Multi-Factor Authentication
To expand on our discussion about secure passwords from last week, let’s look at multi-factor authentication. Multi-factor authentication has only been around for about twenty years, but that's a good chunk of the fifty years that personal computers have existed. The idea behind it, however, is far older and exists in the everyday world: when you have to bring two forms of identification to the DMV or to your employer, that's multi-factor in the physical world. Only recently has it become a large part of our digital world, as employers and universities have begun requiring multi-factor authentication for their systems.
What is multi-factor authentication?
Multi-factor authentication (MFA) is the process of verifying a user's identity with at least two separate factors. The first step is normally your username and password. From there the system requests another proof of identity, which is the MFA step. In short, MFA exists to confirm more than one factor of the user’s identity before allowing them into the system. It wants to confirm who you are, where you are, and when you are. In other words, it is looking for something you know, something you have, and something you are. Once these things, or at least a combination of two of them, are confirmed, you are considered authenticated. There are several types of authentication, ranging from biometrics to a one-time password, so let’s go through them.
One-time Password
A one-time password is a verification code sent to you by the system you are trying to access. For example, when trying to reset a password, you are often sent an email or text verification to ensure that you are the user attached to the account you are trying to access. Most of the time this is a string of four or five numbers. By confirming that you have access to the account’s attached email or phone number, the system is verifying that you are who you say you are. This category also includes SMS (Short Message Service) codes, the verification codes you receive by text message for authentication purposes. Some one-time passwords can even be pre-computed and saved in a secure location in case you ever need to authenticate but can’t receive new codes. This feature is particularly helpful if you find yourself having technical difficulties or without a signal to receive codes.
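As an added example (not part of cyberTAP's post), here is the system's side of the codes described above: a code sent out by email or SMS is kept only as a salted hash, expires, survives only a few wrong guesses, and works exactly once, and the same store hands out pre-computed backup codes that are each good once. The six-digit length, five-minute lifetime and five-attempt limit are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 6          # assumed: the post mentions four or five digits; six used here
CODE_TTL_SECONDS = 300   # assumed: a code sent by email/SMS is good for five minutes
MAX_ATTEMPTS = 5         # assumed: discard the code after five wrong guesses

def _digest(code, salt):
    # Store only a salted hash, so a leaked database does not expose live codes.
    return hashlib.sha256(salt + code.encode()).hexdigest()

class OtpStore:
    def __init__(self):
        self.pending = {}   # user -> {"hash", "salt", "expires", "attempts"}
        self.backup = {}    # user -> (salt, set of hashed single-use backup codes)

    def issue(self, user, now):
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self.pending[user] = {"hash": _digest(code, salt), "salt": salt,
                              "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        return code   # the only clear-text copy; this is what gets sent to the user

    def verify(self, user, code, now):
        rec = self.pending.get(user)
        if rec is None:
            return False
        if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]   # expired or being guessed: throw it away
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["hash"], _digest(code, rec["salt"]))
        if ok:
            del self.pending[user]   # a code that has worked once must never work again
        return ok

    def issue_backup_codes(self, user, count=8):
        salt = secrets.token_bytes(16)
        codes = [secrets.token_hex(4) for _ in range(count)]   # eight hex characters each
        self.backup[user] = (salt, {_digest(c, salt) for c in codes})
        return codes   # shown once; the user saves them for when no code can be received

    def verify_backup(self, user, code):
        salt, hashes = self.backup.get(user, (b"", set()))
        wanted = _digest(code, salt)
        if wanted not in hashes:
            return False
        hashes.remove(wanted)   # each pre-computed code is good exactly once
        return True
```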
Biometric
Biometric authentication is a physical confirmation of identity. The most common examples are the face recognition or thumbprint used to unlock your phone. However, while this is biometric, it is not multi-factor on its own, because it requires only one factor to log in. It would become multi-factor if you were asked for your password first, then your face. Other forms of biometric authentication include fingerprints, retinal scans, and voice recognition.
Authentication Apps
Authentication apps are an easy and fairly reliable way to verify the user. The process starts with a password step that then hands off to the authentication app on your phone. The authentication prompt includes the time, date, and location of the user trying to log into your account. You check that information and approve the login in the app. Many universities and workplaces, including Purdue University, use an authentication app because it is so straightforward and easy to access. Authentication apps are considered more secure than some one-time password implementations because of the risk of an email account being compromised, or of the SMS service to your phone being hijacked in an attack called SIM swapping.
Smartcard PINs
You have probably been using multi-factor authentication quite often without even realizing it. The PIN that your debit or credit card requires to make purchases can be a form of multi-factor authentication. First the system verifies your card and account information, then it asks for your card’s PIN to further ensure that the card’s owner is the one making the purchase.
Passkeys
Passkeys are a digital way to sign into a website or app without a password. They come in a variety of forms, but the most common include fingerprints, face recognition, and screen lock PINs. They are considered the most resistant to threat activity because they are inherently unique to you and your device. This option is both strong and easy to manage, but it can be tedious to set up and it eliminates password sharing. There are two types of passkeys, single-device and multi-device. Single-device passkeys are bound to one device, which means a passkey can only be verified on the device it was created on. Multi-device passkeys can be synced between devices for higher usability. Either way, if you have the option of using passkeys, you should take advantage of it.
Why MFA
Multi-factor authentication is a great way to further secure your account, beyond just a strong password. MFA mitigates risk further than a password alone is able to. Microsoft conducted a recent study that found that 99.99% of compromised accounts didn’t have MFA enabled. That number tells us just how effective MFA can be. If an app offers multi-factor, it's a good idea to go ahead and turn it on, especially if your account holds sensitive information like your credit card number or other personal data. You can typically find the option for multi-factor in your account settings. Here at cyberTAP we strongly recommend that you take a look at your multi-factor authentication options to better secure your personal data.