What is multi-factor authentication, and what do you need to know to keep your accounts safe?
It’s not enough to have a secure password anymore. Using MFA can help protect your data.
Chances are, when you log into your email, banking portal or other secure websites, you’ll need some additional information – a code, a piece of information or a fingerprint. This is multi-factor authentication, and it's an additional safeguard to help protect your accounts from cyber attacks.
What you'll learn:
- What is meant by multi-factor authentication (MFA)?
- What are the different types of MFA?
- How can you keep your information and account safe?
Multi-factor authentication is a security best practice that requires a user to provide additional information along with a username and password in order to log into accounts.
This approach increases security because even if a password is hacked, there are additional steps that are likely out of the hacker’s reach.
The Cybersecurity and Infrastructure Security Agency classifies each type of MFA as one of the following:
- Something you know, like a PIN or password
- Something you have, like an authenticator or text on your phone
- Something you are, like a fingerprint or face scan
These additional pieces of identifying information are generally set up when you register an account on a website or app. You can also often add them later through the site or app’s user security settings.
One of the more common forms of MFA is six-digit verification codes. You’ll usually be sent these codes via either email or text. You can also sometimes request a phone call with the code.
Scammers know they need those codes to get into your accounts – so after they’ve acquired your password, they may pose as someone you trust, such as a representative from your bank or utility company, and ask for the code. If you give them the code, they can log in and access your personal information or money.
Verification code scams can also happen on social media. BBB has warned in the past about a scam on Facebook Marketplace where scammers posed as buyers and requested a seller’s phone number and six-digit code to “verify the seller is real.” The scammers were likely using the phone numbers to set up Google Voice accounts, which they then went on to use for other schemes or to commit identity fraud.
There’s no situation where you should share a six-digit verification code or other MFA info – not even with customer service or tech support. If someone asks you for this information, it's likely a scam.
How to use verification codes safely:
- Use the code right away and delete it from your texts or emails after you log in to your account.
- Never give a verification code to a stranger. No one should ever ask you for a six-digit verification code – not a stranger on social media, not tech support, not even your bank. If someone does, end the conversation and block their number.
- Don’t give in to pressure. It’s a red flag if someone insists you need to give them a code immediately, says that something is wrong with your account or threatens that something bad will happen if you don’t give them the code.
- Contact customer service directly if you think there’s a problem with one of your accounts. Use a phone number you trust, such as the number on a past statement or a verified number from your phone's address book. Beware of unsolicited messages claiming something’s wrong with your account.
- Don’t share your phone number with strangers. Most social media sites and online marketplaces have built-in messaging, so you shouldn’t need to give a stranger your phone number to have a conversation or make a sale. Never share your phone number in a public social media post.
- Know scam protection policies. Most websites or apps that allow you to talk to strangers (like dating apps, online marketplaces or vacation booking sites) have fraud prevention policies – but you lose that protection if you take the conversation elsewhere. Be cautious if someone you just met insists on messaging you through another platform.
- Report it. If someone asks you for a verification code, report the conversation to BBB Scam Tracker. If you think someone is impersonating your bank or another organization, contact them using a phone number you trust to let them know. If you run into a scammer on social media or your account has been compromised, you can report it to the social media platform.