Carnegie Mellon University


October 28, 2020

NCSAM Week 3: Protect Your Accounts with Multifactor Authentication

Have you noticed how often security breaches, stolen data, and identity theft are consistently front-page news these days? The National Security Agency (NSA) reports [1] that password compromise is a primary cause of these crimes and recommends multifactor authentication (MFA) as mitigation. MFA may already be familiar to you, as many banking and financial institutions require both a password and one-time code that’s shared via a phone call, email, or text message. By applying MFA to more of your personal accounts, such as email, social media, and more, you can better secure your information and identity online!

What is it?

Multifactor Authentication (MFA) is defined as a security process that requires more than one method of authentication from independent sources to verify the user’s identity. In other words, a person wishing to use the system is given access only after providing two or more pieces of information which uniquely identifies that person.

How it works

There are three categories of credentials: something you know, have, or are. In order to gain access, your credentials must come from at least two different categories.

Something you know:

  • Password/Passphrase
  • PIN Number
  • Security Question

Something you have:

  • Security Token or App
  • Verification Text, Call, Email
  • Smart Card

Something you are:

  • Fingerprint
  • Facial Recognition
  • Voice Recognition

When it should be used

MFA should be used to add an addtional layer of security around sites containing sensitive information, or whenever enhanced security is desirable. MFA makes it more difficult for unauthorized people to log in as the account holder. According to the National Institute of Standards and Technology (NIST) [2] MFA should be used whenever possible, especially when it comes to your most sensitive data—like your primary Andrew email account, financial accounts, and health records. Some businesses will require you to use MFA; with others it is optional. If you have the option to enable it, you should take the initiative to do so to protect your data and your identity.

Activate MFA on your accounts right away

To learn how to register for DUO two-factor authentication on your Andrew account, head to Register to Use Two-Factor Authentication site, which is the MFA security solution for Carnegie Mellon University students, staff, and faculty. If any of your other accounts have MFA available, consider implementing it right away! By using multifactor authentication, you can protect these accounts and reduce the risk of fraud and identify theft. 



[1] National Security Agency Cybersecurity Information: Transition to Multi-Factor Authentication (2019, Aug). Retrieved October 28, 2020. From

[2] Malloy, D. “What’s multi-factor authentication- and why should I care”. NIST Cybersecurity Insights Blog (2016, June 16), Retrieved October 27, 2020. From