Do you use MFA instead of typing a password?

Last updated by Harry Ross [SSW] about 1 month ago.

The best protection you can give your password is to not rely on it alone. Multi-factor authentication (MFA) requires more than one kind of proof when you log in to an account. Typically this is something you know (your password) plus something you have (your phone; older people will remember RSA tokens).

Your phone can provide the second factor either through an installed authenticator app or by receiving an SMS containing a one-time password. Authenticator apps are recommended, as they are more secure than SMS: the code is generated on the device, whereas an SMS can be intercepted or redirected (e.g. via SIM swapping).

Biometric security is now common, using facial recognition, fingerprints, or, in more advanced scenarios, palm-vein scanning (and plenty of others). Biometrics are a third category, something you are. While they offer convenience and reduce our reliance on passwords, in practice they usually replace the username and password altogether (while still relying on an underlying account behind the scenes), rather than providing an additional factor (e.g. username + password + fingerprint).

Nearly every service you use now supports MFA, through an authenticator app, SMS, a phone call, or even email if no other option is available. Ensure it is enabled for everything you use.

Figure: OK example - SMS is less secure than other methods

Figure: Microsoft's Authenticator app in action

Passwordless sign-in

If you use the Microsoft Authenticator app, you can go one step further and remove the need to type a password at all. To enable passwordless sign-in:

  1. Open the Authenticator app, and tap on the account you want to enable it for
  2. Tap Enable phone sign-in and tap Continue

Once it is enabled, you need to change your default sign-in method. The next time you sign in:

  1. Instead of typing your password, select Use an app instead or Other ways to sign in
  2. Select Approve a request on my Microsoft Authenticator app

Figure: MFA sign-in | Use an app instead

Note: The "Use an app instead" option can take some time to appear on your login prompt after you have enabled phone sign-in in the Authenticator app.

See detailed instructions from Microsoft.

Figure: Good example - Microsoft Authenticator app with Passwordless sign-in (recommended)

Use 2FA in Keeper

Keeper is a password manager with a built-in feature to store MFA secrets and generate the corresponding codes. Keeper has developed a fully integrated security layer that adds two-factor codes directly to vault records.

Keeper can act as the authenticator for a password entry, replacing Google Authenticator, Microsoft Authenticator, or any other app that uses time-based one-time passwords (TOTP). To set this up, open the password entry and click the Add Two-Factor Code button, found under the Custom Fields and File or Photo options. You can then upload the QR code the service shows you, or manually enter the secret key, and Keeper will generate the TOTP codes for that account.

Figure: Good example - Google authenticator 2FA enabled and saved in Keeper
