How to Protect Yourself With Multifactor Authentication

Quick Answer

Multifactor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism.

How to Protect Yourself With Multifactor Authentication article image.

Data breaches, hacking and phishing can leave your online accounts vulnerable, and enabling multifactor authentication (MFA) is becoming a bare-minimum measure to help keep your information secure. Previously, two-factor authentication was standard, but as thieves became more sophisticated and insistent, security measures had to evolve to protect user data.

You might have been forced to use MFA before, such as when you try to create or sign in to an account and have to enter a code that's emailed or texted to you. However, you can often set up and require MFA on many accounts.

What Is Multifactor Authentication?

Multifactor authentication (MFA) is an identification method that requires someone to use two or more types of information to confirm their identity. In general, you'll do this by sharing information from two or more of the following three categories:

  • Something you know: Information that you can share, such as a password, username, PIN or personal information.
  • Something you have: An object you can confirm you possess, such as a card, phone or badge.
  • Something you are: A unique part of you that you can use to identify yourself, such as your fingerprint, voiceprint or a face or eye scan.

Using MFA enhances security because it can keep someone out of your account even if they have some of your information. For instance, they might know your username and password from a data breach. However, they still can't get into your account unless they can take or replicate something you have or are.

Multifactor Authentication Verification Methods

Companies and consumers can implement MFA in different ways. One common form of MFA is SMS-based verification, which is when you try to sign into an account and have to enter a one-time password (OTP) from a text message. You're entering something you know—the username and password—plus using the OTP to prove that you have the phone in your possession.

Other MFA verification methods include:

  • Authenticator apps: Authentication software, sometimes called a software token, is a program that generates limited-time OTPs. These can be standalone apps, such as Google Authenticator, Authy or Microsoft Authenticator. But other security software, such as password managers, may also offer authenticator apps as an additional feature.
  • Push authentications: Rather than entering a code that an app generates, some authenticator apps use push notifications that allow you to verify a login attempt with a single click.
  • Hardware and security tokens: There are also standalone physical devices (which could look like small thumb drives) that you can use for verification. These may generate OTPs, or you may have to plug in the device or hold it near a phone that has contactless near-field communication capabilities.
  • Biometrics: Additionally, you may be able to use your biometric data as a second form of identification via a fingerprint or face scanner on your phone or laptop. Some security tokens also support biometric authentication.

There are pros and cons to the various options, including trade-offs between cost, ease of use and security.

For example, while SMS-based verification could be free and simple, its popularity has also made it a target for fraudsters. Some have figured out how to swap or port a victim's phone number to a new phone, and then receive and use the OTP to log in to the victim's account. As a result, it's not the safest option available.

It's also a game of cat and mouse as criminals look for new ways to break into your accounts. Major phone carriers now let you turn on security measures to protect yourself from SIM swapping and porting attacks. However, you still have to watch out for fraudsters that use bots to trick victims into sharing OTPs instead of taking over the victim's phone number.

How to Set Up Multifactor Authentication

The process for setting up MFA depends on which verification methods the company supports and which method you want to use. In some cases, you might not be able to enable MFA at all, or the company might only support MFA via text messages.

When it's an option, enabling MFA via text message could be as simple as clicking a checkbox in your profile. Setting up a new authenticator app or device might be trickier, but it's still generally a straightforward process. If you're unsure where to begin, see if the authenticator method's creator or the website you're trying to secure offers tips or a walkthrough.

You can also try to see which types of MFA a company supports before creating an account by checking the website's resource pages or a site like the 2FA Directory. The directory lists many popular companies and their support MFA methods, and it has links to some of the company pages where you can read more about enabling MFA.

Additional Ways to Protect Yourself From Attackers

Turning on MFA is an important part of keeping your accounts secure from hackers and fraudsters, but there are also other measures you should consider taking:

  • Use a password manager. Having strong and unique passwords can help keep a single data breach or hack from compromising all your accounts. A password manager makes it easy to create, save and input these passwords on your computer and phone.
  • Don't share personal information online. Fraudsters can use personal information to impersonate you, which might allow them to persuade a company representative to change your account settings or let them open a new account or loan in your name. You can also use a free privacy scan to see what's already online and try to get your information off people search sites.
  • Beware of phishing, smishing and vishing. Criminals may use phishing, smishing and vishing attacks to impersonate a company or government representative and trick you into sharing your personal information or authentication code. Or, they might get you to click on a link that infects your device with malware. Beware of any inbound messages or calls, especially if the sender is trying to scare or threaten you.
  • Use non-SMS methods for MFA. For your most important accounts, consider using a hardware or security token, if it's supported. Or, at least try to use a non-SMS form of MFA. If these aren't available, SMS MFA is better than nothing.
  • Enable SIM swapping protection. Look into your phone carrier's options for preventing SIM swapping and porting. Major carriers may assign you a PIN or let you temporarily lock your account, which keeps others from taking over your phone number.
  • Watch out for MFA fatigue attacks. Several major corporations have had data breaches after attackers repeatedly tried to log in to an account, prompting the target to receive MFA push notification requests. Don't fall for it and hit approve if this is happening to you, or your account could be compromised.

Many companies are also working behind the scenes to improve account security. For example, even if you haven't turned on MFA, when someone tries to log in to your account, the company might review the device data, location, time of day, typing speed and other biometric data. If they suspect it might not be you, they may require MFA via a text or email—which is also why you might get sent a text with an OTP when you log in from a new device.

Take an Active Approach to Your Cybersecurity

A few simple steps, such as using a password manager and enabling MFA, can go a long way in keeping your accounts secure. If you're worried about identity theft and hackers, you can also look into an identity theft monitoring program. While they can't prevent a data breach, they can help tell you if your information was compromised or if someone is trying to open a new credit account in your name. Experian IdentityWorksSM also comes with insurance and fraud support services that can help you if you're the victim of identity theft.

The purpose of this question submission tool is to provide general education on credit reporting. The Ask Experian team cannot respond to each question individually. However, if your question is of interest to a wide audience of consumers, the Experian team may include it in a future post and may also share responses in its social media outreach. If you have a question, others likely have the same question, too. By sharing your questions and our answers, we can help others as well.

Personal credit report disputes cannot be submitted through Ask Experian. To dispute information in your personal credit report, simply follow the instructions provided with it. Your personal credit report includes appropriate contact information including a website address, toll-free telephone number and mailing address.

To submit a dispute online visit Experian's Dispute Center. If you have a current copy of your personal credit report, simply enter the report number where indicated, and follow the instructions provided. If you do not have a current personal report, Experian will provide a free copy when you submit the information requested. Additionally, you may obtain a free copy of your report once a week through December 31, 2022 at AnnualCreditReport.