Last month we reviewed how good passwords and a password manager are great steps to preventing unauthorized access. But that is only one piece of the strong authentication puzzle.
To take your authentication game to the next level, combine those measures with multifactor authentication (MFA).
MFA combines your user ID and password (together they are one factor) with one or more other forms of authentication to prove you are the person who should have access. That way if someone obtains your password through a breach, guesses your password, or cracks it, they will face another obstacle to accessing your account.
What are these factors? Typically, they involve something you know, something you have, or something you are. They can be just one additional factor added after your username and password login (typically referred to as 2FA – two factor authentication), or they can be layered on top of one another for even more security.
Examples of these additional factors can be a response to a security question, a secret PIN, a phone call, a one-time code by text message, a code from an authenticator application on your phone (Google Authenticator, Duo, LastPass, MS Authenticator, etc.), a notification/approval message from an authenticator application, a code from a special USB or Bluetooth device (YubiKey, Titan Security Key, etc.), or even biometrics (thumbprint, iris scan, facial recognition, or maybe one day a DNA sample as in the 90’s film GATTACA). But be careful! There are growing privacy regulations for the collection and use of biometrics and severe consequences for improper collection, improper use, or compromise in a data breach.
Also, not all factors are created equal. For instance, most security question answers can be determined by a quick search of social media. Also, check out publications such as KnowBe4.com’s 12+ Ways to Hack Multi-Factor Authentication for some additional considerations. But since technology is refined quickly, what may be limited today could be secure tomorrow, and many limitations from yesterday may already be resolved.
As an added benefit, some MFA solutions can alert you to compromised passwords. If someone tries logging into your account and you receive notifications as part of your MFA process, you can identify sign-in attempts with your password in real time. This is a clear sign you should change your password right away and some platforms even allow you to actively block or reject the sign-in attempt.
The key with any MFA solution is to choose one that balances security and convenience. MFA, like many security measures, will be ineffective if it is so difficult to use that people give up on it or try to find a work-around.
There is some more great news – setting up MFA is free on most platforms. So, go ahead and try it out, starting with your most sensitive accounts and moving to your least sensitive. However, if you use it in only one place, be sure it is enabled on your password manager! Next month we will explore ways to engage and empower your colleagues and begin to create a culture of security within your organization.
About the Author
Patrick is the Vice President of Enterprise and Operational Risk Management at Lawyers Mutual as well as filling the roles of Corporate Secretary and Director of Information Security. He is an NCSB board certified specialist in Privacy & Information Security Law and has been designated a Fellow of Information Privacy and a Privacy Law Specialist by the IAPP. He is always happy to talk about his collection of tinfoil hats or to discuss risk management advice and resources that you may find helpful - you may reach him at 800.662.8843 or firstname.lastname@example.org.