How Not to Click “forgot password” Anymore, Once and for All — Advanced

Why and how to use Multi-Factor Authentication (MFA)

By Z3n Ch4n, published 3 years ago, 7 min read

This article continues my previous one, in which I described how to create passwords that are easy to remember yet resistant to guessing. If you followed Zen’s password rules, the steps in this article will further strengthen your account security.

The weakness of Password Authentication

Using a strong password for authentication is a useful measure to safeguard your account. But a password alone is not enough, because it has two disadvantages:

  • Security depends entirely on the password staying confidential (the previous article covers this).
  • It does not provide a strong identity check, since it relies on the password alone.

Before getting into other measures, it helps to review which methods are available for identification and authentication.

What is MFA?

According to the (ISC)² CBK (Common Body of Knowledge), authentication is the process in which a user presents a credential to the system to prove their identity. An authentication factor can be one of the following types:

  • Something you ARE
  • Something you HAVE
  • Something you KNOW

Using a password is an example of Something you KNOW, and relying on it alone is single-factor authentication. Multi-factor authentication (MFA), on the other hand, uses more than one factor to prove identity. A common mistake is to think that a double password is a form of MFA; it is not! Using one factor twice is not the same as authenticating with two factors. MFA means using more than one distinct factor, not the same factor multiple times.

MFA has proven much harder to compromise than single-factor authentication. The most common example is the ATM: a cash withdrawal requires both the ATM card (Something you HAVE) and your PIN (Something you KNOW). If someone steals your wallet and obtains your ATM card, they still need your PIN to withdraw money from your account.

Using MFA is sometimes easier than you think. It does not necessarily mean adding one more factor on top of the password. The current trend in enterprises is to get rid of the password altogether, in what is called “passwordless authentication.” Although this involves redesigning the infrastructure, the benefits outweigh the cost.

How to use MFA?

There are several ways to implement MFA; I will illustrate the most typical types below. The easiest way is to complement the password (Something you KNOW) with one of the other two factors.

1# Proof of Ownership

The most widely adopted design is proving ownership of a personal item (Something you HAVE).

Hardware Token


A hardware security key for second-factor or multi-factor authentication is a dongle that the user links to an account and then presents at future logins. Various types of hardware dongles are available on the market: USB, USB-C, or wireless types such as Bluetooth or NFC.

Users must pre-activate the dongle, i.e., match it to their credentials, before use. Some platforms pre-activate a device for users to simplify the process. Market-ready dongles ordinarily require users to complete this in 2–3 steps. The dongle has a button that you press while logging in to prove you physically possess it.

SMS/ Mobile device code

Many online services offer to send a code directly to your device via an app, or via SMS if a phone number is provided. This shows that the subject is in possession of the device that received the code at login time. Online payment services often use this as step-up authentication while you are making a purchase.

Time-based Response Challenge Code

Another typical form of proof of ownership is a token. A login token, whether hardware or software, contains a seed for code generation. To use token authentication, you first need to obtain a token from the system you will authenticate to. This is often done in person, or by proving your identity once through other means, such as SMS.

Most compliance regimes require banking systems to implement this kind of measure: you prove you have the token (Something you HAVE) by typing in the code it displays. In short, the token combines the seed with the current time to generate distinctive codes, which is why each code changes and becomes invalid after a short while.

2# Biometrics


Biometric authentication proves your identity by human characteristics (Something you ARE). It became popular after mobile devices started shipping with fingerprint scanners.

Besides fingerprint scanners, facial recognition has become common now that camera technology can detect more facial features and capture 3D images. With a supported camera, you can unlock devices and authorize payments just by looking at the mobile device.

This is highly recommended, as biometric traits are unique and cannot be forged easily. Biometric authentication is a more direct way to prove your identity, since you are who you are. It also greatly reduces the risk of a man-in-the-middle attack compared to using Something you HAVE or KNOW.

Where can you use MFA?

You may already be using MFA without realizing it. If your e-banking account requires an SMS code, or if logging in to your Google account sends a push notification to your mobile device where you tap “yes”, those are examples of MFA.

