MFA Explained Like You're 5
Multi-factor authentication (MFA) is one of the most effective security measures you can implement, and one of the most misunderstood. Let's fix that.
The Simple Explanation
Imagine your house has a door with a lock. That's your password.
Now imagine you also need to show your face to a camera, AND have a special key fob. Even if someone copies your key, they can't get in without also having your face and the fob.
That's MFA: requiring multiple "factors" to prove you're really you.
The Three Types of Factors
Something You Know
- Password
- PIN
- Security questions
Something You Have
- Phone (for text codes or app codes)
- Hardware token (like a YubiKey)
- Smart card
Something You Are
- Fingerprint
- Face recognition
- Voice recognition
MFA = Using at least two different types.
Why Passwords Alone Aren't Enough
Passwords fail because:
- People reuse them: one breach exposes multiple accounts
- They get phished: fake login pages steal credentials
- They're guessable: "Password123!" isn't clever
- They're stolen: keyloggers, shoulder surfing, data breaches
Even a perfect password can be compromised. MFA provides a backup.
How MFA Stops Attackers
Scenario without MFA:
- Attacker gets your email password from a data breach
- Attacker logs into your email
- Attacker resets passwords to other accounts
- Game over
Scenario with MFA:
- Attacker gets your email password from a data breach
- Attacker tries to log into your email
- System asks for code from your phone
- Attacker doesn't have your phone
- Attack blocked
Types of MFA (From Weakest to Strongest)
SMS Text Codes
- Better than nothing
- Can be intercepted (SIM swapping)
- Still stops most attacks
Authenticator Apps
- Google Authenticator, Microsoft Authenticator, Authy
- Generates codes that change every 30 seconds
- Much more secure than SMS
Push Notifications
- "Is this you trying to log in?"
- Convenient and secure
- Watch out for approval fatigue
Hardware Keys
- Physical device you plug in or tap
- YubiKey, Google Titan Key
- Most secure option available
Where You MUST Enable MFA
At minimum, enable MFA on:
- Email: the master key to your digital life
- Banking: obvious reasons
- Cloud storage: Google Drive, Dropbox, OneDrive
- Business applications: CRM, accounting, HR systems
- Social media: business accounts especially
Common Objections (And Why They're Wrong)
"It's too inconvenient"
Modern MFA is fast. Tap your phone, you're in. The inconvenience of a breach is far worse.
"My employees will complain"
Train them once, they'll adjust. Most people use MFA for personal banking without issue.
"We're too small to need it"
Small businesses are targeted specifically because they skip basic protections like MFA.
"It's too expensive"
Authenticator apps are free. SMS codes are included with most services. Hardware keys start at $25.
Getting Started Today
Personal Accounts
- Go to your email security settings
- Find "Two-factor authentication" or "Two-step verification"
- Follow the setup wizard
- Repeat for other important accounts
Business Rollout
- Start with admin accounts
- Roll out to all employees
- Require MFA for remote access
- Consider hardware keys for high-value targets
The Bottom Line
MFA is like a seatbelt. Yes, it takes an extra second. But when you need it, you'll be incredibly glad it's there.
Enable it everywhere. Today.
Need help rolling out MFA across your organization? Contact us: m1k3@msquarellc.net