It used to be that protecting your identity took little more than removing your glasses and stepping into a phone booth. But these days, between the lack of phone booths and the savviness of today’s bad guys, protecting your identity and accounts is not only crucial, but getting harder.
Today’s Focus: Using MFA to Help Protect Your Accounts
Having a unique username secured with a complex password was once enough for you to be confident that your accounts were protected. But in today’s world, additional measures should be taken. Enter MFA.
What is MFA?
Multi-factor Authentication (“MFA”) is an authentication method requiring users to provide multiple verification factors to gain access to accounts, applications or other protected areas. Basically, MFA is intended to make you prove you are really you before you’re given access to information.
Is 2FA the same thing as MFA?
This falls into the “all bourbons are whiskeys, but not all whiskeys are bourbons” category. Yes, 2FA (2-factor authentication) is MFA, but it’s only one subset of MFA that requires just two factors to verify authenticity.
How does MFA work?
In a nutshell, MFA works by requiring you to provide additional information to verify that you are authorized for access.
Types of MFA Methods.
Most people are familiar with the one-time password (“OTP”) MFA method: after entering your name and password, you are prompted for a code that is sent to you via email, text, mobile app or code generator. Enter the code and away you go! But there are many other MFA methods that rely on a variety of factors:
- Knowledge: Something you know. Example: Security question asking the name of your favorite pet. (Fluffy!)
- Possession: Something you have. Example: Your smartphone or that annoying token with the ever-changing code your IT department has given you and told you to never, ever lose.
- Inherence: Something inherent to you physically. Example: Your fingerprint.
MFA can also include factors such as location or time, or even what is referred to as adaptive authentication (also called risk-based authentication). In these cases, unusual behavior may trigger requests for additional verification. If you normally log into an account during the day from your home computer, but in a fit of insomnia head to a café and decide to access that same account at 3:00 a.m., additional MFA factors may be required.
Okay, I’ve enabled MFA. I can rest easy, right?
Nope. Don’t let down your defenses! Although MFA improves security, it is not failsafe.
MFA be hacked?
Yes. Today’s bad guys are quick to figure out ways to get around roadblocks. They have many methods of retrieving MFA information and codes, and have even found ways around inherent factors such as fingerprints and facial recognition. According to KnowBe4, a leader in security awareness training, biometric identifiers claiming to be “unforgeable” are often forged in under a day for very little money. Phishing schemes and other more “traditional” social engineering methods are also utilized to hack MFA protections.
So what do we do to protect our accounts and data?
Utilize (and Protect) MFA.
First and foremost, MFA should be used wherever possible. While not a guarantee, it definitely makes things more difficult for the average bad guy. Also, take steps to protect the MFA avenues. For instance, if your bank requires you to answer a security question as an MFA protocol, and everyone knows that your secret crush is Aaron Rodgers, do not choose “My favorite football team” as your question. If your work time system requires an OTP which you receive through Google Authenticator on your phone, don’t leave your phone sitting around Taco Bell unlocked. And if your app store requires your fingerprint to authorize store purchases, be suspicious of your teenager’s claim that she “needs you to touch this glass for the science class’ fingerprint dusting lesson”.
In other words, be aware.
As with all things involving data or account access, maintain security awareness even when utilizing MFA. Question anything seeming odd. Don’t click links in emails or texts. Don’t use repeat or predictable patterns, passwords or codes. And if someone is shoulder surfing you or seems very interested in your computer’s number pad where you’re entering your OTP, don’t finish the authentication.
Take steps to protect devices that are used to generate MFA codes. Require passcodes on phones and consider remote wipe options for company devices. If Joe in accounting loses his phone, having the ability to remotely wipe it could relieve you of middle-of-the-night “what if the bad guys can now access our company data because Joe always uses 1234 as a password” sweats. Joe might be annoyed he lost pictures of his toy poodle wearing a bow tie, but you’ll breathe easier.
Protect Yourself: With MFA and Street Smarts
Although not impenetrable, MFA is a good step toward protecting your accounts and data. Enable it whenever possible, just don’t allow it to give you a false sense of security. Take steps to protect your authentication tools and information and always be conscious of when and where you are accessing your data. And if something seems suspicious, be suspicious. Better safe than sorry.