How to protect your data with multi-factor authentication (MFA)

Much of our lives are lived online these days, whether that’s posting an image of your family holidaying on social media to share with your friends or getting an email telling you when your internet shopping is going to arrive.  

More crucially, we use computers and phones to access all sorts of services, including our bank. Getting your social media account hacked might be embarrassing, but if someone gets hold of a password and money starts disappearing from your account, it can be far more stressful. So how do you keep your details safe? 

One of the most useful and easiest ways to keep your information safe is to enable multi-factor authentication (MFA). As an Application Security Engineer here at Allica, I have years of experience helping businesses and individuals be secure online.

I wanted to share some key things you should know about MFA, including how to set it up and what it could protect you against. 

What is multi-factor authentication? 

Multi-factor authentication (sometimes called two-factor authentication or 2FA) adds an extra layer of security to your login process for digital accounts. You can set it up for your Allica Bank savings or business current account, your emails, or many of the apps on your phone. 

The normal login process that many of us use day-to-day is known as ‘single-factor authentication’: you use a single piece of data (your password) to prove that you are the owner of an identity (your email address or username). 

With MFA, you add another layer of verification to this process. To simplify it, MFA is like adding a second, unique security check to your login process – on top of your normal password. 

By adding this extra step, it becomes much harder for bad actors to do any damage. If you use MFA, learning your password would no longer be enough for a criminal to access your accounts. 

What are the different kinds of MFA? 

The extra layer of security that MFA offers can take different forms. We've explored these below, along with the pros and cons of each. Each has its merits, but all are valid options if you want to add MFA to your login process. Go with what feels right – and easiest – for you. 

SMS verification 

After entering your login details, you’ll see another step on your screen that asks you to enter a ‘one-time password’ (OTP). This password will be sent to you via SMS (text message). You’ll then simply have to write (or copy and paste) the code into the box on your screen. 

OTPs are often only valid for a short amount of time – 15 minutes, for example – to add another layer of security. 

You might be asked to confirm the last three digits of your phone number before you can be sent the code. 

Pros 

  • Availability – almost everybody has a mobile phone nowadays. 
  • Familiarity – the vast majority of people are familiar with text messages. 
  • User-friendly – you don’t need to download anything or go through a lengthy process. 

Cons 

  • Security risks – SMS can be intercepted, or your SIM can be cloned. 
  • Reliant on network – if you don’t have mobile signal, you won’t receive your OTP. 
  • Potential costs – if you use this method when abroad, you could be charged according to your network’s international rates. 

Biometric verification 

Biometric means the recognition of individuals by their unique characteristics. If your device has a biometric scanning feature, you can use this as an MFA method. Most commonly, this is your fingerprint or face. After entering your usual login details, you’ll be prompted to verify your identity with your biometric data. 

Pros 

  • Convenience and familiarity – it’s built into many smartphones and laptops, so you may already use it. 
  • Highly secure – this is a strong method of authentication. 
  • Hard to forge – your face or fingerprint is unique and extremely hard to replicate. 

Cons 

  • External data security – the companies that store your biometric data could be compromised. 
  • False positives and negatives can occur – the systems aren’t 100% accurate and can occasionally reject the right person or, very rarely, accept the wrong one. The risk of someone having a fingerprint similar enough to yours to be accepted is very low, for example. 

One-time password app 

Similar to the SMS option, you can generate OTPs in a purpose-built app. The most popular include Microsoft Authenticator, Google Authenticator, and those linked to password managers (e.g. Bitwarden or 1Password). 

After entering your username and password, you’ll be asked to enter the unique code shown in your authenticator app, which changes after a set amount of time (as often as every 30 seconds). 

Pros 

  • Dynamism – codes in authenticator apps refresh incredibly quickly, making them harder to abuse. 
  • Offline access – once installed, these apps will operate even without a Wi-Fi or data connection. 
  • Multiple devices – the same authenticator app can run across all your devices. 

Cons 

  • Compatibility – not everybody has a smartphone or wants to install a new app on their device. 
  • Risk of losing device – if you lose the electronic device on which your authenticator app runs, you may not be able to recover your account. 
  • Complex recovery – if you can recover your account, the process can be complicated. 

What can MFA help guard against? 

Individuals and businesses are equally at risk, and bad actors are indiscriminate in who they target. MFA helps protect us all, whereas single-factor authentication (using only a password) is an easy weakness to exploit. 

