Why You Need Multi-Factor Authentication (MFA) Now
Contact the author, Scott Bilyou, on LinkedIn! https://www.linkedin.com/in/scott-bilyou-cybersecurity/
Multi-factor authentication (MFA), or two-factor authentication (2FA), is a method that proves you are who you say you are, as an added layer of security beyond your username and password. The ordinary username and password combination, your “credentials”, isn’t enough on its own to protect access to your sensitive information and accounts. Today you need more than that, due to the high frequency and effectiveness of phishing and ransomware. If your credentials are compromised, bad actors can access your accounts and information, including banking, financial, and health information, personally identifiable information (PII) such as Social Security numbers, full name, address or phone number, other personally sensitive information, proprietary business information, etc. Once they have captured this information, they can use it for their own purposes and sell it on the dark web.
You mean I need more than just my username and password?
Don’t get anxious about that. MFA is a solution that increases your security and the security of the company you work for. Several types of MFA are available. The two most common tools use a verification code or a biometric identifier such as a fingerprint or facial recognition, the kinds that you’ve probably been using on your phone for years now. You can get a verification code in a text message, in an email, or from an authenticator app that generates a “soft security token”. Authenticator apps of this kind include Microsoft Authenticator, Google Authenticator, Authy, LastPass and others. The verification codes they generate are only valid for 30-60 seconds.
The most common biometric identifiers are facial recognition and fingerprint scans. Facial recognition measures the distinctive patterns and features of your face and stores them as numerical information in a database. When a person tries to log in, the verification step compares the database values to the values read from the face of the person attempting to log in. If your login credentials are compromised, MFA can prevent access because you must have the device with the authenticator app, the device registered for SMS verification, or access to the associated email account. Although they may try with the tools of their trade, bad actors will be unable to get access unless they have been authenticated with your MFA code.
The three standards for authentication are: something you know, something you have, and something you are. Something you know could be a password, a date of birth, etc., or the answer to a security question that only you would know. Something you have can be the phone on which you receive SMS verification or that contains your MFA authenticator app, a USB-connected “hard token”, or a certificate stored on your device. Something you are can be your fingerprint, your face, your retina or your iris. An incorrect response will prevent the user from successfully logging in to a system.
MFA is a good cybersecurity practice for your personal accounts, but it’s crucial for securing a business. Bad actors who exploit login account credentials that are not MFA-enabled can ruin your business and, in some cases, cause regulatory non-compliance fines. Businesses must protect access to their information, apps, and certain processes to remain competitive or even just to stay in business. Using MFA in business even prevents insider threats to your organization and ensures all actions on your systems are traceable to each user.
So, whether for your personal security or for your business, start enabling MFA on the accounts that currently rely only on username and password credentials. It’s an easy step you can take to avoid being the “low-hanging fruit” that bad actors easily exploit.
References for Multi-Factor Authentication:
https://www.okta.com/identity-101/why-mfa-is-everywhere/
https://www.crowdstrike.com/cybersecurity-101/multifactor-authentication-mfa/
https://jumpcloud.com/blog/biometric-totp-2fa
https://www.onelogin.com/learn/biometric-authentication
Microsoft Authenticator: https://www.microsoft.com/en-us/security/mobile-authenticator-app
Google Authenticator for Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_US
Google Authenticator for iOS: https://apps.apple.com/us/app/google-authenticator/id388497605
Authy: https://authy.com/
LastPass: https://www.lastpass.com/