This is a monthly column by CAA Board Member Dan Alvarez, addressing technology issues in the banking world, for non-tech professionals. 

#6 Multi-Factor Authentication

(April 2024)


This month's article aims to cover the basics of Multi-Factor Authentication (MFA), explain its critical role in protecting sensitive accounts and information, and tell you how it works and how to enable it. Over the last few years, almost all financial institutions, including JPMC, have forcibly enabled MFA as an added security measure, and while some may find this feature inconvenient, it’s largely in the best interest of both you and the institution to have it enabled.


Please feel free to submit feedback and suggestions via our survey.


What is multi-factor authentication (MFA)?

Multi-factor authentication is a security process that requires more than one method to verify your identity before granting you access to an account or system. It combines something only you know (like a password) with something you have (like a code sent to your phone) or something you are (like biometric data, e.g., a fingerprint or face recognition).


How does MFA work?

When you try to log in to an account or system that uses MFA, you'll first enter your username and password as usual. Then, you'll be prompted for a second form of verification, like entering a code texted to your cell phone or using a biometric factor like a fingerprint scan or facial recognition, which has become a standard feature on most modern smart devices. Only after providing both forms of authentication will you be granted access to the website or app.


At the bottom of this article, we’ll dive into the technical specifics of how a code is generated and recognized by the authentication system.


Why is MFA important?

MFA adds an extra layer of security to your accounts and personal information. Even if someone manages to steal or guess your password, they won't be able to access your account without the second factor of authentication. This helps protect you from identity theft, financial fraud and other cyber threats. Microsoft reported over 300 million fraudulent sign-in attempts to their cloud services each day from hackers looking to probe accounts with weak passwords and/or with MFA disabled. For accounts with MFA enabled, 99.9 percent of all attacks were successfully blocked.


MFA has become increasingly important in recent years. Passwords are easier to guess than most people realize, partly because many people do not choose strong enough passwords to begin with, re-use the same password across multiple websites, or use common passwords such as ‘password1’ or ‘12346’. It’s also becoming increasingly easy for bad actors to perform brute-force login attempts (using a computer to try many, many passwords or keys to gain unauthorized access to an account or system). MFA acts as a second line of defense if your password is compromised for any reason.


Where is MFA used?

MFA is becoming increasingly common in areas such as:

- Online banking and financial accounts

- Email and social media accounts

- Corporate networks and internal systems (for employees)

- Healthcare portals and medical records

- Online shopping and e-commerce sites


Generally speaking, any website or app that contains sensitive information should have MFA enabled on it. In many areas it will be enabled on your behalf (healthcare, financial services, etc.), while in others it will be your choice (online forums, basic websites, etc.).


Is MFA difficult to use?

While MFA adds an extra step to the login process, it's generally straightforward and user-friendly. Many services offer options like receiving a code via text message or email, using an authenticator app or even using a physical security key. The added security and peace of mind are worth the minor inconvenience.


How can I enable MFA?

Below are the typical steps to enable MFA on an online account; these are general steps and not geared toward one specific website or app.

  1. Check if MFA is offered by the service. Look in the account security or login settings for an option to set up multi-factor or two-factor authentication.
  2. Choose an authentication method. Common MFA options include receiving codes via text/SMS, authenticator apps like Google Authenticator, physical security keys or biometrics like a fingerprint.
  3. Set up the authentication app or method following the service's instructions. This usually involves verifying your email, phone number or biometric data.
  4. After setup, you'll be prompted for an additional verification code from the authentication app or method anytime you log in from an unrecognized device.

The exact steps can vary a bit by service or provider.


How are MFA codes generated?

Users like you and me don’t have to worry about this, as all the legwork is handled by the provider. For the curious minded: multi-factor authentication codes are typically generated using Time-based One-Time Passwords (TOTP). TOTP codes are based on the current time and a protected secret key shared between the authentication server and the user's device (e.g., mobile app, computer, hardware token). Your secret key is specific to your account and is typically generated automatically when you first set up MFA with a website or institution. It’s almost impossible to guess and is never, ever shared with anyone. The MFA code is produced by a cryptographic algorithm that takes the current time and the secret key as inputs and turns them into a seemingly random number or string. The codes are valid for a short period of time (usually a few minutes), and you can request a new code if the previous one expires.


As a reward for making it to the bottom of our not-so-thinly veiled PSA on the importance of MFA, here’s a riddle for a future Tech Corner column:


My portrait stares back, a founding father's face,

Crisscrossed with lines, a complex design to trace.

Though simple in value, my secrets run deep,

What lies beneath the surface, can you help me keep?


Thanks, ChatGPT!


Do you have a question or idea for a future column? Please contact:




About Dan Alvarez


Dan Alvarez began at JPMorgan Chase in June 2016 as a summer technology analyst/infrastructure engineer, and left in April 2022 as a Senior Software Engineer in Global Technology Infrastructure - Product Strategy and Site Reliability Engineering (SRE). Since May 2022, he has worked for Amazon Web Services as an Enterprise Solutions Architect.

He is also an avid guest lecturer for the City University of New York and has given lectures on artificial intelligence, cloud computing and career progression. Dan also works closely with Amazon's Skills to Jobs team and the NY Tech Alliance with the goal of creating the most diverse, equitable and accessible tech ecosystem in the world.

A graduate of Brooklyn College, he is listed as an Alumni Champion of the school and was named one of Brooklyn College's 30 Under 30. He lives in Bensonhurst, Brooklyn.