To highlight just how impactful implementing MFA can be, it’s worth looking at the various attacks that this extra layer of security can prevent. 

Phishing attacks 

Phishing is a kind of ‘social engineering’: an attempt to get information from you that you wouldn’t normally share, by means of trickery or deception. A phishing attack could take the form of an email from a fake address purporting to be from your bank, for example. 

In this case, using MFA means that, even if your password is compromised through a phishing attack, the attacker would hold only one of the two pieces of information needed to access your account. 

Brute force attacks 

In a brute force attack, an attacker attempts to guess a user's password by trying many different combinations. Attacks like this are most effective against accounts with common passwords, as they are easily guessed. 

MFA can prevent these attacks from working in the same way mentioned above. Even if an attacker guesses your password, they will get nowhere with it, as they don’t have the second factor needed to finish logging in. 

Lost or stolen devices 

If your device is stolen, having MFA enabled could severely limit the thief’s access to your information and accounts. Even if they managed to unlock your device, using MFA (and a variety of MFA options) on all your important apps would stop them in their tracks. 

For example, protecting both your phone and your authenticator app with biometric authentication, while using OTP authentication on your other apps, would be very difficult for a thief to break through. 

Account takeover attacks 

Account takeover attacks occur when attackers gain unauthorised access to a user's account. MFA is highly effective in stopping such attacks, as, even if an attacker somehow obtains your password, they won’t be able to get any further without your second factor. 

Setting up MFA for your emails 

Now that we’ve gone through the explanations and use cases, it’s time we explained how to set up MFA – starting with the most commonly used service of all: email. 

All manner of information can be found in your emails, so keeping them private and secure should be a priority. 

Setting up MFA for Outlook 

  1. Go to myaccount.microsoft.com and sign in with your Outlook/Microsoft account. 

  2. Select ‘Security info’ from the navigation menu to continue. 

  3. On this page, you can choose the type of MFA you’d like to use by clicking ‘Add sign-in method’ and picking from the dropdown menu. 

  4. Choose the MFA method that you’d like to use and follow the instructions on screen to complete the setup. 

Setting up MFA for Gmail 

  1. Go to google.com and either sign in or, if you are already signed in, click the profile icon in the top right-hand corner. 

  2. From here, select ‘Manage your Google Account’. 

  3. Select ‘Security’ in the navigation menu. 

  4. Click ‘2-Step Verification’. 

  5. Follow the instructions on screen to set up SMS (text message) MFA. Once this is done, you’ll also be able to add other MFA methods, such as an authenticator app. 

  6. To configure more advanced security features, including an authenticator app, return to the ‘Security’ tab and look for the text that reads ‘You can add more sign-in options.’ There are multiple options you can choose from to heighten your security. 

Using MFA at Allica Bank 

At Allica, we ask customers to set up multi-factor authentication when they create an account, so that there is an extra layer of security each time they log in. As well as asking users to register their email address and select a password, we also ask for a phone number as a secondary layer of security. 

When users then log in with their email address and password, they may well be sent a message to their phone with further instructions to verify their identity. This is MFA – multi-factor authentication. 

Taking security a step further, our mobile app uses biometric verification, such as facial recognition or fingerprint recognition, as a second layer of security on top of the PIN code that customers choose when first setting up their account. 

Furthermore, for any higher-risk activity such as adding a new payee in online banking, we will also ask users to confirm their identity within the Allica Bank app. This will look like a text message notification at the top of your screen. Simply tap it and accept to continue with the action. 

At Allica, we are committed to having the most robust and adaptable security measures to offer customers a safe and secure banking experience. 

Beyond this specific security measure, it’s well worth checking our dedicated customer security webpage. It features lots of helpful guidance about protecting your information and identity online, especially as it relates to your account(s) with Allica Bank. 

A final disclaimer 

While MFA will greatly improve your security, it's not foolproof and it’s not guaranteed. Advanced attackers may employ more sophisticated methods to bypass MFA and there are still ways that very determined criminals could access your accounts via social engineering. 

Despite that, MFA remains a highly effective defence against many common and less sophisticated cyberattacks. It’s much safer to use MFA to protect your data than a simple, single password. 

Disclaimer: None of the products or services mentioned in this article are to be taken as recommendations by Allica Bank. 
