Multi-factor authentication (MFA) is a security measure for a login or transaction that requires multiple types of authentication to verify a user’s identity. The College recommends that you enable MFA whenever possible.
There are three main types of authentication.
- Something you know – This category of authentication includes items that you memorize or remember. This includes most of what you typically think of for authentication, like your password / passphrase or a personal identification number (PIN) that you use at the ATM; however, this also includes your username.
- Something you have – This category encompasses something separate that you possess. It could be software based, like an authenticator app you install on your phone, or a separate hardware authentication device you carry with you, like a YubiKey or smart card.
- Something you are – This category includes something related to you, and only you, as a person. It could be your fingerprint or facial recognition.
Not all multi-factor authentication options are created equal
Generally, any form of MFA will be much more secure than not using MFA at all. With that said, certain forms of MFA have been proven to be more secure than others.
- Email-based MFA adds a layer of security by sending a verification code or a link to the user’s email account, which they must click or enter to proceed with the login process. However, this method’s effectiveness is closely tied to the email account’s security. Vulnerabilities such as email account breaches and phishing attacks significantly compromise its reliability. If an attacker gains access to the email account, they can easily bypass this MFA layer.
- SMS-based (text message) MFA sends a verification code to the user’s mobile phone, which they then enter to access their account. While more convenient than email verification, it is susceptible to risks like SIM swapping, which expose users to potential unauthorized access.
- Call-based MFA works by making an automated voice call to the user’s phone number to provide a verification code. Like SMS, this method is vulnerable to interception and social engineering attacks like MFA fatigue, where an attacker repeatedly sends MFA requests to the victim’s phone.
- Authenticator apps, like Microsoft Authenticator, either push a login confirmation to the app for the user to acknowledge or generate time-based, one-time-use codes on the user’s device. These codes refresh every 30 seconds, providing a more secure alternative to email, SMS or call-based MFA.
- Hardware authentication devices, such as a smart card or a device like those offered by Yubico, represent the strongest form of MFA. These devices facilitate secure direct authentication by requiring the user to physically insert the key into a computer, tap it with NFC, or connect it to a mobile device. They are designed to be immune to phishing, as the key must be physically present to gain access, and they support advanced security protocols.
Have Questions? Contact the SPC Technical Support Center at support@spcollege.edu or call 727-791-2795 (Mon.- Sun. 7:00 a.m. - 12:00 a.m. Eastern). Chat: Live Chat with Support