Understanding MFA
Multi-factor authentication (MFA) may sound complex, but it’s not. It’s just a way of 'double-checking' that you’re really the person you’re claiming to be when you log in to your online accounts, such as banking, email, or social media.
MFA helps protect your accounts from being compromised by scammers as it requires you to enter additional information (on top of your password) to gain access to your account.
Why MFA is so important
Passwords are everywhere and offer a simple solution to restrict access to accounts. However, passwords alone are no longer considered enough to keep scammers at bay, due largely to the shortcuts we’re often tempted to take.
The problem with passwords is we are expected to use them for most of the services we access online. They create annoying friction as we transact, and even though we know we shouldn’t pick weak passwords or reuse them, we do so anyway.
Scammers know that password shortcuts are weak, making their efforts to gain access to our accounts easy. When a password is short, easily guessed, or popular (for example, ‘password’, ‘welcome’ or ‘12345’), an account is vulnerable to basic password attacks.
Using the same password across multiple sites is equally problematic. When we use the same password across many different sites, a scammer who obtains it can access every site protected by that password.
Therefore MFA, when implemented correctly, can be an effective tool to prevent someone armed with your password from getting access to your network or accounts.
What you need to know about MFA
There are three things, or ‘factors’, you can use to authenticate yourself to a service:
- Something you know (for example a password, four-digit PIN, or answer to a secret question)
- Something you have (for example a security token or trusted mobile app)
- Something you are (for example fingerprint or facial recognition)
When a combination of two or more of these factors is used to access a service, it is considered MFA. MFA reduces the risk of unauthorised account access because even if an attacker has one factor – like a password – they cannot complete the authentication process without the second factor.
The most common MFA implementations generally involve the use of a unique login name or email and password and one of these:
- One-time passcode
- Biometric such as your thumbprint or face scan
- Trusted mobile app
- Short Message Service (SMS) message or email
- Physical token
What you can do to stay safe
We're working every day to help keep you secure online; however, it's also your responsibility to keep yourself safe. To help you, here are some simple steps you can take to further improve your level of security.
- Activate additional security by using the MFA option whenever it is offered, including Personal & Business banking
- Never share passwords, PINs, user IDs or one-time passcodes with anyone, even Bendigo Bank. We’ll never ask you for your one-time passcode
- Do not use your banking passwords/PINs for other purposes, for example having the same password for internet banking and email
- Set up your mobile device security with an automatic screen lock, PIN and/or biometric (fingerprint/face/voice) detection
- Securely store devices, such as security tokens, when not in use to prevent someone else getting hold of them
Where is MFA available?
Many services use MFA, from social media to email, shopping, popular business tools and many government accounts you may have. You have most likely used it when logging into your accounts or changing personal information online.
What is changing
Today at Bendigo Bank you likely use a security token (MFA) such as our e-tokens or physical tokens. We are enhancing e-banking security for all our customers by replacing traditional security tokens with more modern multi-factor authentication technology. In the future, to ensure you have the highest level of security enabled, we’ll require all our customers to use MFA. We’ll provide you with more information on how you can upgrade to the new e-banking security in the coming months.
Does MFA guarantee my account won’t be hacked?
It’s impossible to guarantee 100% security; however, MFA offers overwhelmingly better protection than a password alone and is considered by the Australian Cyber Security Centre (ACSC) to be an important strategy to mitigate cyber security incidents. For more information, see https://www.cyber.gov.au/mfa
Things to remember
You should never provide your one-time passcode to anyone, whether online, in person, or over the phone (even if you know them). And always remember:
- Bendigo Bank will never ask for your personal information, such as your PIN or your password;
- We’ll never ask you to click on a link in an SMS text message; and
- We’ll never ask you to log in to e-banking from an email or SMS.