Passwords have been used to enter online accounts for a long time. Long, complex passwords work against brute force attacks. But cybercriminals have many other methods for obtaining passwords. For example, phishing attacks use social engineering to trick victims into giving over their passwords. Your passwords can also be acquired through a data breach.
So, passwords have proven to be fragile as far as security is concerned. If a cybercriminal can trick you into giving him your password or obtain it by stealing it from a database that you have no control over, then there needs to be a different or added way to ensure that you are who you say you are.
As a result, cybersecurity professionals have come up with a new method to authenticate you as you: Multifactor Authentication (MFA). Also known as Two Factor Authentication, MFA adds a second factor to authenticate you. When you use an ID and password, you are giving the holder of your online account something that you know. With MFA, you also use either something that you have (cell phone) or something that you are (fingerprints or face) to authenticate your identity.
When you sign into your account, you enter your ID and password as usual. But then the service might send you a text message or email with a code that you enter into the sign in form. That way, the service knows that it has the right person.
But text messages and email can be intercepted. So, cybersecurity professionals have developed secure authenticator apps such as Google Authenticator and Microsoft Authenticator. With an authenticator app, a code shows in the app, and you enter that code in the dialog on your PC or laptop. The codes are short-term, lasting only 30 seconds or so. This helps ensure security, making it harder for identity thieves to break into your account.
And you don’t have to use MFA every time you log into an account. Most services will let you in without using MFA as long as you are still on the same computer or device. Some services will give you a choice between never using MFA on your current computer, using MFA periodically, or always using MFA. Based on your settings, you will only need to use MFA if you use a different computer or device, or you change your password. Some services know where you are, so they may require MFA if you try to log in while you are away from home.
MFA can be circumvented. Scammers have been known to get into online accounts by fooling the victim. They may convince a victim to give over their ID and password, and then ask for the code if MFA is instituted. Another method is for the scammer to obtain an ID and password via a data breach or purchase on the dark web. When they try to sign into an account with MFA, the real owner of the online account receives an MFA text or MFA push notice to authenticate the sign in. The scammer might try to sign in multiple times, sending an MFA notice each time and bombarding the account owner in what is called “MFA fatigue” until the owner approves the sign in request.
If you receive an MFA notification and you are not trying to log into an account, disapprove it or do not fill in any information. And do not give anyone your ID and password or your MFA authentication code, even if you are talking to them.
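The “MFA fatigue” pattern described above can be spotted on the service side by looking for a burst of unapproved push prompts, especially one that ends in an approval. The following Python code is an added example, not part of the original post; the event format, the sample events, the function name `detect_mfa_fatigue` and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (tune for your environment): 3 or more unapproved push
# prompts inside a 10-minute window count as a burst.
WINDOW = timedelta(minutes=10)
BURST = 3

# Constructed sample events: (ISO timestamp, account, push result).
# "denied" and "timeout" both mean the owner did not approve the prompt.
SAMPLE_EVENTS = [
    ("2024-05-01T02:10:05", "alice", "denied"),
    ("2024-05-01T02:11:40", "alice", "timeout"),
    ("2024-05-01T02:12:15", "alice", "denied"),
    ("2024-05-01T02:13:02", "alice", "timeout"),
    ("2024-05-01T02:14:30", "alice", "approved"),  # approval right after a burst
    ("2024-05-01T09:00:00", "bob", "approved"),    # ordinary sign-in
    ("2024-05-01T09:30:00", "carol", "denied"),    # single mistaken prompt
    ("2024-05-01T18:00:00", "carol", "approved"),  # hours later, no burst
]

def detect_mfa_fatigue(events, window=WINDOW, burst=BURST):
    """Return one alert per account that shows a burst of unapproved prompts.

    Severity is "high" when an approval arrives while the burst is still inside
    the window (the owner may have given in), otherwise "medium".
    """
    recent = defaultdict(deque)  # account -> times of recent unapproved prompts
    alerts = {}                  # account -> alert; a "high" alert is never downgraded
    for stamp, account, result in sorted(events):
        now = datetime.fromisoformat(stamp)
        queue = recent[account]
        while queue and now - queue[0] > window:
            queue.popleft()      # forget prompts older than the window
        if result != "approved":
            queue.append(now)
        if len(queue) >= burst:
            severity = "high" if result == "approved" else "medium"
            if alerts.get(account, {}).get("severity") != "high":
                alerts[account] = {"account": account, "severity": severity,
                                   "prompts": len(queue), "last_event": stamp}
        if result == "approved":
            queue.clear()        # a completed sign-in ends the current burst
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert is the case to act on first: the approval that ended the burst may not have come from a sign-in the owner started, so the session and password should be treated as suspect.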
Even with the workarounds that cybercriminals may have found, MFA works to protect your online accounts. Both Microsoft and Google have announced that MFA can block up to 99% of most attacks on online accounts.
For any online account that offers it, set up MFA to protect your valuable information.