In addition to having a strong password, multi-factor authentication (or MFA) is now considered a necessity to keep the bad guys out of your accounts.
Often referred as 2FA (Two Factor Authentication), it is now more commonly referred as MFA just in case you want more than two identification confirmations. In this post I hope to give you a basic understanding of MFA and how you should use it.
Multi Factor Authentication has been around for a long time. The main goal of MFA is to ensure that only the right people log into a system.
Back in the 90s I remember some people having a small key fob on their car keyring which had a number on it that changed every 60 seconds. To log into their network, they needed their username, password, and the current number displayed on their key fob. This ensured that those with a fob couldn’t share passwords, hackers couldn’t guess passwords, and had the added bonus of extra motivation to not lose their car keys. Fast forward 25 years, and MFA is not just reserved for those who work at big organizations. It is now a necessary tool to hold cyber criminals at bay. In addition, the internet has now reached every corner of the globe. The simple fact is that Americans are a target for every cyber criminal in every country.
I’m sure you are wondering, “what should be setup to use MFA for security?”
The answer is pretty much everything. Online banking, investments, shopping accounts, social media accounts, dating profiles, and especially access to your work data should all have an MFA option. Pretty much everything you access via the internet should be MFA enabled.
Next, you should know what kinds of MFA factors are available. The most common way people get started with Multi Factor Authentication is with a text confirmation sent to a cell phone. Basically, after you enter your password into a website, like your bank account, you will receive a text with a code to enter on the website. If you don’t have your cell phone, then you are not getting in. This is a good way to prevent basic attacks on your passwords. However, it is also the least secure way to handle MFA.
The problem with using text for Multi Factor Authentication is actually with your cell phone company.
If a cybercriminal is targeting you specifically, and they already have some basic information about you, they can call your cell phone company and are sometimes successful in adding a new phone to your cell number. While this seems farfetched, it has happened before. Then the cybercriminal is able to receive your texts and the MFA codes. However, this should only apply if you are being targeted specifically. Most instances I have seen with people getting hacked did not have any MFA in use. The most important aspect of security is that you don’t want to be the lowest hanging fruit!
The next most common option is an Multi Factor Authentication program. These are apps that run on your cell phone. There are several out there to choose from, and the one that you choose should be the one that is supported by the majority of the websites that you wish to access. Just like the key fobs of the 90s, these apps have a number that changes every 30 to 60 seconds for each site that you access. Some of these apps even transfer to your smart watch from your phone, which I find is easier to access when I need a code. Setup of a new code in the app is usually pretty easy. You follow the instructions on the website where you are enabling MFA, then you scan a QR code into your phone from the app, and voila, you have a new MFA-secured login. Some apps, like Duo, will also allow you to link to other providers like Google Authenticator inside their app so that you don’t have to have several apps on your phone. Using an application on your cell phone is currently the preferred method for MFA.
The last option I’d like to mention is a bit more obscure, but it is worth mentioning. If you use Office 365 from Microsoft for your email, it is extremely important that you enable MFA, but you might be thinking that you don’t want to have to type in a code every time you access your email. However, there is a way around this. Every cell phone has unique identifying information built in so that the phone company can manage it. This unique information can be used as your extra factor in addition to your password. It is basically saved on the server as an approved device for your account and then all you need is the username and password. The same also works for Outlook Web Access. The first time you login, you need your MFA code, but unless you change computers, fly across the country, or upgrade your computer, Microsoft won’t ask for your MFA code again for quite a while.
In the end Multi Factor Authentication requires more work to login where you need to go, but the price is small compared to being hacked.
I have gone full MFA for everything I log into, and eventually it has become second nature. The best perk was that I immediately slept better at night knowing that I was less likely to get hacked. It takes some time getting adjusted to MFA, but the reward is great.