Old McDonald Had a Password, M, F, M, F, A.

The fourth in an occasional series. If you’re new here I’d recommend starting with Part 1 and working through. It’s not that long, I promise.

In my preamble to Part 3 I posited that:

“Whatever we come up with the solution is likely to be a password plus [something else] because, realistically, passwords aren’t going away in the near future.”

“Something else”? What’s that then?

Say you’re a member of a secret society. You knock on the door, they ask “what’s the password?” you reply “Ken sent me” and you’re in. That’s clearly poor gatekeeping because it would be trivial for someone else to have told you the code, or even for you to just eavesdrop on someone else gaining entry. But, what if the guard on the door is expected to recognise you? Or you need to be wearing an exclusive sigil ring issued by the society? Enter MFA.

MFA stands for “multi-factor authentication,” which is a nerdy way of saying “more than one thing.” It goes by different names, you may see “2FA” or various other initialisms but they all broadly mean the same thing: a password plus some other check.

There are many forms this can take, and it’s wholly dependent on whatever website or system you’re trying to access as to what they will support. We can categorise these forms broadly as “something you know; something you have; something you are.” Something you know is – do keep up, 007 – perhaps a password; something you have, maybe your phone; something you are, essentially biometrics.

MFA consists of checks from at least two different categories. Typically these checks may include an SMS to your phone, a notification on an app, a single-use link sent to your email account, facial recognition or a fingerprint, and more. All of these have pros and cons (which is a topic for another article) but everything I have written to date in this little series leads us to this one sentence:


Seriously, it’s impossible to overstate the significance of this. Microsoft estimates that 80% of modern-day hacks start with a password breach (personally I’m surprised it’s that low). They also claim that MFA would have “reduced the risk of compromise by 99.9%.” Just pause for a moment and read that again. That is a colossal figure: a thousand-fold reduction.

If you’ve set up your PC using a Microsoft account then your Windows login might be a PIN number,* which counterintuitively may seem less secure than a long password. But this is MFA in action and you probably didn’t even notice – you’re supplying a PIN and the ID of the device you’re logging into, that PIN won’t work anywhere else. A hacker wanting to break into your account using that PIN would first need your laptop in their possession.
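To make the “PIN that won’t work anywhere else” idea concrete, here is an added Python model of a device-bound PIN. It is not code from this post and it is a deliberate simplification of Windows Hello, which keeps an asymmetric key inside the TPM and never shares it; in this model the device key is a symmetric HMAC secret registered with the server, and the PIN only unwraps that key locally. Every key, salt, PIN and device ID below is a constructed sample value, and the PBKDF2 round count is an illustrative choice.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # illustrative stretching cost, not a recommendation


# --- Device side: the PIN never leaves the machine -------------------------

def derive_pin_key(pin: str, salt: bytes, length: int) -> bytes:
    """Stretch a short PIN into a wrapping key (something you know)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=length)


def wrap_device_key(device_key: bytes, pin: str, salt: bytes) -> bytes:
    """XOR the device key with the PIN-derived key; the result is what sits on disk."""
    kek = derive_pin_key(pin, salt, len(device_key))
    return bytes(a ^ b for a, b in zip(device_key, kek))


# XOR is its own inverse: a wrong PIN silently yields garbage rather than an error.
unwrap_device_key = wrap_device_key


def device_respond(wrapped_key: bytes, salt: bytes, pin: str, challenge: bytes) -> bytes:
    """Prove possession of the device key by answering a fresh server challenge."""
    key = unwrap_device_key(wrapped_key, pin, salt)
    return hmac.new(key, challenge, "sha256").digest()


# --- Server side: knows which key belongs to which enrolled device --------

class Server:
    def __init__(self) -> None:
        self.devices: dict[str, bytes] = {}  # device_id -> device_key (something you have)

    def enroll(self, device_id: str, device_key: bytes) -> None:
        self.devices[device_id] = device_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh nonce, so replaying an old answer fails

    def verify(self, device_id: str, challenge: bytes, response: bytes) -> bool:
        key = self.devices.get(device_id)
        if key is None:
            return False  # unknown device: nothing to check against
        expected = hmac.new(key, challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict:
    """Exercise the three cases the text describes. All values are constructed samples."""
    device_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    salt = b"constructed-salt"
    pin = "4812"
    device_id = "laptop-1234"

    server = Server()
    server.enroll(device_id, device_key)
    wrapped = wrap_device_key(device_key, pin, salt)  # stored on the laptop

    results = {}

    # 1. Owner types the right PIN on the enrolled laptop.
    c = server.challenge()
    results["right_pin_on_enrolled_device"] = server.verify(
        device_id, c, device_respond(wrapped, salt, pin, c))

    # 2. Someone at the laptop guesses a wrong PIN: the unwrapped key is garbage.
    c = server.challenge()
    results["wrong_pin_on_enrolled_device"] = server.verify(
        device_id, c, device_respond(wrapped, salt, "0000", c))

    # 3. Someone knows the PIN but does not have the laptop: the best they can do
    #    is derive a key from the PIN alone, which is not the device key.
    c = server.challenge()
    pin_only_key = derive_pin_key(pin, salt, len(device_key))
    results["right_pin_without_device"] = server.verify(
        device_id, c, hmac.new(pin_only_key, c, "sha256").digest())

    return results


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'}")
```

Only the first scenario is accepted. The PIN on its own never reaches the server, and the server never learns it; what it checks is the device key, which the PIN merely unlocks. That is why a leaked PIN is far less valuable than a leaked password: it has to be combined with the physical device it was enrolled on.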

Wait. Hold the front page.

We have a PIN (something you know) tied to a physical device (something you have) and MS Hello face recognition (something you are). So remind me again…

…why do we still need passwords at all?

Hang tight for Part 5 where we dive into why all MFA offerings are not equal.

(* – yes yes, RAS Syndrome, I know. Quiet at the back. I know your mum.)
