This is part 2 of Don’t Make it Easy on Them – Your Password is Your First Line of Defense. As we learned in part 1, strong, unique passwords are the first and foremost way to keep yourself secure. However, there is another step we recommend taking when it comes to password security: Multi-Factor Authentication (MFA). The basic idea of MFA is that two things are required to log in, usually your password and a second factor. The “something you know” is typically your password or a PIN code. The second factor can be something you have (an ID card, token or hardware key) or something you are (a fingerprint, handprint or eye scan). These are just a few examples, but the idea should be apparent.
Multi-Factor Authentication guards against compromised passwords
Typically, account passwords are compromised in one of two major ways: a system or service breach that exposes a database of user accounts, or a phishing attack. Without going into the details of these attacks, in both instances the victim typically is not immediately aware that the account has been compromised. During this time the attacker will attempt to use your credentials to log in to other services. For example, if your email password gets compromised, hackers will then test that password on Amazon, Facebook, your bank, and other accounts based on what they find in your inbox. When you have MFA enabled, hackers cannot log in to your accounts with the password alone, even if it is valid.
Multi-Factor Authentication can provide early warnings
Even if you are meticulous about using unique passwords, MFA can still provide early warning of an account compromise. Sometimes even the best of us have a password compromised. With MFA enabled, that password alone will not let the attacker log in to your account. If they try, you should get notified of login failures. Note that not all systems do this, but most do, providing a critical first sign that action needs to be taken on that account. If you use the same or similar passwords across many accounts, you have a lot of passwords to change.
Good and Bad Multi-Factor Authentication
First off, even bad MFA is better than none. What counts as good MFA is largely a matter of opinion or particular needs. There are MFA services like Duo and YubiKey which allow you to manage MFA across multiple users and accounts, there are mobile apps that generate codes for you, and there are less desirable methods such as phone calls and text messages.
My personal preference is mobile apps that generate codes based on time. These time-based codes are computed on the device itself from the current time, so they do not require a cell signal or internet connection to generate. Common apps for this are Google Authenticator, Authy and FreeOTP.
Next are MFA services like Duo, which provide the same time-based code functionality but also offer push notifications to a mobile app where you can approve the sign-in from the app. These require an internet connection on that device, but offer the time-based codes as a backup. There are also hardware tokens that plug into your USB port (such as YubiKeys), but those are not as widely supported, even though they are arguably more secure.
Least desirable are voice and SMS codes sent to your phone number. There are a variety of methods for redirecting SMS messages or phone calls to an attacker's phone. Phone companies are notoriously bad at authenticating users, and there are troves of examples of these attacks being successful. This method of MFA is largely used to accommodate less technical users, and again is better than nothing, but it is less than ideal. For services where I must use this type of MFA, I prefer routing those calls to a Google Voice account or some other cloud-based phone system where I can control the phone account from a control panel. This makes it harder for an attacker to call your phone provider, pretend to be you, and make changes to the account.
In the end, the importance of password protection and security has never been higher. Most of us log in using a password to a dozen or more accounts on a daily basis, and unauthorized access to these accounts could be detrimental. Strong, unique passwords are a great first step, but using them alongside an MFA tool equips you with the best protection against a litany of malicious attacks and hacks.
Lark Security is here to help make sure your personal, business, and customer information stays secure and protected. As HITRUST certified assessors, we’re experts in cyber security and compliance, with decades of hands-on experience as CISOs and CTOs. We offer industry leading vulnerability scanning and penetration testing to see where you stand, along with gap analysis and remediation reports to provide complete visibility into your security operations. Contact Us to learn more.