Last September, I posted a blog about multi-factor authentication titled “Good Security is inconvenient: Welcome multi-factor” (you can find a link to it here). I was inspired to put it up based on some changes we were making internally at NetData and also due to rising attacks on online accounts. It got me to thinking – relying on passwords just isn’t enough.
As we saw in my last post about Passwords (you can find it here), complex passwords and passphrases are great, but they can only do so much.
It is inconvenient (notice the theme?) to periodically change passwords, make sure they are sufficiently complex and remember them for each account. Password managers help, and can do a lot to minimize the pain, but they too are only one way of identifying yourself.
If one is good, two must be better!
A great defense against a stolen or weak password is to require another piece of information to verify your identity. If a user name and password are good, wouldn’t additional factors be better?
What is multi-factor authentication?
Multi-factor authentication (MFA, also sometimes referred to as 2 Factor Authentication – 2FA) means using two – or more – methods to make sure you are you. The goal of multi-factor authentication is to tie different ‘things’ to you that only you know or have.
Multi-factor is a combination of ‘something you have’ and ‘something only you know.’ A good example of multi-factor you already use is your bank card and PIN. The bank card is something you have; the PIN is something you know.
The problem is, in this example, both can be stolen and used without your knowledge because while the PIN is ‘secret,’ it isn’t something only you can provide.
In the online world, MFA comes in a variety of flavors. The first layer of authentication is pretty standard – usually your username and password. As many of us have learned, that single layer of protection isn’t enough. By adding a second layer, we gain a big advantage over the would-be thieves.
The second layer is where the variety comes in, but they all share the same feature: they are something that only you, and not someone else, can provide.
Directed challenge and response
Many years ago, RSA (rsa.com) brought the notion of a second form of authentication to the business world. Through a small key fob-like device, RSA would generate a new six-digit number every sixty seconds. This fob was linked to the authentication system you were connecting to and as long as the six-digit code matched, you were granted access.
This was an early form of MFA. The system wasn’t perfect, but it did help lay the groundwork for other MFA technologies. If someone stole the token and knew your login name, they had the proverbial keys to the castle.
In today’s world, the directed response can be in the form of a text, a pop-up from a vendor-supplied authenticator app, or through a 3rd party app. Biometrics, like thumbprint and iris/facial recognition, are another way to add a layer of protection.
These forms of directed response are great because each one is tied either to your cell phone, PC or your physical body. It’s very hard for an online hacker to swipe their thumbprint on their cell phone to complete a purchase.
So multi-factor is “neat”, but why is it important?
Yes, MFA is neat and cool and all those other things. Here’s why it is so effective. Username and password combinations are a standalone security pair. They are not tied to anything unique. Anyone that can type can access your account with this information.
By adding a second form of authentication, specifically one that is tied to you, a hacker is stopped.
Here’s an example: I have my credit card company Website set up to use MFA. I have my login profile set so that I get a text after successfully entering my username and password. This text contains a six-digit passcode I have to enter at the Website to prove I am the one logging in. After typing in the passcode, I can access the Website.
OK, that’s nice and all, but why is that important? That just seems like a lot of steps to just log in. Here’s a different way to look at our previous example:
What if someone else was able to get your username and password? Maybe a Website you’ve used in the past was compromised and your login info posted to a Dark Web Website? (Hint – this really happens).
Without MFA, the hacker can simply log in as you; there is nothing to stop them. With MFA in place, they do not have the passcode the Website texts directly to you. Unless they’ve stolen your cell phone too, they are effectively blocked from logging in. And because you received the passcode, you know someone was trying to log in as you, so you had better go change your password.
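Here is the credit-card-site flow above as an added example of what the Website has to do on its side (this is illustrative code written for this post, not the card company’s or any vendor’s implementation). The user names, password and phone number are constructed; the SMS gateway is replaced by a list that records what would have been texted. A correct password alone only triggers a texted code; the code expires after five minutes, can be tried a limited number of times, is compared in constant time, and is discarded the moment it is accepted, so someone holding a leaked username and password gets no further than “code required”.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # a texted code should die quickly
MAX_ATTEMPTS = 5        # stop online guessing of a six-digit code

# Constructed demo account store: salted password hashes only, never plaintext.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_salt = secrets.token_bytes(16)
USERS = {
    "alice": {"salt": _salt, "pw_hash": _hash_password("correct horse", _salt),
              "phone": "+1-555-0100"},  # constructed phone number
}

PENDING = {}     # username -> {"code_hash", "expires", "attempts"}
SENT_TEXTS = []  # stand-in for the SMS gateway: (phone, message) records, demo only


def check_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def issue_code(username: str, now=None) -> None:
    """Generate a random six-digit code, keep only its hash and expiry, 'text' the code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    PENDING[username] = {
        "code_hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    SENT_TEXTS.append((USERS[username]["phone"], f"Your sign-in code is {code}"))


def verify_code(username: str, submitted: str, now=None) -> bool:
    """Single-use, time-limited, attempt-limited check of the texted code."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        PENDING.pop(username, None)  # expired or exhausted: force a fresh code
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), entry["code_hash"])
    if ok:
        PENDING.pop(username, None)  # accepted codes cannot be replayed
    return ok


def login(username: str, password: str, code=None, now=None) -> str:
    """Returns 'denied', 'code_required' or 'granted'."""
    if not check_password(username, password):
        return "denied"  # wrong password: do not reveal whether the user exists
    if code is None:
        issue_code(username, now)
        return "code_required"  # password alone is never enough
    return "granted" if verify_code(username, code, now) else "denied"


if __name__ == "__main__":
    print(login("alice", "correct horse"))           # code_required, and a text is "sent"
    texted = SENT_TEXTS[-1][1].split()[-1]            # only the phone's owner sees this
    print(login("alice", "correct horse", texted))    # granted
    print(login("alice", "correct horse", texted))    # denied: the code was single-use
```

Reading the `SENT_TEXTS` list in the demo stands in for looking at your phone; the attacker in the scenario above can replay the password but has no way to read that list.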
Anything is better than nothing
Not all Websites and services employ MFA. Good security is inconvenient – it takes time, effort and money for Websites to provide this security measure. Maybe it’s time we started picking and choosing who we connect with based on how much they value our online security.
Coming up in my next installment of The Security Series, I’m going to give you some specific examples of how to set up MFA and where you can use it.