Multi-Factor Authentication

What is Multi Factor Authentication (MFA)?

A cyber security practice that requires the use of more than one authentication method (factor) to verify a user’s identity. There are 3 types of factors:

  1. Something You Know
    • E.g., password, passphrase, PIN, and more

  2. Something You Are
    • E.g., biometrics: fingerprint, retina, voice, face, and more

  3. Something You Have
    • E.g., mobile phone, access card, digital token, and more

Why Use MFA?

Creates a layered defense that makes it more difficult for a person/entity to access data for which they are not authorized.

Two Locks are Better than One!

Having two or more authentication steps makes it harder for attackers to breach an account. If an app, device and/or service offers MFA, enable it!

Password Best Practices

  • Use numbers, letters, & special characters to create long & complex passwords.
  • Have a different password for each account, & never reuse old passwords.
  • Never reveal/share your password with anyone & don’t record your passwords where they can be seen/found. Consider using a reputable password manager.
  • For more information about good password practices, refer to Account Management and Passwords.

What Are MFA Bypass Attacks?

Cybercriminals are always looking for ways to reach valuable data. MFA bypass attacks try to avoid and circumvent multi-factor authentication using a variety of methods.

Here are some of the more common forms of MFA bypass attacks:

  • MFA fatigue attacks: The attacker delivers a high volume of requests for you to authenticate access—also known as spamming with push notifications. This is intended to gradually fatigue the user until they accidentally accept a request or do so to stop the requests.
  • Token theft: One example is a “Pass the Cookie Attack,” where an attacker can bypass MFA authentication by compromising browser cookies.
  • Voice phishing (vishing): An attacker calls a potential victim and impersonates a trusted source. The victim is asked to accept an MFA request under a false premise. For example, the attacker may ask the user to reset a password following a breach.
  • Adversary-in-the-Middle (AitM) attacks: A new breed of phishing software can bypass MFA. Attackers use these tools to compromise browser sessions and steal credentials or session cookies in real time.

How To Avoid MFA Bypass Attacks

First and foremost, remember to use strong, unique passwords for each account, and make sure you and your organization have MFA switched on. To help avoid MFA fatigue attacks, you can set limits on how many push notifications can be sent before locking the account.

Take That Extra Step

Without a doubt, new attack methods will continue to evolve. So, whether you are at work or at home, you should always opt for MFA when it’s offered. It’s worth taking a few extra seconds to protect your accounts, devices, data, and systems.
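As an added illustration of the push-notification limit described above (example code written for this page, not taken from any MFA product), the following Python class caps how many push prompts a user can receive within a time window and locks the account once the cap is exceeded. The user names, window and lockout values are constructed for the example.

```python
"""Push-prompt limiter for MFA fatigue mitigation (illustrative example).

Each user may receive at most `max_prompts` push notifications within
`window_seconds`. A request beyond that cap locks the account for
`lockout_seconds`, so an attacker with a stolen password cannot keep
spamming the user until they accept one.
"""
from collections import defaultdict, deque


class PushPromptGuard:
    def __init__(self, max_prompts=3, window_seconds=300, lockout_seconds=900):
        self.max_prompts = max_prompts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._prompts = defaultdict(deque)  # user -> timestamps of prompts sent
        self._locked_until = {}             # user -> time the lockout expires

    def is_locked(self, user, now):
        """True while the user's lockout is still in effect at time `now`."""
        return self._locked_until.get(user, 0) > now

    def request_prompt(self, user, now):
        """Decide whether a push prompt may be sent at time `now`.

        Returns "sent" if the prompt is allowed, or "locked" if the account
        is (or has just become) locked because too many prompts were sent.
        """
        if self.is_locked(user, now):
            return "locked"
        sent = self._prompts[user]
        while sent and now - sent[0] > self.window:  # forget prompts outside the window
            sent.popleft()
        if len(sent) >= self.max_prompts:
            # Cap exceeded: lock the account and stop sending prompts. A real
            # deployment would also alert the user and the security team here.
            self._locked_until[user] = now + self.lockout
            sent.clear()
            return "locked"
        sent.append(now)
        return "sent"

    def prompt_accepted(self, user):
        """The legitimate user completed MFA; reset their prompt counter."""
        self._prompts[user].clear()
```

A successful login clears the counter, while unanswered prompts keep accumulating toward the cap.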

Don't Fall Prey; Use MFA!