Lately, cyber-security professionals have been advising anyone who will listen (and some who won’t) to adopt Multifactor Authentication (MFA), also known as Two-Factor Authentication (2FA). They are eager for everyone to use MFA because it is an added safety measure that protects your online accounts (email, bank, financial, social media, etc.) from being taken over by a hacker or an identity thief.
We set up almost all online accounts with a username and a password (this is one factor). But this method of proving who we are to the service our account belongs to is proving to be imperfect at keeping an outsider from seeing what is in the account or from taking the account over.
More and more services are encouraging their users/customers/followers to adopt MFA when setting up their accounts. Some services will probably start to force the use of MFA to protect their users from account takeover. Google has already started. Google says that so far it has successfully “auto-enrolled” over 150 million people into its 2-Step Verification (2SV) program. 2SV is similar to MFA. Google recently announced that as a result of auto-enrolling those 150 million people it has “…seen a 50% decrease in accounts being compromised among those users.”
So how does Multifactor Authentication work? MFA authenticates more than one “factor” to ensure that you are you.
Factors can be:
· Something you know: your password or a PIN.
· Something you have: your smartphone, a secure USB key, or a smart card.
· Something you are: your fingerprint or your face.
When you enter your username and password, or you enter a PIN, you are entering something you know. But someone else can know that information also, either because you gave it to them, or they bought it on the dark web, or they stole it in a phishing attack.
MFA uses a second factor to verify that you have a right to access the account. That second factor can be something that you have, such as your smartphone. The way this works is: after you enter your username and password, the service might send you a text message with a code. The text message is sent to something you have, your smartphone. Then you enter the code from the text message, and you are in your account.
However, text messages can be intercepted. A more secure method is to install an authenticator app, such as Microsoft Authenticator or Google Authenticator, on your smartphone. Authenticator apps are a more secure way to communicate between your smartphone and the service.
With an authenticator app, a code will show in the app, and you then enter that code in the dialog on your PC or laptop. The codes are short-term codes which last only 30 seconds or so. This helps ensure security, making it harder for identity thieves to break into your account.
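The 30-second codes described above are, in apps such as Google Authenticator and Microsoft Authenticator, time-based one-time passwords (TOTP, RFC 6238). The following is an added example, not part of the original article: it shows how the app derives a code and how a service can check it, expire it, and refuse a replay. The function names, the drift window and the replay tracking are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, matching the "30 seconds or so" above
DIGITS = 6   # code length most authenticator apps display

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(key, unix_time // STEP, digits)

def verify(key, submitted, unix_time, last_used_step=-1, drift=1):
    """Service-side check. Returns the matched time step, or None.

    drift and last_used_step are assumptions of this example: accept codes
    from +/- `drift` steps to tolerate clock skew, and refuse any step at or
    before the last accepted one so a captured code cannot be replayed.
    """
    current = unix_time // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step), submitted):
            return step
    return None

# Shared secret from the RFC 6238 test vectors; a real one is random and is
# enrolled once, usually by scanning a QR code.
KEY = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(KEY, 59)
    print("code at t=59s:", code)
    print("accepted at t=59s:", verify(KEY, code, 59))
    print("accepted at t=120s:", verify(KEY, code, 120))
    print("replayed at t=60s:", verify(KEY, code, 60, last_used_step=1))
```

The code is computed on the phone from the shared secret and the clock, so nothing has to be sent to the phone at login time.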
While this is an additional step, it is quick and easy. The process usually only occurs when you first get into your account, when you try to enter your account from a different device than you normally use, or if you have not been in the account for a long time.
With Multifactor Authentication, you are better protected from someone taking over your online account and causing havoc in your real life. Set up MFA for every account that you can, but especially on your email, social media, financial, or other sensitive online accounts that you might have.
Google: https://blog.google/technology/safety-security/reducing-account-hijacking/
Microsoft: https://www.cisa.gov/sites/default/files/publications/MFA-Fact-Sheet-Jan22-508.pdf
Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/sites/default/files/publications/MFA-Fact-Sheet-Jan22-508.pdf
Wikipedia: https://en.m.wikipedia.org/wiki/Multi-factor_authentication