As we start 2025, one cyber-security resolution we suggest for you and your family is to enable Multi-Factor Authentication (MFA) on all your important accounts. MFA adds a second check at login, so an attacker who has only your password still cannot get in.

Unfortunately, not every service offers MFA, but the most important places to enable this extra security are the following kinds of accounts:

Where to implement MFA:

  • Banks and other financial organizations
  • Email accounts
  • Healthcare portals
  • Online stores
  • Social media sites

The three primary methods of MFA:

  • SMS text messages to a cell phone (least secure)
  • Authenticator Apps
  • USB Security Keys (most secure)

SMS codes can be stolen through SIM swapping (an attacker talks your carrier into moving your phone number to their phone) and through phishing pages that ask for the code, so while SMS is still a real improvement over a password alone, use one of the other two options whenever the service offers them.

Authenticator Apps are security apps you can install on your phone or tablet. The two most common apps are Google Authenticator and Microsoft Authenticator.

You typically enroll by going to a website’s security settings and scanning a unique QR code that the site generates. That QR code contains a secret shared between the site and your app, so treat it like a password: anyone who scans or photographs it can generate your codes. The app can hold secrets for many sites, but you have to enroll with each account separately. From then on, the app combines the secret with the current time to produce a one-time code, and because the site holds the same secret it can compute the same code and compare it with the one you type. Each code is valid for about 30 seconds, so, as shown in the screenshot below, there is a pie chart or counter next to the code that shows roughly how much time you have left to use it. (If only a sliver is left, wait for the next code before typing it in.)
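As an added example (not code from the original article or from either app), here is what happens between the QR code and the six digits on the screen, in Python. It parses a constructed otpauth:// URI of the kind a site embeds in its enrollment QR code, generates the code the way the app does (RFC 6238 TOTP over HMAC-SHA1), reports the seconds left in the current window, and shows the server-side check that accepts a code from the neighbouring 30-second windows but refuses one that has already been used. The secret is the published RFC 6238 test seed, and the ExampleBank and alice@example.com names are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI, the text behind a site's QR code. The secret is the
# RFC 6238 test seed ("12345678901234567890" in Base32); the account is fictional.
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleBank:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Pull the shared secret and code parameters out of an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = parse_qs(parts.query)
    secret_b32 = params["secret"][0].upper()
    # Some sites omit Base32 padding; restore it so b32decode accepts the value.
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(padded),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def totp_code(secret, unix_time, period=30, digits=6):
    """RFC 6238: HMAC-SHA1 over the current time step, then dynamic truncation."""
    counter = int(unix_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def seconds_remaining(unix_time, period=30):
    """What the app's countdown pie represents: time until the code rolls over."""
    return period - (int(unix_time) % period)


def verify_code(secret, submitted, unix_time, last_used_step=None,
                period=30, digits=6, window=1):
    """Server-side check. Accepts the current step or one step either side to
    tolerate clock drift, but never a step at or before the last accepted one,
    so a code captured by a phishing page cannot be replayed later.
    Returns (accepted, step_to_record)."""
    current = int(unix_time) // period
    for step in range(current - window, current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        expected = totp_code(secret, step * period, period, digits)
        if hmac.compare_digest(expected, submitted):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    enrollment = parse_otpauth_uri(EXAMPLE_OTPAUTH_URI)
    now = time.time()
    print(enrollment["label"], totp_code(enrollment["secret"], now),
          f"({seconds_remaining(now)}s left)")
```

The verify step is the part a site gets wrong most often: a one-step window is normal, but the server must also remember the last step it accepted for that account, otherwise a code stolen seconds ago is still good.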

Google Authenticator can back up its enrolled accounts to your Google account online, so if you break or lose your phone you can get a new one, sign in, and restore all of your MFA accounts without re-enrolling at each site. However, restoring the backup means signing in to your Google account, which will itself ask for MFA, so it is important to have a second method enrolled there: the app installed on a tablet or second device, or a USB Security Key.

Google Authenticator

If you have a Microsoft account (e.g., a paid version of Microsoft Office or an Outlook email address), you will also want the Microsoft Authenticator app, because some of Microsoft’s own apps (see the notes on security keys below) only accept it. You can have both the Microsoft Authenticator app and the Google Authenticator app on the same phone or device.

Microsoft Authenticator

USB Security Keys include devices such as Google’s Titan Security Key and Yubico’s YubiKey products, which are built on the FIDO® open standards. As of January 2025, the three products recommended for most users are listed below.

Titan USB-C/NFC Security Key
https://store.google.com/product/titan_security_key

Yubico YubiKey 5C NFC
https://www.yubico.com/product/yubikey-5-series/yubikey-5c-nfc/

Yubico YubiKey 5C (USB-C only, no NFC)
https://www.yubico.com/product/yubikey-5-series/yubikey-5c/

In our testing, Google’s services accept any of these keys for every sign-in we tried. Microsoft’s support for USB Security Keys is not quite universal yet. It works well on websites, and for most of Microsoft’s applications if you are running Windows, but we have found that Microsoft Office for Apple and phone apps such as Outlook for iPhone still require the Microsoft Authenticator app. So, be sure to enroll both methods of MFA for your Microsoft account.

Sometimes a security key is mistaken for a USB keyboard, especially on Apple computers, because the key presents itself as a keyboard-like USB device. If you plug in a Security Key and a keyboard setup wizard pops up asking you to press keys, just close it; the key still works.

If you choose to use a Security Key, you will also need to set a PIN. The PIN protects you when someone else has physical access to the key, for example a college student’s roommate trying to use it while its owner is asleep. It does not need to be long, because the key itself limits wrong guesses and locks after a small number of consecutive failures, but it should not be the PIN you already use for your bank card, and you should write it down somewhere safe in case you forget it. (Keeping the key physically in your possession is the important factor, not the length of the PIN.)

CISA’s guide to Multifactor Authentication
https://www.cisa.gov/MFA

Disclaimer: This article’s technical tips are meant to provide helpful alerts and general awareness of the issues raised in this article. We cannot be held liable for any issues that may arise from following our recommendations. We recommend that each group find a skilled technical team to advise and help in a manner tailored to individual needs and circumstances.