Multi-Factor Authentication

Most of the time, using an online service – checking email, shopping, and using social media – requires users to log into an account with a password. As we covered in the Password-based Authentication article, passwords are “something known,” so they can be leaked. And security breaches happen often. Recently, LastPass had its second security breach in three months from the same group. You can see if any of your accounts were involved in a breach at Have I Been Pwned. Fortunately, there is a simple and effective step we can take to further secure our valuable accounts: multi-factor authentication.

Are passwords not enough?

Even if you use a long, random password, hackers have measures to steal or guess them anyway.

  1. Phishing attacks can trick someone into giving up their credentials. If you receive a “phishy” email, please protect yourself and others by using the Phish Alert Button.
  2. Hackers can purchase credentials from a data breach and log in using those credentials. If you discover that your account information may have been exposed in a breach, immediately change your password.
  3. If you use the same password in more than one account, a hacker may be able to reuse your stolen password for your other accounts. Never reuse the same password.
  4. If your password is simple or one of the most common passwords, then it can take a computer minutes or even seconds to guess your password.

The best first step in defending your account from hackers is to harden your password. If you see fit to change your WUSTL Key password, you can read the guide at How do I Change my WUSTL Key Password – Information Technology. After strengthening your password, the best way to protect an account is to use multi-factor authentication.

Authentication Factors

If you have been following our authentication series, then you may remember that authentication falls into three categories:

  • Something you know – like a password, Personal Identification Number (PIN), or the answer to a security question.
  • Something you have – tokens like a smart card, memory card, or even a one-time verification code.
  • Something you are – biometrics like your fingerprint, face, or retina.

An account with only one authentication factor is not nearly as secure as an account that uses a combination of factors. Calling back to an earlier example, an ATM at Chase Bank requires customers to provide their debit card and their personal identification number (PIN). This way, if a thief steals or duplicates someone’s bank card, they cannot withdraw money without the second factor: the account’s PIN.

Common Multi-factor Authentication Offerings

There are three popular authentication methods provided by websites and applications, and one of them is much less secure than the others.

One-time passcode via text message or email

Receiving a passcode by text message is simple and only requires a user to have a phone that can receive texts. Unfortunately, hackers can employ the SIM swap scam to get the verification codes sent to your number.

If you receive verification codes over email, then be sure to use a strong password and multi-factor authentication on this email account. Doing so will better protect you from someone stealing your one-time passcodes.

Phishing attackers may try to trick you into sending them your verification codes. No matter what, do not share your verification codes if you did not initiate contact.

Some accounts only offer one-time passcodes by text or email. It is better than no multi-factor authentication; however, it is much safer to instead use the following methods.

Authentication Application

Popular authentication apps are Google Authenticator, Microsoft Authenticator, and Duo – the app for WUSTL Key accounts. Authentication apps often generate a one-time verification passcode in a way that is not vulnerable to the SIM swap scam or email hacking. Alternatively, authentication apps may allow you to receive a push notification on a login attempt which you can accept or deny. We recommend that members of WashU enable push-based notifications by default in Duo for convenience and visibility.

Physical Security Keys

Physical keys, like the YubiKey, use encryption to confirm that a key is associated with your account. Some physical security keys plug into a USB port, and others use near-field communication with your device. Like any other physical token, physical security keys can be misplaced, more expensive, and potentially inconvenient to carry around. On the bright side, these devices are phishing-resistant.

Enabling Multi-factor Authentication

As time goes on, more websites and applications will offer multi-factor authentication, but it might not be turned on by default. Here are some guides on how to enable it for popular services:


ATM 101. ATM Basics | Helpful Tips | (n.d.). Retrieved December 5, 2022, from

Hebert, A., Hernandez, A., Perkins, R., & Puig, A. (2022, September 16). Use Two-factor authentication to protect your accounts. Consumer Advice. Retrieved December 5, 2022, from