
What is multi-factor authentication and why do you need it?

By Spencer Callaghan
Director, Brand & Communications


So much of our lives are online and what we store there is so valuable, including accounts related to our finances, health and employment. Strong, unique passwords are essential for protecting this important information. But we recommend you go even further with multi-factor authentication.

Like using a deadbolt, doorbell camera and motion sensors to protect your home, rather than just one lock, multi-factor authentication adds extra security beyond the standard username and password.

How multi-factor authentication works

You know when your bank texts a code to your smartphone so you can log in to your account? That’s multi-factor authentication. Multi-factor means you need more than one form of verification to confirm your identity.

These factors are usually something:

  • You know (a password or PIN)
  • You have (a token, email or SMS text code)
  • You are (a fingerprint or face scan)

Sometimes called two-factor, 2FA or MFA, multi-factor authentication isn’t really new to you. When you use your bank card to withdraw money from an ATM or buy groceries, you are using something you have (a bank card) and something you know (your PIN). You need both these factors to access your bank account.

Benefits of multi-factor authentication

While a password can be used anywhere, factors like a fingerprint are something only you have. So, even if a cyber-criminal gets your password, they still don’t have everything they need to get into your account. Just adding that extra step to the login process, especially using something that is not generally reproducible, makes your accounts and devices that much more secure.

Types of multi-factor authentication

While any extra protection is a good idea, some forms of multi-factor authentication are more secure than others. We have listed them below from least to most secure.

Text message or email

Two-step verification using a text message is the most common form of multi-factor authentication, but it is not very secure. These messages are often visible on your phone’s lock screen. There has also been a rise in hackers attacking phones, phone numbers or messaging centres within mobile networks, enabling access to a phone’s apps, messages and more. Email is even less secure. With this method, you could be vulnerable to a phishing attack if your account has already been compromised. Phishing is where a criminal tricks you into giving personal information by sending you an email that looks legitimate.

Authenticator apps

A more secure form of authentication is token-based, which creates a single-use login code. Popular apps include Authy, Google Authenticator and Microsoft Authenticator, which generate a one-time code every 30 seconds. Some password managers, like 1Password, also offer the service. These are more secure, as it is less likely for a hacker to get onto your device and generate a code than to access your online accounts.

Physical tokens

Hardware tokens are physical devices that look like a USB or keychain. You plug one into your computer to generate a one-time passcode. This is a more secure choice, as the passcode is not sent over the internet.


Biometrics

Biometrics are biological measurements or physical characteristics, such as a fingerprint, speech patterns or facial structure, which can be used to identify an individual. While using biometrics may seem like something Tom Cruise would do in one of the 17 Mission Impossible movies, their use is becoming more common. Some banks use voice recognition to verify your identity when you call them, analyzing aspects like your accent and rhythm. When you use your thumbprint to open your smartphone, that is biometrics too. It is very difficult for hackers to interfere with biometric forms of authentication.

Take our free course: Cybersecurity for remote workers

We’re offering a free online course that covers cybersecurity basics while working remotely.

You may also be interested in learning more about CIRA Cybersecurity Services that are helping protect Canadians against cyber threats, including Canadian Shield and a training program and platform for businesses and organizations.

About the author
Spencer Callaghan

Spencer Callaghan is the senior manager, brand & communications at CIRA. He is a writer, former journalist, and has experience in technology, non-profit, and agency environments throughout his career. His areas of expertise include content marketing, social media, branding, and public relations.