In my previous post, The Security Series – Multi-factor, I went through what multi-factor authentication is, how it works, and why it is important. If you haven’t given it a look yet (linked here) I recommend checking it out for some good background information on multi-factor authentication.
Cybercrime is up, and it isn’t going to go away any time soon. John E. Dunn of Forrester reports that cybercrime is expected to cost companies worldwide $6 trillion by 2021. When the “industry” you work in is worth $6 trillion, you will invest a lot in research and development to maintain and grow that market. Six trillion. That is a lot of jellybeans, my friends. These bad guys are actively targeting you.
Multi-factor – a quick summary
A quick refresher – Multi-factor authentication (MFA) means using two – or more – methods to make sure you are you. The goal of multi-factor authentication is to tie different ‘things’ to you that only you know or have. My example from my last post was bank card and PIN – the card is something you personally have and the PIN is something you know.
In the online world, typing in a card number, expiration date and the security code printed on the back proves only that you know those numbers, and anyone who has copied the card knows them too. It is no better than handing your card to a check-out person at the grocery store. No true verification. When’s the last time anyone asked for your photo ID when using a credit card?
True multi-factor adds a one-time code that only a device in your possession can produce. Depending on the site, that code is sent to your cell phone via text message, delivered as a push notification (a pop-up) from a vendor-supplied authenticator app, or generated right on your phone by a 3rd party app like Authy, Google Authenticator or LastPass Authenticator. The app-based codes follow the TOTP standard (RFC 6238): the site and the app share a secret at set-up time, and from then on the app computes a fresh 6-digit code from that secret and the current time, so nothing has to be sent to you at all.
Straight to you
This targeted event is important because you are the only one that can respond to it.
A bad guy sitting at his computer overseas typing in your stolen user name and password is stopped dead in his tracks when the Web site says “Please enter your security code to continue.” That code exists only on your phone and the bad guy does not have access to it. Account takeover prevented. The caveat: the code only protects you if you are the one who types it in. If a fake login page or a phone call talks you into handing the code over, the bad guy uses it just as well as you would, so never give a code to anyone who asks for it.
I hate to mention this, but I will for full disclosure. In my blog post “The Security Series – Passwords” I go on about weak passwords. Here’s the dirty little secret – if you use multi-factor authentication, a weak or leaked password is no longer enough on its own to get into your account.
I still want to strongly discourage weak passwords with MFA, as nothing is foolproof. The password is still the first factor; a weak or reused one gets the bad guy halfway in and leaves only the code standing between him and your account. I’m still an advocate for passphrases, but MFA will help keep you safe from yourself – most of the time.
The Apps have it
As I write this up, I just completed setting up MFA for one of the sites we make purchases from. The process is very straightforward. There will be an option on the user account page or security settings page that says something like “enable two-factor authentication.” There will be a couple of options for how you want MFA to challenge you: text, email or authenticator app.
Text and Authenticator App are my personal favorites. Email, to me, isn’t as secure. If someone has gained access to your mail account, they can easily provide the security code. Text is better, but a determined attacker can have your phone number moved to a phone he controls (a “SIM swap”) and receive your texts, which is why the NIST digital identity guidelines (SP 800-63B) discourage relying on text messages. An authenticator app on your phone is the best of the three. Just don’t lose your phone! Most sites hand you a set of one-time backup codes when you enable MFA; print them and put them somewhere safe, because they are how you get back in if the phone is lost.
For my case, I chose to use an Authenticator App. The site then displayed a QR code for me to scan. I opened my app (Authy for me) and told it to add a new account and scanned in the QR code. That QR code carries the shared secret (and the account name), so treat it like a password: don’t screenshot it or leave it on screen any longer than you have to.
To verify the process, during initial set up you have to enter the 6-digit code from the Authenticator app into the Web site. This proves that the app received the right secret from the QR code and that your phone’s clock is close enough to the site’s for the codes to match; from then on the two stay in sync on time alone.
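To show what is actually happening behind the QR code and the 6-digit code, here is a small worked example of the TOTP scheme (RFC 6238) that authenticator apps use. It is an added example written for this post, not code from the site I enrolled with or from any authenticator app. The shop name, account name and otpauth URI are constructed for illustration; the secret is the RFC 6238 Appendix B test key, so the codes it produces can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, urlparse, unquote


def make_enrollment_uri(issuer, account, secret_bytes, digits=6, period=30):
    """Site side of enrollment: the text a site encodes into the QR code.
    Format is the de-facto otpauth:// convention used by Authy, Google
    Authenticator and friends."""
    secret_b32 = base64.b32encode(secret_bytes).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={period}")


def parse_otpauth(uri):
    """App side: what the authenticator pulls out of the scanned QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC the 30-second step counter with the shared secret,
    dynamically truncate, and keep the last `digits` decimal digits.
    Both the app and the site run exactly this; nothing is sent."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // period
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(key, msg, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1, **kw):
    """Site side of login: accept the current step plus `window` steps either
    side, so a phone clock that is a few seconds off still works. Compare in
    constant time so response timing leaks nothing about the right code."""
    period = kw.get("period", 30)
    for step in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + step * period, **kw)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Well-known RFC 6238 Appendix B test key ("12345678901234567890" in base32).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    # Enrollment: the site generates a fresh random secret and shows the QR code.
    fresh = secrets.token_bytes(20)
    uri = make_enrollment_uri("Example Shop", "alice@example.com", fresh)  # constructed names
    app = parse_otpauth(uri)
    now = time.time()
    # The code the app shows and the code the site expects agree with no message exchanged.
    print("app shows:", totp(app["secret"], now))
    print("site accepts:", verify(app["secret"], totp(app["secret"], now), now))
    # RFC 6238 vector: time 59 with the test key gives 94287082 at 8 digits.
    print("RFC check:", totp(RFC_SECRET, 59, digits=8))
```

Two design points worth noticing: the site must store the secret as carefully as a password (it is one), and `verify` deliberately accepts only a narrow window of neighbouring steps; widening it much beyond one step on either side hands an attacker more guesses per code.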
Good security is inconvenient
Remember my theme from earlier posts? Setting up MFA and having to enter a code just to log in to Amazon or PayPal is a pain. Good security isn’t easy; and easy security isn’t good. If it keeps my accounts from being compromised, I’m OK with some extra steps.
So what are your choices for your own Authenticator App? Here is a quick list of five top apps for your Android or iPhone.
Feel free to look each of these apps up – there are a lot of other pages that compare one to another. Bottom line is you need, no, must get multi-factor in place to secure your online self.
What Web sites have multi-factor?
Now that I’ve thoroughly beat multi-factor into your head, you might be surprised that not every site has MFA available.
Why this is so is beyond me. From a technical aspect, there is some server room set up that has to be done. But it isn’t a huge technical hurdle and anyone hosting credit card data should implement it.
It is beyond the scope of this post to list all sites that do or do not have MFA, but when polling colleagues I was surprised by how many sites don’t allow for it. Many bank or credit card sites do not have MFA as an option. In my opinion, these are the first Web sites that should have it set up.
eBay, Amazon, Wish, Yahoo, Google, etc. all allow for MFA, but my bank, MY BANK, does not? One of the largest credit card services in the world doesn’t offer MFA (I won’t name names) and that totally shocked me.
Let us help you
By now I hope you’ve gotten a sense of what multi-factor authentication is, how it works and most of all, why it is important. For folks like us at NetData, we deal with this stuff day in, day out, so it makes total sense to us. For our friends out there reading this, it still may be 1-part Voodoo, 1-part magic and 1-part alien technology, all thrown together.
Let us help you understand it and get comfortable with it. That’s what we do. We will help you get MFA set up. We will walk you through the process and make sure you know how to use it. It is critical that everyone takes advantage of these security measures. I don’t want to contribute any of my money to a $6 trillion theft industry. I don’t want you to either.
Please drop us a line at [email protected] or ring us up at 850-837-7638. Anyone here would be happy to talk to you about multi-factor or anything security related.