Improve security with Multi Factor Authentication
A lot has been written about cyber security these days, and it is a very complex issue, but there are small steps you could take to improve your security quite dramatically.
There is a phrase going around that says that companies are divided in two groups, the ones that have been hacked, and the ones that don’t know they have been hacked. I’m not sure the situation is that dramatic, but if you are not doing much over security, you are just making yourself an easy target.
It is important to have your environment, network, applications, etc looked at by an expert, in a holistic way. There is no point in doing this if your staff is not minimally trained for instance. You can have the biggest padlocks in the world for your warehouse, but if the staff leaves the doors open to get the breeze, your investment is useless.
There is not guarantee a fail safe environment, but small steps can go a long way. Stronger passwords, and different from any other ones you need will help, as if one site is compromised and your password stolen, it won’t affect everything else you do online. Before you think this is crazy with the myriad of passwords to remember all around, there are very good tools that can help you, such as Lastpass, Dashlane and lots of others.
But passwords alone are not a great way to secure your accounts these days, as more sophisticated attacks and cyber criminals can still get through if they really want to, and if they get ahold of your username and password, it’s game over. There is a lot of information we put about ourselves on the internet, and it wouldn’t be too difficult for an attacker to find your date of birth, your mother’s maiden name, and other data that can help them go further into your data or accounts.
One other step you can take to help you secure your accounts is to enable Multi Factor Authentication, or MFA.
What is MFA?
Multi factor authentication, or two step authentication, is simply the process of using more than one step to confirm that you are who you say you are. There are several types of MFA described below
The first type is based on knowledge. This means the second part of your authentication is based on you knowing additional information that only you would remember. This in my opinion is the weakest of them all, as if one of some of the options as mentioned previously is your mother’s maiden name or date of birth, it is very likely that info could be found online somewhere. Alternatively you might have to remember a pin or code. I don’t like this much as I don’t think it adds a huge degree of security, and it relies on memory in some cases, which is not great for everybody.
The possession type of MFA relies on having on you a device that generates something (a pin, a code) that can only come from you. Years ago this was done with key fobs, or card readers (banks use this method still to verify new payees, etc). These days the most common approach to this is using your smart phone to generate the code, and this can take two ways, either you are sent a single use text message to your mobile phone that you can use for a limited amount of time (Linkedin does this for instance), or you can use an app like Google Authenticator, Microsoft Authenticator, or others. Most of these will be useful for several websites, so you don’t need a myriad of authenticators in your phone.
An interesting third way that is popping up more and more is for the website to simply ask via an app on your phone if it is you that is trying to login. Google is doing this for their Gsuite and Gmail. In this case, rather than a code to type you are presented with a yes/no question. Is it you trying to login from so and so? If it is, press yes, and hey presto!, you’re in.
Yahoo mail got rid of the standard password altogether and is now using your phone to ask if it’s you trying to login on a device, followed by a single use password code issued on your phone.
Most serious websites these days are implementing this, and you shouldn’t ignore it.
Last, but not least is biometrics. This means using your own personal characteristics to validate it is you logging in. Fingerprints, very commonly used these days to unlock your phone, iris or retina scan (most commonly left to high security environments), but also voice or face recognition. Microsoft uses face recognition in Windows 10, as Apple is now also doing with their latest iPhones.
How to implement it
Implementing MFA is very easy, there are millions of websites that already do it, some examples I gave above, and it would be impossible for me to list them, but in general, if you go to the profile or security settings of the website you want to secure, there will be an option there to do so and step by step instructions on how to do this safely so you are not left without being able to login if for instance your device you used is lost or stolen.
It is important to highlight that implementing MFA will not guarantee your safety 100%, but that it will improve your security quite dramatically. There are pros and cons to all the options described, with text messaging probably being the weakest of the lot, as text messages are not encrypted and can be intercepted, but putting the most barriers for a criminal is the key, to make yourself a less attractive target.
© CIO on Demand UK
The original post is here