Cybersecurity Awareness Basics
How to avoid identity theft, frauds, scams and more. Click below for more information.
Read our latest Fraud Newsletter: Citizens Fraud Update - Spring 2025
What is Multifactor Authentication (MFA) and Why Should You Use It?
You can protect your online accounts with more than just a password.
Multifactor authentication (MFA) adds another layer of protection—think of it like securing your front door with both a deadbolt and a keypad lock. MFA is a simple, effective way to keep hackers out, even if they manage to get your password.
What is multi-factor authentication?
Multifactor authentication, often called MFA, is a security feature that requires you to verify your identity in multiple ways before accessing an account. You might also hear it called two-factor authentication (2FA) or two-step verification.
Here’s how it works: when logging in, you provide your username and password as usual, but then you add another step to prove it’s really you. This second step could be a fingerprint, a code sent to your phone, or even a notification from an app.
Why bother? Because passwords alone can be stolen or guessed, especially if they are short, use common words, and are reused. As a reminder: each password should be unique, at least 16 characters long, and a random string of characters. MFA makes it exponentially harder for cybercriminals to break into your accounts. Even if they know your password, they’ll hit a wall.
MFA increases the security of an account by 99%
According to guidance by the Cybersecurity and Infrastructure Agency (CISA) and backed up by research from Microsoft, enabling MFA can prevent 99% of automated hacking attacks.
The math makes sense. If you require both a password and another factor like FaceID to increase your protection, the account's security basically doubles!
It's important to remember that these statistics refer to automated attacks. You still need to be on the lookout for social engineering hacks, like phishing, where cybercriminals try to trick you into giving them your password or MFA code.
How does MFA work?
Enabling MFA means tweaking your login process just a bit:
- Enter your username and password.
- If correct, you verify your identity in a second way.
Depending on the account or service, this second step might involve:
- A text or email with a one-time code.
- A prompt in an authentication app like Google Authenticator.
- A biometric scan (e.g., fingerprint or facial recognition).
- A physical security key.
Most MFA systems are quick and seamless, adding between five and 30 seconds to your login time while almost doubling your security.
Types of multifactor authentication
MFA usually requires two factors, which is why it is sometimes called two-factor authentication. One factor is your password. The other factor can include:
- One-time passwords (OTP): Codes sent via text or email expire quickly.
- Authenticator apps: Apps like Duo or Microsoft Authenticator generate time-sensitive codes or send push notifications to approve logins.
- Biometrics: Scans of your fingerprint, face, or voice.
- Hardware tokens: Physical devices, such as USB keys, that connect to your computer to verify your identity.
- Security questions: Answers to personal questions, like your first pet’s name or high school.
- PINs: A secondary password unique to the service.
MFA fans will say these factors break down into three categories:
- Something you have: text message codes, authenticator apps, and hardware keys.
- Something you know: passwords, security questions, and PINs.
- Something you are: biometrics.
While any form of MFA is better than no MFA, we recommend using authenticator apps, biometrics, or hardware devices as second factors. Text message codes and security questions are more vulnerable but are still better than only a password.
Where should you enable MFA?
MFA is common nowadays, and many services allow you to enable it. Start by checking the accounts you use daily. Some familiar platforms that typically allow for MFA include:
- Banking: Secure your financial data with MFA for online banking and payment apps.
- Email: Protect your inbox, which often holds sensitive information and links to your other accounts.
- Social media: Keep your accounts safe from unauthorized posts or takeovers.
- Online shopping: Add an extra layer of security to your stored payment details.
If a service offers MFA, turn it on—especially for accounts involving finances, sensitive information, or personal data. And honestly, most of our accounts today involve sensitive personal information you don't want hackers to have.
Can MFA be hacked?
While MFA is highly effective, it’s not invincible. Some cybercriminals use social engineering to trick users into granting access. For example, they might flood you with MFA requests, hoping you’ll approve one out of frustration or confusion.
If you receive an MFA request and you aren’t logging in, don’t approve it. Instead:
- Contact the account's platform immediately.
- Change your password for the account.
- Update any other accounts that use the same password – this is why every password should be unique to the account.
Despite rare instances of bypasses, MFA remains one of the strongest defenses against unauthorized access.
Is a passkey the same as MFA?
Passkeys are a newer login technology that we're very excited about. In a sense, they are a form of MFA, but neither factor required is a password. In this way, they pave the way forward for a passwordless future. Instead of a password, generally, the factors involved are the possession of a device and biometrics, like a facial scan. If you're prompted to set up a passkey, try it out! They are simple to set up and are incredibly secure.
Why MFA is a must
Your data is valuable, and MFA takes your protection to a new level. This simple tool adds a robust layer of security that can stop hackers in their tracks.
Don’t wait for a hack to teach you the hard way—take action today. Enable MFA on all accounts that offer it and enjoy the peace of mind that comes with knowing your digital life is well-protected.