Using MFA normally requires the platform's support, but nowadays most systems allow you to activate it. The sections below introduce the commonly used types of systems.

1# Operating Systems

Windows

https://www.microsoft.com/en/security/business/identity/mfa

Microsoft supports MFA in Windows 10, so if you use a laptop with a fingerprint scanner or a Windows Hello-compatible camera, you can log in to your account with or without typing your password. There are multiple ways to activate it.

Mac OSX and iOS

https://support.apple.com/en-hk/guide/mac-help/mchl8bd4e9c2/mac

Apple provides a step-by-step guide at the link above, so I will not repeat it. In summary, MFA protects your Apple ID, works in both online and offline mode, and also protects App Store purchases.

2# Social Media

Google

I did not put Android in the OS section because Google applies MFA to your Google account as a whole, not to OS authentication. Google provides multiple services, including the commonly used Gmail, Google Drive, and Google Photos, so it is good practice to strengthen the security of your Google account.

https://support.google.com/accounts/answer/185839?co=GENIE.Platform%3DDesktop&hl=en

Facebook

https://www.facebook.com/help/148233965247823

Facebook and Instagram also support MFA. It is easy to enable with a mobile device and an authenticator app.

Twitter

https://help.twitter.com/en/managing-your-account/two-factor-authentication

Twitter is another commonly used, and the most frequently hacked, social media platform. Its basic setup supports what I described under factor 1# (Something you HAVE).

3# Online Applications

Other popular online services are worth mentioning, especially those that include payment functions and store credit card information.

Amazon

https://www.amazon.com/gp/help/customer/display.html?nodeId=202073820

The basic setup supports what I described under factor 1# (Something you HAVE). You can also choose to approve a login by tapping “yes” in a pop-up from the Amazon app on your mobile device to simplify the process.

Paypal

https://www.paypal.com/us/smarthelp/article/how-do-i-enable-2fa-%28two-factor-authentication%29-for-my-paypal-powered-by-braintree-user-faq3500

One key point to mention about 2-step authentication on PayPal is that it is powered by a third-party company, Braintree, which PayPal acquired in 2013.

Dropbox

https://help.dropbox.com/teams-admins/team-member/enable-two-step-verification

In order for two-step verification to work correctly, you’ll need a mobile device capable of receiving text messages or running a compatible mobile authenticator app.

Here are some TOTP apps that we suggest using:

  • Google Authenticator
  • Authy
  • Duo Mobile
  • Authenticator

Zen’s Last Two Pieces of Advice

One thing that needs mentioning is the double-edged nature of biometrics. As mentioned, it is not easy to forge the digital representation of a fingerprint or retina, so it is a comprehensive identification method.

But what if your biometric credentials are stolen, e.g., the online database of fingerprints is breached? Because you cannot change your human characteristics, it becomes unsafe to use them for further authentication once they are stolen. Be aware of where the credential is stored. I actively inform my customers about the good and bad of using biometrics.

  1. As a general rule, biometrics are a great measure to use locally, on a device you own, but not online, e.g., for logging in to the OS but not for online payments.
  2. Also, it is always a good habit to enable login notifications for all your accounts. That way you will know if someone is trying to use your account, or has already pwned it.

Takeaways

What is MFA?

It stands for multi-factor authentication, which involves more than one of the factors below:

  • Something you ARE
  • Something you HAVE
  • Something you KNOW

How to use MFA?

Add one more method in conjunction with the username and password:

  1. Proof of Ownership (Hardware Token, SMS/ Mobile device code, Time-based Response Challenge Code)
  2. Biometrics (Fingerprint, Facial Recognition)

Where can you use MFA?

  1. Operating Systems (Windows, Mac OSX, and iOS)
  2. Social Media (Google, Facebook, Twitter)
  3. Online Applications (Amazon, Paypal, Dropbox)

Thank you for reading. Happy reading and happy MFA.

If you think this article is useful, please share it with your friends.


About the Creator

Z3n Ch4n

Interested in Infosec & Biohacking. Security Consultant. Love reading and running.

hackernoon.com/u/z3nch4n
