Author - Scott Lavergne

Multi Factor Authentication, MFA, Two Factor Authentication, 2FA, hackers, MFA codes, passwords

Multi Factor Authentication

In addition to having a strong password, multi-factor authentication (or MFA) is now considered a necessity to keep the bad guys out of your accounts.

Often referred to as 2FA (Two Factor Authentication), it is now more commonly referred to as MFA, since you may want more than two identification checks. In this post I hope to give you a basic understanding of MFA and how you should use it.

Multi Factor Authentication has been around for a long time. The main goal of MFA is to ensure that only the right people log into a system.

Back in the 90s I remember some people having a small key fob on their car keyring which had a number on it that changed every 60 seconds. To log into their network, they needed their username, password, and the current number displayed on their key fob. This ensured that those with a fob couldn’t share passwords, hackers couldn’t guess passwords, and had the added bonus of extra motivation to not lose their car keys. Fast forward 25 years, and MFA is not just reserved for those who work at big organizations. It is now a necessary tool to hold cyber criminals at bay. In addition, the internet has now reached every corner of the globe. The simple fact is that Americans are a target for every cyber criminal in every country.  

I’m sure you are wondering, “What should be set up to use MFA for security?”

The answer is pretty much everything. Online banking, investments, shopping accounts, social media accounts, dating profiles, and especially access to your work data should all have an MFA option. Pretty much everything you access via the internet should be MFA enabled. 

Next, you should know what kinds of MFA factors are available. The most common way people get started with Multi Factor Authentication is with a text confirmation sent to a cell phone. Basically, after you enter your password into a website, like your bank account, you will receive a text with a code to enter on the website. If you don’t have your cell phone, then you are not getting in. This is a good way to prevent basic attacks on your passwords. However, it is also the least secure way to handle MFA. 

The problem with using text for Multi Factor Authentication is actually with your cell phone company.

If a cybercriminal is targeting you specifically, and they already have some basic information about you, they can call your cell phone company and are sometimes successful in adding a new phone to your cell number (a so-called SIM swap). While this seems far-fetched, it has happened before. The cybercriminal is then able to receive your texts, MFA codes included. However, this should only be a concern if you are being targeted specifically. Most instances I have seen of people getting hacked did not have any MFA in use. The most important aspect of security is that you don’t want to be the lowest-hanging fruit!

The next most common option is a Multi Factor Authentication app. These are apps that run on your cell phone. There are several to choose from, and the one you pick should be the one supported by the majority of the websites you wish to access. Just like the key fobs of the 90s, these apps show a number that changes every 30 to 60 seconds for each site that you access. Some of these apps even sync to your smart watch from your phone, which I find is easier to reach when I need a code. Setting up a new code in the app is usually pretty easy: you follow the instructions on the website where you are enabling MFA, scan the QR code it shows with the app on your phone, and voila, you have a new MFA-secured login. Some apps, like Duo, will also allow you to add codes from other providers, like Google Authenticator, inside their app so that you don’t have to have several apps on your phone. Using an application on your cell phone is currently the preferred method for MFA.
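To make the rolling 30-second number concrete, here is an added example (not the author’s code and not any particular app’s implementation) of the TOTP scheme (RFC 6238) that authenticator apps and the websites they pair with both run. The QR code you scan carries a shared secret inside an `otpauth://` URI; afterwards the app and the site each derive the same six-digit code from that secret and the current time, and the site checks what you type against its own computation. The secret in the block is the published RFC 4226/6238 test key, not a real account secret, and the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# Published test key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), base32-encoded.
# Used only so the results can be checked against the RFC tables; never reuse it for real.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret() -> str:
    """Generate a fresh 160-bit shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The text behind a site's enrolment QR code (the Key Uri Format that apps scan)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods since the epoch.
    This is the number the app (or watch) displays; it rolls over every `step` seconds."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """What the website does with the code you type: recompute it for the current period and
    `window` periods either side (phone clocks drift), comparing in constant time so the
    comparison itself leaks nothing about which digits matched."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    if at is None:
        at = int(time.time())
    current = at // step
    return any(hmac.compare_digest(hotp(secret_b32, current + d, digits), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Enrolment: the site generates a secret and shows it as a QR code (constructed names).
    secret = new_secret()
    print("QR code contents:", otpauth_uri(secret, "alice@example.com", "ExampleBank"))
    # Login: the app shows the code, the site verifies it.
    code = totp(secret)
    print("current code:", code, "-> accepted:", verify_totp(secret, code))
```

The `window` parameter is why a code still works for a few seconds after the app’s timer rolls over, and it is also why a site should record the last accepted period and refuse to accept the same code twice, which this minimal verifier does not do.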

The last option I’d like to mention is a bit more obscure, but it is worth mentioning. If you use Office 365 from Microsoft for your email, it is extremely important that you enable MFA, but you might be thinking that you don’t want to have to type in a code every time you access your email. However, there is a way around this. Every cell phone has unique identifying information built in so that the phone company can manage it. This unique information can be used as your extra factor in addition to your password. It is basically saved on the server as an approved device for your account, and then all you need is the username and password. The same also works for Outlook Web Access. The first time you log in, you need your MFA code, but unless you change computers, fly across the country, or upgrade your computer, Microsoft won’t ask for your MFA code again for quite a while.

In the end, Multi Factor Authentication requires more work to log in wherever you need to go, but the price is small compared to being hacked.

I have gone full MFA for everything I log into, and eventually it has become second nature. The best perk was that I immediately slept better at night knowing that I was less likely to get hacked. It takes some time getting adjusted to MFA, but the reward is great.

See also the “Password Health” post below.

Password Health

Nobody likes the added work it takes to make your technology secure.

Changing your password at regular intervals, adding multi-factor authentication, and implementing regular security patching are just a few things that hinder our productivity. However, as annoying as good security habits are, getting hacked is far more painful. I’ve never spoken to somebody after they were hacked who was glad that they cut corners on security.

So how do we make it better?

The most basic and fundamental aspect of security is our passwords, so we should start there. Passwords should be complex, not reused, and changed on a regular basis. This takes a lot of work, but there is software to help us.  

If you haven’t already, you should be using a password manager.

People often ask if putting all your passwords in one place is a good idea, and for this I’ll defer to Andrew Carnegie when he said, “Put all your eggs in one basket and then watch that basket.” Any software company selling a password manager would be destroyed by a single breach, so you know they are highly motivated to protect your passwords. They also are experts at security, so do a little research and pick a reputable company. For my final plea, I will point out that if you are reusing passwords online, a password manager will certainly be safer. 

PC Magazine’s Editors’ Choice picks for 2021 are Keeper, LastPass, and Dashlane. You could use the password manager built into your web browser, but there are drawbacks. While a built-in password manager makes it easier to have unique passwords for every website, it is hard to access those passwords across devices. Also, some of these built-in managers have poor security. I have seen a virus access every password that you have stored on the computer. This specific vulnerability doesn’t impact the online password managers.

Of PC Magazine’s top picks, LastPass is the only one that has a free option for personal use. It has web browser plug-ins, apps for your phone, and a webpage where you can log in to get your passwords. It prompts you to save your password as you log in to a new site and has a security review of your passwords to let you know if any are weak or reused. I started using LastPass’ family plan this year. The family plan allows you to give someone else access to specific folders or to everything. This makes it easy to share things like your Amazon and Netflix passwords with your spouse or kids.

Once you have a password manager, begin by changing every password on every website. Always use a unique password for each website; this is very important. If a website has weak security of its own and is hacked, your username and password could end up on the dark web, where bad guys pay for databases of compromised login credentials. They then use these credentials to attempt to log in to other accounts that have the same username and password (an attack known as credential stuffing). So you weaken your security with every password reuse.

Next your password should be complex.

This is pretty simple. Password managers will suggest complex passwords that look like your cat typed them out while walking over your keyboard. These complex passwords make it hard for hackers to find your password with software that tries guessing millions of possible passwords. A complex password contains uppercase letters, lowercase letters, numbers, and symbols. It should also be longer than 10 characters. If a website doesn’t allow something like special characters, you can adjust the settings in most password managers, or you can just grab the cat.
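As an added illustration (it is not from the post and not any password manager’s code), here is how a manager’s generator and its “weak password” check work in principle: a cryptographic random source draws from the enabled character classes, a toggle drops symbols for sites that reject them (the post’s “adjust the settings” case), and an entropy figure shows why length beats cleverness against guessing software. The symbol set, the 16-character default, and the rule messages are my assumptions built on the post’s “four classes, longer than 10 characters” rule.

```python
import math
import secrets
import string
from typing import List

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"   # assumed set; some sites reject others


def _classes(allow_symbols: bool) -> List[str]:
    """The character classes a generated password must draw from."""
    return [LOWER, UPPER, DIGITS] + ([SYMBOLS] if allow_symbols else [])


def generate_password(length: int = 16, allow_symbols: bool = True) -> str:
    """Random password from a CSPRNG (the `secrets` module, never `random`), guaranteed
    to contain at least one character from every enabled class."""
    if length <= 10:
        raise ValueError("use more than 10 characters")
    classes = _classes(allow_symbols)
    alphabet = "".join(classes)
    chars = [secrets.choice(c) for c in classes]                      # one from each class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # CSPRNG Fisher-Yates shuffle so the guaranteed characters don't always come first
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def check_complexity(pw: str, require_symbols: bool = True) -> List[str]:
    """The manager's 'weak password' review: return every rule the password fails
    (an empty list means it passes the post's complexity rule)."""
    problems = []
    if len(pw) <= 10:
        problems.append("length: must be longer than 10 characters")
    if not any(c in LOWER for c in pw):
        problems.append("missing lowercase letter")
    if not any(c in UPPER for c in pw):
        problems.append("missing uppercase letter")
    if not any(c in DIGITS for c in pw):
        problems.append("missing digit")
    if require_symbols and not any(c in SYMBOLS for c in pw):
        problems.append("missing symbol")
    return problems


def entropy_bits(length: int, allow_symbols: bool = True) -> float:
    """Guessing entropy of a uniformly random password over this alphabet: a guessing tool
    needs on the order of 2**entropy_bits attempts, so each extra character multiplies the
    work by the alphabet size, which is why length matters more than any single symbol."""
    return length * math.log2(len("".join(_classes(allow_symbols))))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "->", check_complexity(pw) or "passes")
    print("no-symbols variant:", generate_password(12, allow_symbols=False))
    print(f"16 chars, 4 classes: {entropy_bits(16):.1f} bits; "
          f"16 chars, no symbols: {entropy_bits(16, False):.1f} bits")
```

Note that `check_complexity` only tests the rule the post states; a real manager’s review also flags passwords it has seen reused across your saved sites, which needs the vault contents and is left out here.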

Finally, you should change your password regularly.

With a password manager and unique passwords, once a year is probably sufficient for individual website passwords. Personally, I’d only focus on the website I want to protect. My login to a forum on Ford Mustangs isn’t that important to me, so I won’t bother changing this password regularly. However, my credit cards will get an annual password makeover.  

Most importantly, you cannot neglect the password you use to access your password manager. I would recommend changing this password at least quarterly and never saving it to your browser; I cannot stress this enough, because that would weaken your security tremendously. In addition, don’t log in to your password manager from computers you don’t know. They could have a keylogger that swipes your most important password. The last step should be to turn on multi-factor authentication on your password manager. This will make it much harder for the bad guys to hack your account.

If you just improve your password behavior, you will improve your security immensely. While you are busy resetting passwords, motivate yourself by thinking about how much of a pain it would be if your bank information were being sold on the dark web. Or consider the pain of having thousands of dollars transferred out of your accounts. These things happen to thousands of people daily, and if you have bad password hygiene, then eventually it will happen to you.