Multi-Factor Authentication (MFA) – How genuine is that MFA request?

Chris McKinley

I’ll get onto that, but first…

Most of us are aware of Multi-Factor Authentication (MFA) by now and everyone should have it enabled across as many accounts and services as possible to keep our data secure and prevent fraud.

What is Multi-Factor Authentication?

As a refresher, here are the key points around Multi-Factor Authentication:

A ‘factor’ is something that can be used to prove who you are – such as a password.

Multi-factor implies that just using a password (i.e. one ‘factor’) is simply not secure enough and you need something else (i.e. another ‘factor’) such as a smartphone app, SMS confirmation, fingerprint or facial recognition in addition to your password, in order to access your data, accounts, apps or files.

What’s wrong with just using a password?

“8ditR!AKP$c53Nhw?N” is a pretty secure and super complex looking password, isn’t it? And it would be… but now that it’s on the internet, it is as useless as just using ‘password1’.

Hacking into accounts is not a case of brute force. Hackers will typically first try common passwords, such as password1 or qwerty. If you are guilty of reusing your super complex password across multiple sites and one of them suddenly experiences a data breach in which your password is leaked, then your super complex password becomes useless, as it will be added to the lists of known passwords that hackers try first.

Rest assured, I’m not going to get technical about rainbow tables and the like, but REUSING PASSWORDS IS BAD – even the complex ones. And don’t get me started on social engineering and the use of meaningful but memorable passwords, such as pets’ names, university names and relevant birth dates! Of the 10,000 possible bank PINs, how many of you reading this blog currently use a ‘significant’ number to access your bank account? A memorable date, or a geeky maths number like 3141?

Multi-Factor Authentication to the rescue

I may have just successfully guessed your PIN, but I still need your card to withdraw money from the cash machine – that’s a second factor. So, for now, your money is secure…

But this is the bit people don’t always talk about – MFA is only as good as the rest of your digital hygiene. MFA is also open to human error and social engineering. If you receive a phone call or a ping on your authenticator app, you need to be 100% sure that it was you who initiated it – otherwise you might as well leave your bank card next to the ATM for me to pick up, now that I know your PIN.

Are you confident that MFA request just sent to your mobile is genuine? You should only approve MFA requests that you are expecting. Never use a ‘shared’ authentication method, such as a shared laptop in the library or shared phone which multiple people could answer and approve.

Remember: Only approve MFA requests that you initiated (did I say that already?!)

As part of the digital hygiene of having a unique password for each service (using a secure browser such as Edge to remember them for you), you should also check your MFA settings to confirm that the devices, email addresses and contact numbers you are using are still up to date and correct.

You can check your MFA settings at https://aka.ms/setupmfa

I would ALWAYS recommend having more than one method – just in case you can’t access one of them. MFA is VERY good at stopping you getting in if you can’t complete the authentication!

At AspiraCloud, we recommend the use of MFA on all accounts and apps. MFA adds a layer of protection to the sign-in process to reduce the risk of fraud and unauthorised access. If that’s inconvenient for some users, we can help you with things like conditional access where rules can be configured that trust certain places and scenarios… but that’s a post for another day.

How to keep your data secure

  • Do not reuse passwords
  • Use MFA
  • Set up more than one MFA method (such as an authenticator app and a phone number)
  • Never share any kind of authentication.

If you want to talk more about account security, MFA and security best practices, just say hello at hello@aspiracloud.com.