in most services. In this option, you register a QR code (or manually enter a code) with an authenticator app (such as Authy or Google Authenticator). This app will then generate a code every 30 seconds, which can be used when logging in.

It is important to keep in mind that unlike security keys, authenticator apps are still phishable.

SMS/Text

Finally, we have SMS MFA. This method sends you a text message with a code when logging in. Note that SMS is the weakest form of MFA, and should only be used if no other options are available. Still, having some form of MFA is better than none.

SMS MFA is vulnerable in multiple ways, through bad actors intercepting text messages, and through "SIM swapping" to take over a phone number.

What if I lose access to my MFA method?

In the worst case scenario, such as your devices being lost or stolen, there is still a way to recover your account. When enabling MFA, services allow you to download backup codes which can be used to recover your account when needed. It is important to download these codes when enabling MFA, just in case.

These backup codes should be stored in a secure place, such as a password manager (or even printed out if you want) in order to keep them secure and accessible.