
More websites — especially financial institutions and health-care providers — no longer let you log in with just a password. In addition, they require you to respond with a short-lived verification code they send to your phone or email. This double lock on your digital life might feel like a chore, but it is your best defense against modern fraud.
History: From key fobs to smartphones
Multifactor authentication (MFA) is older than the internet. It relies on two distinct layers of security: Something you know (your password) and something you have (your phone or other physical device).
- 1980s: The technology began in high-security government and bank offices, which used small key fobs with a tiny screen displaying a code that changed every 60 seconds.
- 2000s: As the internet moved into our homes, banks realized it was easier to send those codes to devices you already owned — like your cell phone or email inbox — rather than expensive plastic fobs.
- Today: Most of us use our smartphones to receive the codes via text or specialized authenticator apps.
Why the change?
Quite simply, passwords are no longer enough.
Hackers have become too skilled at stealing passwords or using computers to “guess” them. If a thief steals your password, they have the key to your digital house. If you use MFA, however, the thief gets stuck at the front door because they don’t have the second key — the code texted or emailed to you.
2 rules for staying safe
- Never share your code. No legitimate bank or tech support agent will ever call you and ask for your MFA code over the phone. If someone asks for it, hang up. It is a scam.
- Only use codes you requested. Enter a code into a website only if you are currently trying to log in. If a code randomly pops up on your phone while you are eating dinner or watching TV, someone else may be trying to access your account.
The “Remember this device” option
Many websites offer a check box that says, “Remember this device.” If you check the box on your home computer, the site won’t ask for a code again for a few weeks or months.
Saving the extra step may be convenient, but use it sparingly. It’s like leaving your front door unlocked because you plan on coming back in 5 minutes: It saves time, but it compromises your security.
Like locking your door, multifactor authentication is a small inconvenience compared with getting robbed.
Jason Scuglik is information systems administrator at Landaas & Company, LLC.
(Heads Up is an occasional alert on consumer and investment scams.)