A few weeks ago I posted an article about password vigilance and why it’s important to maintain a healthy portfolio of different, complex passwords for your various accounts. That way, if one system is hacked and its usernames and passwords are stolen, only that system’s data is at risk. In the event of a compromised password you simply change it and don’t have to worry about other accounts that happen to share the same username or e-mail address. Update the account and your password manager. Case closed. Move on.
I also mentioned that you should use two-factor authentication wherever an application offers it. But why? What does a second factor offer that a complex password does not? In a nutshell: proof through more than one independent channel. A password is a single barrier between an intruder and your data, and it can be phished, guessed, or lifted from a breached database without you ever knowing. A second (or third, fourth, etc.) factor requires the requester to also prove possession of something they have (a token or phone) or something they are (a fingerprint), so a stolen password on its own is no longer enough to get in.
Multi-Factor Authentication (MFA; the common two-factor case is usually called 2FA) has become common enough that most enterprise cloud solutions and personal social media sites now support it. Go ahead and pause reading this and enable it on all of your accounts right now, because it is THAT important. Go ahead. I’ll wait.
MFA comes in several flavors. The easiest and least expensive for developers to implement and support is a set of additional questions that the user must answer in addition to the usual username/password combo. Some sites have convoluted designs where you enter your username and are then prompted with a passphrase or an image and must submit a matching response. Be aware of what this actually is, though: a security question is a second “something you know”, not a genuinely independent factor, and answers such as your mother’s maiden name are often discoverable from public records or social media. Treat it as a weak add-on rather than a substitute for a real second factor. As security professionals we encourage you to not answer questions about your high school mascot or the street you grew up on with legitimate answers. Just like passwords, these responses should be long, random strings (and managed within the aforementioned password manager).
Many businesses leverage a physical token system for managing access to VPN into their networks. These tokens display a short one-time code that changes every 30 or 60 seconds. The code is not random: it is computed from a secret shared between the token and the authentication server, combined with the current time (or an event counter), so the server can recompute the same code for that user and compare. Because the secret never leaves the token and the code expires quickly, a code captured by an attacker is useless moments later. These services are not cheap and require a dedicated IT team for provisioning, replacement, and clock-drift support. Another form of physical key is the plug-in device (usually a USB token, although I’ve seen legacy systems that used RS-232 as the bus-du-jour). I’ve seen these used heavily in the CAD and media industries. Those particular dongles have fallen out of popularity because suitable software “cracks” can be developed: the application checks for the dongle locally, so patching the application to skip the check negates the need for the physical device and destroys its value. That is a licensing-protection failure rather than an authentication one. When the server, not the client application, makes the access decision based on a response only the key can produce, there is no local check to patch out.
Recently there has been a rise in biometric scanners in our mobile tech. These solutions mostly leverage fingerprints, since they are hard to share or guess and it is only natural to use your hand because you are already holding the device. The tech is coming down in price, which makes it an attractive option for big tech companies given the current push for personal security. If your phone supports it, set it up and use it. I will caveat this by saying that in the event you are compelled by the authorities to unlock your phone, technically you don’t have to provide your memorized passcode, however if you have biometric authentication enabled you can be forced to authenticate physically. There are some gray areas in the law around this (and I’m certainly NOT a lawyer), but if you are really concerned, don’t enable it.
This only scratches the surface of MFA and really doesn’t get into the technical nitty-gritty of how it works. If there is one thing to take away from this article, it is that MFA exists to give those with a strong reason to protect access to a system a way to demand more than one kind of proof from a requester: not just something they know, but something they hold or something they are. This is not trivial, and if you are given the option to enable MFA, DO IT! Thank the system owner, because they take security seriously enough to invest in this technology for their protection and yours. Maybe even give them a hug for their efforts.