It’s a fact. Ignoring Two-Factor Authentication Is A Simple Mistake.
A large number of people and businesses are missing out on a simple, effective online security solution by ignoring two-factor authentication (2FA/MFA). Two-Factor Authentication, also commonly known as Multi-Factor Authentication, is a very simple yet effective protection process. The only requirement is to enter a code or press a button on a separate device from the one being used, yet for many, that effort seems too great. The small amount of effort you need to put in to understand 2FA authenticators will save you huge security headaches down the line. There are many simple options for setting up MFA. Google has tried its hardest to make it as simple as possible for anyone and everyone to use. Most of the time, all you have to do is scan a QR code and you’re set.
Why Reducing Risk Gets Ignored
With the current trend towards usability, the idea of having to learn something new when a system already seemingly works is a major stumbling block. Digital security measures such as 2FA apps or encryption software that stand in the way of hackers and other criminals are never absolute and cannot guarantee 100% safety, but what they can do is help people and organizations ensure all reasonable steps have been taken to safeguard the privacy of confidential information. Implementing two-factor authentication adds an additional, less crackable layer of security.
Understandably, many people see MFA as more of an inconvenience than a necessity. Yeah, it’s another step to do to log in, but with the increase of cyberattacks, identity theft, and ransomware attacks, it’s a no-brainer. Taking the extra three seconds could literally save you from all of those potential risks.
How Do I Implement MFA?
Start by looking at the security settings on your most-used accounts. You may see options to enable MFA listed as “Two Factor Authentication,” “Multi-Factor Authentication,” or “Two Step Factor Authentication.”
There are many ways you may be asked to provide a second form of authentication:
- Text Message (SMS) or Email: Every time you log in to an account, you’ll be asked to provide a code sent to you by text message or email. Of note, this is actually the weakest form of MFA and you should only use it if none of the other options is available.
- Authenticator App: An authenticator app is an app that generates MFA login codes on your phone. When prompted for your MFA code, you launch the app and read the applicable number. These codes often expire every 30 or 60 seconds.
- Push notification: Instead of using a numeric code, the service “pushes” a request to your phone to ask if it should let you in. You see a pop-up and can confirm the login request, or deny it if you were not initiating the authentication request.
- FIDO Key: FIDO stands for “Fast IDentity Online” and is considered the gold standard of multi-factor authentication. The FIDO protocol is built into all major browsers and phones. It can use secure biometric authentication mechanisms – like facial recognition, a fingerprint, or voice recognition – and is built on a foundation of strong cryptography. Often it uses a physical device – a key – essentially an encrypted version of a key to your house.
Why Should Your Organization Enable MFA?
Implementing MFA makes it more difficult for a threat actor to gain access to information systems, such as remote access technology, email, and billing systems, even if passwords are compromised through phishing attacks or other means.
Adversaries are increasingly capable of guessing or harvesting passwords to gain illicit access. Password cracking techniques are becoming more sophisticated and high-powered computing is increasingly affordable. In addition, adversaries harvest credentials through phishing emails or by identifying passwords reused from other systems. MFA adds strong protection against account takeover by greatly increasing the level of difficulty for adversaries.
Are you an organization that needs help getting started implementing MFA? Here’s a guide provided by cisa.gov.
Winsor Consulting Group requires MFA on all of our devices. It is also something we help businesses like yours implement and utilize to ensure maximum security. Reach out to our team to learn more!