Multi-Factor Authentication (MFA)
If passwords leak so easily, what should we add?
- Explain what MFA is and why it works
- Compare SMS codes, authenticator apps and hardware keys
- Set up MFA on a demo account and store recovery codes safely
Overview
Multi-factor authentication (MFA) requires more than one factor to log in — usually 'something you know' plus 'something you have'. Even if attackers steal your password, they still need the second factor. MFA is the single most effective personal security measure available, and most major services now offer it for free.
How MFA Works
After you enter a password, the service asks for a second proof: a 6-digit code from an app, a tap on a hardware key, or a fingerprint scan.
SMS vs App vs Hardware
SMS codes can be intercepted through SIM swap; still better than nothing. Authenticator apps (Google Authenticator, Authy) are stronger. Hardware keys are strongest — the code never leaves the device.
Recovery Codes
When you enable MFA, save the recovery codes offline. Losing your phone without codes can lock you out permanently.
MFA Setup Walk-through
- Set up MFA on a demo Gmail account provided by the teacher.
- Scan the QR code with an authenticator app.
- Download and safely store the recovery codes.
- Why is an authenticator app safer than SMS codes?
Reveal answer
Codes are generated on the device and cannot be intercepted by SIM swap.
- What is a recovery code used for?
Reveal answer
To log in when the second factor (phone) is lost or unavailable.
- Give one reason MFA blocks most account takeovers.
Reveal answer
Even a stolen password is useless without the second factor.
Turn on MFA for one of your personal accounts (with a parent/guardian). Write 3 sentences about the process.