The Why & How of Multi-Factor Authentication
You have two locks to get into your house; why should you have only one for your accounts?
A little vignette to get us started:
Even an expert lock picker won’t target your house if they hear the bark of a possibly dangerous dog inside your home. They’ll move on to a house where they aren’t risking “bark and bite”.
When I’m cracking passwords during a penetration test, I have tools that guess passwords and usually find what I’m looking for in a few seconds. It’s too easy! All I need is the proper format for the username, which is easy to find or guess. Then I put my cracking tools to work using common passwords from a text file I maintain (this is called a “dictionary attack”). If that doesn’t work, I may have to resort to trying every letter, numeral and special-character combination possible (a technique known as “brute forcing”), but depending on the length and complexity of the password that can take days, weeks or months.
In any case, I will be successful eventually, because access to the account relies solely upon something you know. That’s only one factor. Security professionals recognize three kinds of authentication factor:
- Something you know (a password, PIN or challenge questions; the username only names the account and isn’t a secret)
- Something you have (mobile phone, mobile app, hard key fob)
- Something you are (fingerprint, facial recognition, retina scan)
Using two or even all three of these factors makes your account far harder to take over. The password-guessing attack above no longer works on its own, because the attacker also needs your phone, your key fob or your fingerprint, and defeating that takes rarer skills and a lot more effort. You’ve taken yourself off the “low hanging fruit” list. It’s the lock picker from our vignette, and you’re the home owner with the trusty family dog.
Your debit or credit card already uses two-factor authentication: the card is something you have and the PIN is something you know. Many online accounts can be set up for two-factor authentication too. Often it is a text message or voice call to the phone you’ve associated with the account, which proves something you have. It goes like this…
Open the online account page; for our example we’ll use Gmail. You’re presented with a sign-on page where you enter your credentials (username and password). Next, the login offers a choice of a phone call or a text message to the phone number you previously associated with the account. The text contains a set of digits that you’re required to type into the page that appears. Once you’ve entered the exact code from the text, your Gmail opens up and you’re off to productivity!
Some accounts can instead be paired with an authenticator app on your mobile device. When you enroll, the account and the app share a secret key (usually by scanning a QR code). From then on, both sides compute a fresh six-digit code from that key and the current time, typically every thirty seconds, so the app needs no network connection and nothing is sent to your phone. When you enter the code displayed in the app into the space provided on the login screen, BOOM! You’re in!
None of these sequences is unbreakable, even in 2019. A code sent by text or voice call can be captured by an attacker who takes over your phone number (a “SIM swap”), and any code you type into a web page can be relayed by a phishing site that is proxying the real login in real time. Even so, every one of these methods stops the attack I described above: a guessed or leaked password alone no longer opens the account. An authenticator app is stronger than a text message because nothing travels over the phone network, and a hardware key that checks the website’s identity before answering is stronger still. So, whether you choose a text or voice call, or any of the available authentication apps, you’ll raise the bar on account security using multi-factor authentication. Look for this feature on all of your accounts, and turn it on for your email first, since email is what resets the passwords on everything else.