What is Multi Factor Authentication?
What is Multi Factor Authentication, and how can it protect you?
Multi factor authentication (MFA) is becoming more and more common, but what really is it? When you sign in to your online accounts, a process called authentication, you prove to the service you are who you say you are. Usually you enter just a username and password, but sites are becoming safer and more secure by requiring you to enter more information. You’ll use multiple different factors - something you know, something you have, or something you are - to log in and stay secure.
For example, Roblox offers two factor authentication (2FA) to secure your account. When you log in, you might need to scan your fingerprint or enter a code from an app or email. This keeps hackers from taking over your account if they guess your password. A Roblox account can contain Robux, rare items, or it can even be used to run a popular game, and hackers will try to get access to all of these.
(If you have a Roblox account, you can click here to see your own account’s security settings)
How does it work?
When you type in your password, you utilize a single-factor authenticator. You use something that you know, and only you should know what it is. There are three kinds of factors for authentication: something you know (like a password), something you have (like a phone or physical key), or something you are (like a fingerprint or your face). MFA means that you need more than one factor to log in. You typically type in your username and password, then accept a prompt on your phone to confirm the login attempt. If you use both something you know and something you have, like a phone, then the attacker would need to physically steal your phone to log in. This is impossible for the average hacker who is likely hundreds or thousands of miles away from you and won’t be able to hijack your phone.
Why do sites use it?
Hackers can easily get access to massive lists of usernames and passwords. Since 2007, data breaches and password leaks have become more common and more intense. You can search sites like haveibeenpwned to find out whether your account is one of the nearly 12 billion exposed in a data breach. Hackers use programs to automatically try these combinations of usernames and passwords on other websites and log in to those accounts. According to the Verizon Data Breach Investigations Report, 43% of compromises used stolen credentials. If you use the same password for different sites, such as a game, Netflix, and your Gmail, then the attacker can log in to all of those accounts once they discover one password.
What if it fails?
However, 2FA doesn’t always work. If a hacker steals someone’s password and copies a fingerprint like in a spy movie, then they could log in to the account and take control of it. Additionally, hackers can convince people to let them into an account or network. These attacks are called social engineering attacks, and they work by attacking the person instead of the computer. You might know that scammers call and pretend to be foreign royalty then ask for money, but some use even more advanced techniques.
This September, both Uber and Rockstar Games were hacked by a teenager using social engineering techniques. To hack Uber, he repeatedly attempted to log in using an employee’s stolen credentials. MFA prevented him from logging in with just the credentials, as it required the legitimate employee to confirm the login. He then texted that employee, claiming to be tech support and saying that the employee needed to accept the MFA prompt so he could fix it. The victim was convinced and allowed the hacker to sign in. He used this account to find even more passwords, and was able to access the full network from there. He reportedly used a similar technique to hack Rockstar and leak footage of their upcoming game, GTA 6. During both of these hacks, MFA slowed down the attacker, but he was able to get around it using social engineering.
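The pattern in the Uber story, a run of MFA prompts that are denied or ignored followed by one that is accepted, is something a login service can watch for. The sketch below is an added example, not code from this article or from any real service; the log format, event names and thresholds are assumptions made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real service): time, user, push result.
SAMPLE_LOG = """\
2024-01-01T21:00:05 alice push_approved
2024-01-01T22:10:00 bob push_denied
2024-01-01T22:10:40 bob push_timeout
2024-01-01T22:11:15 bob push_denied
2024-01-01T22:12:02 bob push_timeout
2024-01-01T22:13:30 bob push_denied
2024-01-01T22:19:45 bob push_approved
2024-01-02T08:00:00 carol push_timeout
2024-01-02T08:00:30 carol push_approved
"""

def parse(log):
    """Yield (timestamp, user, result) tuples from the log text."""
    for line in log.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.fromisoformat(ts), user, result

def find_push_fatigue(log, threshold=4, window=timedelta(minutes=15)):
    """Flag users who got `threshold` or more unapproved prompts inside `window`.

    Severity is "high" when an approval arrives while that burst is still
    inside the window: the moment a worn-down or tricked user taps Accept.
    """
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = {}
    for ts, user, result in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:  # forget prompts older than the window
            q.popleft()
        if result in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(user, {"user": user, "prompts": 0, "severity": "medium"})
                alerts[user]["prompts"] = max(alerts[user]["prompts"], len(q))
        elif result == "push_approved":
            if len(q) >= threshold:  # approval right after a burst
                alerts[user]["severity"] = "high"
            q.clear()
    return list(alerts.values())
```

On the sample log only bob is flagged: a single missed prompt before an approval, like carol's, is normal, while five unapproved prompts followed by an approval is the signal worth a second look.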
Hackers also target average users using malware they buy online. A hacker might ask people to play their game, but the “game” will have code hidden in it to steal your passwords. This is increasingly common on platforms like Discord, since the scammer can use stolen accounts to send the virus to everyone on the victim’s friend list. The screenshot shows an example of how an attacker will pose as your friend, using their hijacked account, and try to hack you with the same method.
It’s important to watch out for these scams and know how to deal with them when you come across one. Always beware of deals that seem too good to be true, and never download programs that strangers send you. You should tell a parent or trusted adult if you’re targeted or hacked, and immediately change your passwords if you are. If you were infected with a virus that targets a specific program, you should uninstall it and run an antivirus scan before reinstalling it.
Conclusion
To keep it short, multi factor authentication is a great way to protect your online accounts. It stops hackers from getting in by guessing your password or reusing a leaked one. You should definitely enable it for anything important, like your email or important programs, and consider it in other places like games and websites.
Thanks for reading!