Multi-Factor Authentication, What Is It?
Multi-factor authentication is a digital security feature used on websites and apps that does exactly as it sounds, it brings several factors to the authentication process—bringing more to your digital security than a simple password. This is often described as “something you know, something you have, or something you are.”
Something you know
This is the element we are all familiar with, this is your password. You must know your password as one of the elements that proves you are who you say you are, and have permission to proceed.
Something you have
This is the second most popular element of multi-factor. This can include things such as, key fobs, cell phones, USB drives, or software running on another computer. The device will create a unique randomized code that will only be effective for a short period of time. You must have this code to be authenticated.
Something you are
This is the least popular, but slowly becoming more popular with things like fingerprint scanners, and face ID. This technology takes some unique feature about you, such as your fingerprint, or your face, and uses that unique feature to prove you are who you say you are.
That’s great, but WHY is Multi-Factor Authentication important for me?
Let's start with all the ways we use passwords. If you follow the link https://haveibeenpwned.com/, and check your email address against the ‘pwned’ database, you may be surprised by the number places your password has been compromised.
From Dropbox, to video games, your passwords likely have been compromised dozens of times. This means that you should truly consider your password to be ‘public domain.’ In other words, over time, consistently our passwords will become known to the world. Beyond that passwords are an inherently weak way to protect an asset.
The reasons for this are multitudinous:
- Passwords can become discovered. Don’t believe me? Visit https://haveibeenpwned.com/ and check to see if your password is publicly available.
- Passwords, to be effective, must be long. Long passwords are...long. They are hard to type and easy to forget.
- The very technology that is used to transmit passwords can become outdated.
- Passwords can be changed simply by having access to the password reset tool. This tool is usually someone's email account, and when was the last time you typed a password to check your email account? So, the thing that protects your bank account, is the very thing that you so rarely type in your password that you have forgotten the password.
The question becomes, how do we protect ourselves, if the very thing that we’ve developed to protect us, is so weak? This is where multi-factor authentication comes in.
With multi-factor authentication, you use two of the three items above for authentication. That way when your password is compromised, your assets (email, bank account, business data) are protected.
Where do I go from here?
We recommend implementing multi-factor authentication in as many ways as possible. Talk to all of your software vendors, and see if they have a multifactor authentication available. Go to your bank and ensure you have multi-factor authentication enabled. If you are in regulated industries, such as national defense, banking, financial services, or healthcare, you should dig deep into what type of authentication protocols are necessary to fulfill your obligations.
A Word of Warning
Many software vendors will use a one-time token, emailed or texted to you for the second authentication. While more secure than having nothing, this form of multifactor is actually weak.
Texting a single-use code
This form of multi-factor authentication is weak, simply for the fact that it doesn’t truly verify that you HAVE anything.
“But” your query, “I have to have my phone to get the text, don’t I?” This is true, however as the following article from cnet states, hackers are stealing phone numbers in order to gain access to those incoming texts. This means your thing you ‘have’ is portable, and can be taken without you even knowing it.
Even weaker than texting is your email account. Let's think about all the ways you access your email. Your phone, your computer at work, your computer at home, your tablet, your old cell phone that you gave to your child, the ‘kids’ computer down in the basement. Do you really HAVE anything, if that thing is readily available in so many easy to access ways?
Also, historically, Email is not considered a secure medium. The odds are, the code being sent is unsecured plain text—for the entire internet to read. My favorite saying about email is, don’t email anything, unless you're comfortable putting that email on a billboard.
We recommend implementing multi-factor authentication in as many aspects of your digital world as possible. It is an important tool in protecting you and your business. If you need help implementing or managing your security, feel free to ask, we love to help!