
Multi-factor Authentication

Instead of relying on a password alone, we add a second factor. The most common of these is the one-time password (OTP).

You might have heard of Google Authenticator, or perhaps Microsoft Authenticator?

These applications are used as a second form of authentication and fall under the idea of "something the user has". Combined with "something the user knows", like a password, you now have two-factor authentication.

If we come back to our situation above, where the user's password is compromised, the account should still be safe because the user has enabled multi-factor authentication. The hacker who has the password would also have to get hold of the thing "the user has" - in most cases, their mobile phone.

So, a user sets a decent password/passphrase that is unique to each account (what they know), and enrols a TOTP token as a second form of authentication (what they have). A hacker has to get both items to breach the account (in most cases - there are many other attack vectors).

I advise you to install Google Authenticator or Microsoft Authenticator. I prefer Microsoft's because, with a Microsoft account, I can back up the account and the secrets behind the codes. If you change devices, they follow you. Google Authenticator doesn't support this.