Multifactor authentication (MFA) adds another layer of protection—think of it like securing your front door with both a deadbolt and a keypad lock. MFA is a simple, effective way to keep hackers out, even if they manage to get your password.

What is multi-factor authentication?
Multifactor authentication, often called MFA, is a security feature that requires you to verify your identity in multiple ways before accessing an account. You might also hear it called two-factor authentication (2FA) or two-step verification.
Here’s how it works:
When logging in, you provide your username and password as usual, but then you add another step to prove it’s really you. This second step could be a fingerprint, a code sent to your phone, or even a notification from an app.
Why bother?
Because passwords alone can be stolen or guessed, especially if they are short, use common words, and are reused. As a reminder: each password should be unique, at least 16 characters long, and a random string of characters. MFA makes it exponentially harder for cybercriminals to break into your accounts. Even if they know your password, they’ll hit a wall.
MFA increases the security of an account by 99%
According to guidance from the Cybersecurity and Infrastructure Security Agency (CISA), backed up by research from Microsoft, enabling MFA can prevent 99% of automated hacking attacks.
The math makes sense. If you require both a password and another factor like FaceID to increase your protection, the account's security basically doubles!
It's important to remember that these statistics refer to automated attacks. You still need to be on the lookout for social engineering hacks, like phishing, where cybercriminals try to trick you into giving them your password or MFA code.

How does MFA work?
Enabling MFA means tweaking your login process just a bit:
- Enter your username and password.
- If correct, you verify your identity in a second way.
Depending on the account or service, this second step might involve:
- A text, email, or phone call with a one-time code.
- A prompt in an authentication app like Google Authenticator, Authy, or Duo.
- A biometric scan (e.g., fingerprint or facial recognition).
- Security questions.
- A physical security key.
Most MFA systems are quick and seamless, adding between five and 30 seconds to your login time while almost doubling your security.
While any form of MFA is better than no MFA, authenticator apps, biometrics, or physical security devices are generally recognized as the most secure second factors. Text message codes and security questions are more vulnerable to hacking but are still better than no MFA.
Can MFA be hacked?
While MFA is highly effective, it’s not invincible. Some cybercriminals use social engineering to trick users into granting access. For example, they might flood you with MFA requests, hoping you’ll approve one out of frustration or confusion.
If you receive an MFA request and you aren’t trying to log in, don’t approve it. Instead:
- Contact the account's platform immediately.
- Change your password for the account.
- Update any other accounts that use the same password – this is why every password should be unique to the account.
Also, never provide a one-time passcode that you receive by phone, email, or text to anyone else. As a reminder, MAX will never contact you and ask you to share a code or other sensitive information.
Despite rare instances of bypasses, MFA remains one of the strongest defenses against unauthorized access.
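
The flood of MFA requests described above also leaves a trace on the service side, where it can be detected. The following is an added example, not part of the original article: a Python detector run over constructed log lines that flags users who receive many push prompts in a short window and marks the case where one was finally approved. The log format, the event names (push_sent, push_denied, push_approved), and the threshold of five prompts in ten minutes are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs.
# Assumed format: "<ISO time> <user> <event>" with hypothetical event names.
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice push_sent
2024-05-01T09:00:20 alice push_approved
2024-05-01T02:10:00 bob push_sent
2024-05-01T02:10:40 bob push_denied
2024-05-01T02:11:10 bob push_sent
2024-05-01T02:12:00 bob push_sent
2024-05-01T02:12:30 bob push_sent
2024-05-01T02:13:15 bob push_sent
2024-05-01T02:13:40 bob push_approved
2024-05-01T14:00:00 carol push_sent
2024-05-01T15:30:00 carol push_sent
"""

def detect_push_floods(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who got `threshold` or more pushes within `window`."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    events.sort()  # logs may arrive out of order

    recent = defaultdict(deque)  # user -> times of pushes since the last approval
    alerts = {}                  # user -> alert record
    for ts, user, event in events:
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:
            pushes.popleft()     # forget pushes that fell out of the window
        if event == "push_sent":
            pushes.append(ts)
            if len(pushes) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "first_seen": ts,
                    "pushes": 0, "approved_after_flood": False})
                alert["pushes"] = max(alert["pushes"], len(pushes))
        elif event == "push_approved":
            if len(pushes) >= threshold and user in alerts:
                alerts[user]["approved_after_flood"] = True  # user may have given in
            pushes.clear()       # a denial does not reset the count, an approval does
    return list(alerts.values())
```

On the sample data only bob is flagged, and the approval that follows his fifth prompt is the event that should trigger a session review and password reset.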