2FA vs MFA: What’s the difference?

Introduction

2FA (two-factor authentication) and MFA (multi-factor authentication) refer to additional security steps that you and your business can use to prevent hacking, phishing, data breaches and ransomware attacks. But what’s the difference between 2FA and MFA? When do you need to use them? And what’s the best implementation to protect your personal and business accounts?

What is 2FA?

2FA refers to two-factor authentication. “Two factors” means two pieces of evidence (or two steps) that users must provide to gain access to a website or application.

For example entering a password is one piece of evidence (or one step). Additional steps can take many forms including entering a one-time security token (either from an authenticator app or sent to a user via SMS) or providing a physical usb key that holds security tokens.

Most often the second step after entering a password requires users to receive a text with a unique one-time token or alternatively users are required to use an authenticator app to generate the token.

What are factors of authentication?

Taking a broader conceptual view of MFA there are 4 types of authentication.

  • Knowledge: Something only the user knows. E.g. a password or answer to a secret question (E.g. your mother’s maiden name).

  • Possession: Something only the user has. E.g. a security token on a physical device, or a software token such as one generated by Google Authenticator.

  • Inherent: Something that only the user is. E.g. biometrics such as fingerprinting or voice recognition.

  • Location: Verified location is increasingly being used. For example if a user is on a secured network then this can count as a form of authentication.

For most non-security professionals researching 2FA or MFA, the first two factors will be what they are looking to implement. Authenticating by possession of a one-time security token is most common form of 2FA which is implemented either by using a web-based 2FA app such as a third party app (Google Authenticator, Authy) via an SMS service, or by using a physical USB key such as a Yubikey.

What’s the difference between 2FA vs MFA?

2FA (two-factor authentication) refers to the use of two steps, while MFA (multi-factor authentication) refers to using two or more steps. Adding further steps of authentication can provide a greater degree of security in some cases.

For example, logging into online banking often requires three factors of authentication, making this an example of multi-factor authentication:

  • 1st factor: Entering a password,

  • 2nd factor: Answering a security question,

  • 3rd factor: Using your banking app to generate a single-use security token.

On the other hand, logging into a Google account typically requires two steps: Entering a password, followed by authenticating via a Google service using a separate device. This is an example of 2FA.

Adding more layers of security will often lead to greater protection, but there is a balance to be struck between security and convenience. That being said, having at least one additional factor of authentication is considered best practice in many cases where there may be a risk to your personal data or your business.

What are security risks with 2FA and MFA?

Multiple factors of authentication are widely considered to be far more secure than just using a password. This is because it is more difficult for hackers to obtain both pieces of information needed to access your account.

But there are still vulnerabilities present when using 2FA.

For example, SMS tokens can be intercepted by hackers. This recently happened when Coinbase users 2FA tokens were intercepted and 6000 accounts were hacked. The likely cause was a weakness in cellphone technology which allowed spoofing and redirecting of the SMS messages.

Another vulnerability when relying on a smartphone authenticator is that the device can be stolen, requiring you to remotely disable access to the tokens.

If you are using 2FA across a team or organisation then it can be difficult to manage MFA tokens and ensure that they are not being shared or that employees are not retaining access after they leave a company.

When do I need to use 2FA or MFA?

The following personal and business applications are typically secured with at least 2FA to avoid theft, data breaches, blackmail and phishing attacks:

Banking and finance: Typically finance apps require 2FA and have dedicated authentication services, however some still rely on SMS based authentication.

Crypto wallets: Crypto wallets and services are increasingly being targeted by hackers due to lower standards of security. Using an authenticator-app-based 2FA is recommended.

Shared workspaces (e.g. Google Workspace): Business cloud and document drives typically force users to use 2FA but in some cases it can be turned off for convenience. In many cases this leaves your business wide open to hugely costly data breaches.

Email accounts: Again, many enterprise solutions will require 2FA. Google Workspace and Gmail recently changed their policy to require 2FA for example. However many email solutions may not require it, in which case it is recommended you enable 2FA for both personal and your business email client.

CRM software: Customer Relations Management software is filled with your customers’ personal data. Without 2FA your employees accounts could be susceptible to hacking leading to a GDPR breach or worse.

Social media accounts: Facebook recently started forcing certain accounts to use 2FA login. This is a recognition that passwords alone are not safe for users, and adding an extra step of security is preferable to the convenience of single step sign in.

SAAS: Many businesses are now using a wide range of specialist SAAS (software as a service) solutions. This increases possible security breaches, especially when businesses do not require 2FA across these services.

Can multiple users share 2FA tokens?

Yes, it is possible for multiple users to share 2FA tokens across a team. For example if a team uses a shared account with a single log in, it would be better to have a shared 2FA token than to disable 2FA completely.

Daito’s web-based 2FA service allows teams to safely share and manage 2FA tokens like this across a team.