Multi-factor Authentication: What is it, How do you Enable it for Email, and How Does it Protect you?

Updated in Jan 24th, 2023
Password security is often a hot topic among security professionals. If you use the same password everywhere, and one site gets hacked, then you are vulnerable everywhere. Whenever a big website is compromised, hackers will often try stolen login credentials on sites like PayPal, Gmail, Amazon, etc. By having a unique password, you only have one compromised login vs hundreds of potential passwords floating around the internet. There is another way to increase security that all security professionals recommend. It’s called Multi-factor Authentication and it’s recommended for every website you use that supports it. In a sense, it combines something you know (your password) and something you have (an app that generates a two-factor authentication code).

What is Multi-factor Authentication?

Multi-factor authentication, also known as two-step or two-factor authentication provides an extra layer of security when logging in to online accounts. It requires users to enter a code or verify their login from a seperate device, in addition to entering their username and password.

There are multiple apps that support this. Popular ones are Google Authenticator (iPhone and Android), Authy (iPhone and Android), and 1Password (iPhone and Android). While they look and act differently, they all use the same technology to generate the codes. Some websites might even mention they work with Google Authenticator, but this doesn’t mean it’s the only app that will work.

When you log in to a platform that supports Multi-factor Authentication, you’ll be prompted to enter your secondary code. As mentioned above, these codes rotate frequently, so you’ll need to grab it quickly. One benefit here is that it works offline so you don’t have to worry about receiving an SMS message.

SMS is an Insecure Way to Use Multi-factor Authentication

One thing to note is that SMS is not a secure way to use Multi-factor Authentication. SMS communication is not very secure compared to the one-time-based passcode solutions. T-Mobile’s recent data breach should also concern customers who are using SMS for Two-factor Authentication. The attack reportedly leaked IMEI information which compromises the security of SMS-based Two-factor Authentication solutions.

Hackers use inexpensive mirroring solutions to monitor SMS activity and grab SMS Two-factor Authentication codes without users knowing. Users that sync SMS messages with their Mac or PC also increase their risks if a computer is stolen by a hacker who can easily access these SMS two-factor codes.

Which Email Solutions Offer Multi-factor Authentication?

How do you Enable Google Workspace and Gmail Multi-factor Authentication?

Google recommends using prompts from the Google app for iPhone and Android, but you can use your own authentication app.

How do you Enable iCloud Multi-factor Authentication?

Apple uses a custom protocol for Multi-factor Authentication with verified devices. A trusted device is an iOS device iOS 9 or later, or a Mac with OS X El Capitan or later that you’ve already signed in to iCloud using Apple’s Two-factor Authentication. If it’s a device Apple knows is yours, it can be used to verify your identity by displaying a verification code from Apple when you sign in on a different device or to iCloud.com in a web browser. An Apple Watch running watchOS 6 or later can receive verification codes when you sign in with your Apple ID, but cannot act as a trusted device for resetting your password.

Apple does allow you to use a trusted phone number as a backup method. Apple requires you to verify at least one trusted phone number to enroll in Two-factor Authentication.

How to Enable Yahoo! Multi-factor Authentication

How to Enable Outlook Multi-factor Authentication

How to Enable FastMail Multi-factor Authentication

How do Email Clients Work with Multi-factor Authentication?

For as long as desktop email clients have been around, the way they integrate with email hosting providers has changed a lot. Before the rise of OAuth technology, adding your email account to an email client required you to input your password directly into the app. With OAuth, your email client never receives your password but rather a token that can be easily revoked in the future. Not only does this process increase security, but it also makes it much easier to add your email address to a client as you don’t need to tinker with the IMAP or SMTP settings.

Through this OAuth process, your email solution will ask for a multi-factor code which will be generated by a known device (an existing device that’s logged in, Google Authenticator, etc) and inputted into your the OAuth login window.

Spike’s secure email app natively integrates your email accounts using OAuth technology. When you add your Gmail, Outlook, or Yahoo! account to Spike, you’ll be prompted to enter your multi-factor authentication password. When setting up iCloud with Spike, you’ll need to create and enter an app-specific password.

Summary

Multi-factor Authentication might seem like a scary process, but modern email clients have made it much easier. New apps have made managing your multi-factor codes even easier. Spike recommends that you enable Multi-factor Authentication on all of your email accounts that support it.