The Convenience Trap: Why Seamless Banking Access Can Turn 2FA into 1FA

Multi-factor authentication (MFA) is the bedrock of modern digital security. Its principle is simple and powerful. As Wikipedia defines it, MFA is:

an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.

The key phrase here is distinct types of evidence. These factors are typically categorized as something you know (a password), something you have (a device), and something you are (a biometric). Any financial institution worth its salt implements MFA. Having opened many bank accounts in Switzerland, I’ve seen the full spectrum of authentication methods that are used here. They generally fall into one of these categories:

- Mobile-only banking apps with phone biometrics
- SMS-based tokens
- Authenticator app without additional user interaction (simple push)
- Authenticator app with additional user interaction (number matching, biometrics)
- Separate hardware device or a physical code list
- Passkeys

Unfortunately, the relentless drive for a “seamless user experience” has created a convenience trap. Many of these methods, while appearing distinct, collapse onto a single device: your smartphone. This consolidation fundamentally undermines the security promise of MFA, often degrading true two-factor authentication (2FA) into a fragile single-factor authentication (1FA).

Let’s analyze these methods against realistic threats that the average user faces:

- Password Theft: An attacker obtains your login credentials, for instance because a site is breached.
- Phishing: An attacker tricks you into authenticating on a malicious site.
- Device Theft: An attacker physically steals your smartphone.
- Malware: Your primary computer is compromised.
