Reading Time: 3 minutes

3 MINUTE READ

Multi-Factor Authentication: Why Passwords Aren’t Enough

Background of locks connected by lines with a computer and phone icon on top

Cyberattacks are increasing in sophistication and frequency. You need more than a password to secure your accounts.

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is an added layer of protection to help secure your accounts. MFA goes beyond a password to add another step to the login process. The common industry language for how we can secure accounts includes:

  • Something You Know – like a password
  • Something You Have – like your phone
  • Something You Are – like your fingerprint

MFA includes your ID and passwords as the things you know. It then adds something you have which can be an app on your phone that prompts you when you try to login; a text message with a code; or a secure token with digits that change at regular intervals.

Not All Second Layers of Protection are Equal

When setting up MFA, should I use…

Keywords and security questions?

No. MFA requires the addition of something you have. Entering a unique word or answering a set of security questions is not something physical. The answers to these questions or the keyword you use to validate your identity is likely stored in the same system as your user ID and password. If a service is breached, you can assume this information will be compromised with your credentials.

My primary email address?

No, unless it’s the only option available. This can be tempting because we live in our email and have frequently established access from many different devices. However, email is also the most commonly breached service. If someone gets into your email, they are likely to look for emails associated with authentication requests from other services. If they find one, they can typically reset your password to the service (most “Forgot My Password” tools will send you an email) and then watch your email for the code to confirm a login attempt. Smart attackers can accomplish this while hiding all evidence that they are working their way into a system you want to protect. Consequently, email should be your last choice for MFA if given options and you should request that the service be disabled if other mechanisms are available.

Text Messaging?

Maybe. Text Messaging or SMS is a common option for MFA. It is popular because it only requires a phone which most of us keep close. However, SMS MFA has been successfully exploited. If an attacker breaches a service and gets your user ID and password, they are also likely to get your phone number. They can then duplicate that phone number on a device they control to intercept the SMS containing the verification code required to log in. This is not a simple attack and requires some unique information about your phone and service, but it has been done. Like email, SMS is a better option than no MFA at all but should only be used if other more secure options are not available.

Mobile Applications?

Yes! Many services offer the use of a mobile application on your smartphone to support MFA. Many 3rd party applications work with other services. The most common of these apps include Google Auth, Microsoft’s DUO, and Authy. These applications create a secure link between your physical device and the service you are protecting. You log in with your ID and password as normal, but then either need to provide a code from one of these services, or some will even simply send you a prompt to confirm the login attempt. Some will even allow you to use your fingerprint or facial recognition on devices that support such technologies. Thankfully, this is convenient and secure. The secure link between your device and the application is established when the app is installed. Even a cloned phone with the same number will not be able to substitute for your device. This is the most secure and convenient option.

A key fob or token?

Yes! Not as convenient as a phone as it requires carrying around another device, however, they are typically small and can attach to your key chain.  These devices have a constant set of rotating numbers that are used as your multi-factor code.  Very secure and a great option for someone who does not want to install an application on his or her personal phone. 

Be cautious of any request to “remember” a device or a location.

Many services will prompt you to “remember” a device or location when you log in. The idea is to offer the user the convenience of forgoing MFA on subsequent logins from that same location or device. Unfortunately, security is rarely convenient. We recommend you do not “remember” devices.

Don’t Wait. Start Using MFA Now.

Thankfully, many online services now include an option to enable MFA at no additional cost. Some, like many banks, force you to use MFA. MFA is so important for cybersecurity. We recommend it to anyone and everyone.

Questions?

If you’d like to learn more about MFA or other cybersecurity services, we’d love to chat. Fill out the form below to schedule a 30-minute call. We’ll review your current cybersecurity posture and discuss next steps.