In today's online environment, the fundamental “username and password” approach to account security can be easily breached by cyber criminals. Many logins can be compromised in a matter of minutes, and private data, such as personal and financial details, is under increasing threat. Wouldn't it be nice if your online accounts let you know when someone new is trying to get into them? Even better, wouldn't it be terrific to make a stolen password useless to others?
Strong web security relies on a variety of tools and policies. It’s important not to rely on any single method for comprehensive protection. Multi-factor Authentication (MFA) adds another layer of account security, supplementing the username and password model with another factor that only the specific user has access to. Whenever possible, users should get into the habit of protecting themselves with the extra layer of security that MFA provides.
What is it?
Multi-Factor Authentication is the use of two or more independent means of evidence (factors) to assert the identity of a user requesting access to an application or service. The most common form of multi-factor authentication is two-factor authentication (2FA), which pairs your first authentication factor (typically something you know like your password) with a second factor of an entirely different kind such as something you have and something you are. The multiple types of authentication factors are as follows:
Something You Know:
- Personal Identification Number (PIN)
- Security Question
Something You Have
- Smart Card/ID Badge
Something You Are
- Retinal Scan
- Voice Pattern
With MFA, a potential compromise of just one of these factors won't unlock the account. So, even if your password is stolen or your phone is lost, the chances of someone else having your second-factor information is highly unlikely. Note that the use of a password in combination with a PIN, for example, is NOT considered two-factor authentication because both pieces of information involve a single factor - "something you know".
How Does it Work?
Whenever MFA has been activated on an account, each time a user attempts to log in from a different device, an authorization check will be sent to the user. The authorization check can be sent in a variety of ways depending on the application and how the user established the MFA. The authorization check can come in the form of a passcode sent to the user's associated email account or through SMS to the user's phone. Another method of authorization is when a push notification is sent to a registered device such as a smart phone. The user will need to enter the code that was sent within the notification or simply select "approve" on the notification, prior to receiving access to the account. Without the approval or current code, a password thief can't get into an account.
Why Should We Use It?
Widespread major data breaches are occurring at an alarming rate affecting millions of people. The information that's stolen, in many cases, includes usernames and passwords that could allow cybercriminals access to user accounts. In addition, passwords alone can frequently be easily guessed or compromised through phishing or hacking. As more personal information finds its way to online applications, privacy and the threat of identity theft is an increasing concern.
MFA should be used whenever possible because it immediately neutralizes the risks associated with compromised passwords by adding an additional layer of security to protect highly sensitive personal information. If a password is hacked, guessed, or phished, a bad actor would still need the required second factor on the account, making the stolen password alone useless.
How to Set Up Multi-Factor Authentication
Using MFA on consumer services like Apple ID, Google, social media accounts, Amazon, Ebay, and banking websites is as simple as turning the service on. Nevertheless, some users skip MFA because it adds extra steps to the login process. An extra 15 seconds to log in is worth it for the security, though. There are many MFA options available. Make it a part of your cyber security policy.
If you need assistance, please do not hesitate to reach out to us at [email protected] or call 561.969.1616.