The Importance of Multi-Factor Authentication (MFA)

Michael Potter
Jun. 29, 2018 by Michael Potter

A Simple Way to Increase Your Online Security

Verifying someone’s identity has been an issue for millenia. If you are a Roman general commanding your legions in 250 BC, how might you be sure that some unknown messenger is truly from the emperor, like they claim? How could people in ancient, secret-societies prove their membership, and how could one be sure that a royal decree actually came from the king? If you wanted to enter a prohibition-era speakeasy, how could you prove you weren’t a cop? Historically, authenticating identity has typically been done through several different methods including signatures, secret handshakes, spoken passwords, or stamping with a unique, personal seal. Today, our society has no less of a demand for identification and authentication, however our increasingly digital world has defined the need for modern methods of authentication.

Types of Authentication

Security experts generally agree that there are three main categories of authentication:

  • something you know, like a password or pin
  • something you have, like your passport, driver’s license, or debit card
  • something you are, like biometrics and signatures

While one of these things can be used to confirm somebody’s identity, for better assurance multiple forms of validation must be used. It is possible that somebody has obtained one these factors in order to pose as you; maybe they’ve stolen your pin or forged your signature. But how likely is it that this same someone looks like you, knows your passwords, and has fingerprints identical to yours? It is the need for stronger authentication that drives the modern push for “Multi-Factor Authentication.”

Multi-Factor Authentication, or MFA, is where more than one of the three forms of authentication are used. 2FA is a moniker referring to exactly two of these factors. In its modern form, you will typically need to provide your password as well as a code obtained from a device in your possession. These codes are called One-Time Passwords and can be either sent to your device through a seperate communication channel, or generated offline.

Many sites will support MFA through text message, where a code is generated by the company, sent to your phone in a text, and then typed into the site by you. While this is particularly convenient, it is also somewhat less secure than generated codes. There are documented instances of an attacker pretending to be someone else and gaining control of that person’s phone number, essentially routing all texts to the attackers device.

A safer alternative is the TOTP protocol (Time based One Time Passwords). This is a protocol designed to allow an offline device to generate pseudo-random codes in sync with another server. This works by passing a token from the server to the client’s device through some sort of out-of-band transmission, usually by pointing your phone’s camera at a QR code or typing out the token. Then, when you need a code, your device generates a six digit number based on the shared token and the current time. This time-based auth has several implications. First, the generated passcode changes roughly every 30 seconds or so meaning that unless an attacker has possession of your device, they have no way of reliably spoofing this code. Secondly if your MFA device’s clock is out of sync, your generated password won’t line up with the password generated by the server, a common issue for frequent travelers.

While there is dedicated hardware out there to generate TOTP codes, for most people it is sufficient to download one of many smartphone apps to do the job. Popular TOTP apps include: Google Authenticator, Duo mobile, and the open source andOTP. Keep in mind however, that losing your phone or buying a new one may result in a loss of access to your accounts. Most services will provide a short list of pre-generated, one time passcodes in case this happens. Make sure to keep these codes in a safe location, or take a picture of the QR code and print off a copy (again, kept in a secure location).

MFA with your SparkPost Account

In order to keep your SparkPost account as secure as possible, we highly suggest enabling MFA on your account. It’s a simple step that will really help secure your account in the case of an accidental password leak or a workstation breach. For a simple guide to setting up MFA, you can reference this doc.


Related Content

Email Security’s Hidden Complexity: Are Termites Eating Your House?

Any company working with customer data or providing any service online needs to pay close attention to security and get their "house" in order.

read more

Why Attestations Are Just One Part of Your Cloud Security Program

Attestations are a necessity for any cloud security program. Here’s why you need to look beyond just checking the boxes to ensure your perimeter is secure.

read more

How to Protect Your Personal Devices From Online Security Threats

With the slew of new technology gadgets, there is an increased risk of mobile and online security threats. Here are a few tips to keep your devices safe.

read more

Get started and start sending

Try SparkPost and see how easy it is to deliver your app’s email on time and to the inbox.

Try Now

Send this to a friend