Still wondering how to create the perfect password for your online account? Don't worry, those days will soon be over. Let's talk about what really matters: multi-factor authentication (MFA) or, as it is usually called, two-factor authentication (2FA).
Why is a password no longer enough?
Quite simply: because passwords are insecure. Either they are too weak, you reuse them across several accounts, or they end up online through data leaks. Even the strongest password offers no protection against phishing attacks in which scammers trick you into handing over your login data.
This is where 2FA comes into play. It's like a second lock on your digital door. You no longer log in only with something you know (your password), but also with something you have (an app or a hardware token) or something you are (like your fingerprint).
In short: 2FA is the best defense against most account takeovers. In fact, Microsoft estimates that 2FA could prevent 99.9 % of all account hacks. That is a number that should not be ignored.
Authenticator apps: The classic in your pocket
Forget SMS codes, which can be intercepted. Authenticator apps are the gold standard for 2FA. Apps like Google Authenticator or Microsoft Authenticator are the easiest and most secure solution for most of us.
How it works:
- You activate 2FA on a website.
- The website will show you a QR code.
- You scan the code with your Authenticator app.
- Done! The app now generates a new six-digit code every 30 or 60 seconds.
The next time you log in, enter your password and then type in the current code from the app. The nice thing about it: the codes work even when your phone is offline, because they are computed from a shared secret and the current time rather than fetched from a server.
Benefits of authenticator apps:
- Safer than SMS: The codes are generated directly on your phone and are immune to SIM swapping attacks.
- Free: The apps cost nothing.
- Convenient: You almost certainly have your smartphone with you anyway.
But keep in mind: if you lose your phone, you're locked out. Be sure to save the recovery codes that websites give you when you set up 2FA!
Hardware tokens: The keychain for your security
Want to go one step further? Then hardware tokens such as the YubiKey are the right thing for you. These are small USB sticks or NFC devices that you plug into your computer or hold to your phone in order to log in.
How it works:
- You log in with your password.
- The website asks for the second factor.
- You plug your YubiKey into the USB port or hold it to your smartphone.
- A quick tap on the token's button, and you're in.
Advantages of hardware tokens:
- Phishing resistant: The token binds its response to the address of the website you are actually on, so a phishing site with a different address gets nothing it can use.
- Very secure: The secret key is stored on the token and never leaves it, so it cannot be copied off your computer.
- No codes to remember: No typing, no stress. One press of a button is enough.
But keep in mind: hardware tokens cost extra, and it can be tedious to always have them with you. You also have to be careful not to lose them.
What should you use?
For most of us, an authenticator app is the perfect choice. Popular options include Google Authenticator, which is available for both Android and Apple devices, Microsoft Authenticator, open source alternatives, and even solutions that run entirely in the browser. Most password managers also offer this functionality.
They offer a fantastic balance of security and convenience. But if you want to protect particularly sensitive data or simply play it safe, hardware tokens are a worthwhile investment.
And remember: any type of 2FA is better than none at all! Start right away and protect your most important accounts first. Your digital self will thank you!
Here are the other important elements of multi-factor authentication (MFA), briefly and crisply explained.
What you are: biometrics
Biometrics are based on your unique physical characteristics. They are not only secure but also super convenient.
- Fingerprint and facial recognition: These are the best known biometric methods we know from unlocking our smartphones. They are fast and very hard to fake. However, the data can be sensitive and once compromised, it cannot be easily changed.
- Iris scans and voice recognition: Less common, but very secure. They are often used in highly sensitive areas.
What you do: Behavioural analysis
This method is aimed at professionals and mostly runs in the background. It analyzes how you behave online to check whether you really are you.
- Behavioural profiling: Systems learn how you normally log in: which devices you use, at what time of day, and from where. If something doesn't match, for example a login at night from a foreign country, additional authentication is required.
- Keyboard and mouse dynamics: Yes, the way you type or move the mouse can also serve as an identity feature. This is still relatively new and is mainly used for continuous monitoring during a session.
Where you are: Location-based authentication
Your location is used as a factor. If you try to log in from an unusual location, the system becomes suspicious.
- IP address and geolocation: Your login attempt is compared with your usual location. If you normally log in from Berlin and suddenly want to log in from Tokyo, the system may require additional verification.
- Geofencing: An even more precise method that defines a specific physical area. Logins are only allowed within this zone, which is especially useful in companies.
Ownership-based authentication that goes beyond the app
While authenticator apps are the most widely used, there are other ownership factors that are often used in the industrial and banking environment.
- Certificates and smart cards: Digital certificates are files on your device that identify it automatically when a secure connection is established. Smart cards are physical cards with a chip that require a PIN and are often used for access to corporate buildings or government agencies.
- SMS and email codes: Although widespread, they are considered less secure because they can be intercepted or redirected by attackers (for example through SIM swapping). For this reason, experts advise against using them for sensitive data. They are better than nothing, but not the safest choice.
- Phone calls: Similar to SMS, except that a code is read out to you. The problem is the same: this method is susceptible to phishing and is hardly used today.