No doubt you’ve seen, heard of and used Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA), sometimes without realising what it is or what it’s doing for you.
Last month’s article looked at passwords and how to make them secure. Building on that, this month we consider authentication more generally, and how you can prove who you are more convincingly when logging into websites.
Have you ever logged into your bank (or another website) and they send you a text message with a code? This is known as ‘Multi-Factor Authentication’. Let’s explore these factors…
We all know that when logging in to a website (or service) you typically have a username and password. Your username is something unique to you, and it is how the service identifies which information relates to you. For example, you log into your bank and it shows you YOUR accounts; you log into eBay and it shows you YOUR watch list and orders. Your username can be random numbers and letters, but most commonly on the internet it’s your email address.
In our Secure Password article, we touched on the importance of securing your email account above all others, because more often than not, your email address is your username, and it’s a method used to reset your passwords should you forget them. Yet, interestingly, we send our username to people multiple times a day/week when we send emails. How many of you will have multiple email accounts? Do you segregate your accounts for different uses/purposes? Probably not. I’m not suggesting you do, but just be mindful of the fact that if someone wanted to guess your Amazon account details, they already know half of the information – your email address, so it adds extra importance to the security of your password.
Now, these factors of authentication are typically split into three categories:
– Something You Know
– Something You Have
– Something You Are
Something You Know
This will typically be your password. It’s a combination of words, potentially with numbers and symbols, and only you know it (you hope). I’m sure you already know that you shouldn’t tell people your password, because if you did, they could now log in and pretend to be you. Additionally, criminals are trying to guess people’s passwords, or trying to encourage you to give them your password by creating fake websites, dodgy emails etc. (more on this in another article).
Something You Have
There are a lot of things you can ‘have’ which can be used as another factor of proving yourself. Traditionally, this would have been a phone call to your number, or a text message sent with a code. In businesses you were often given a hardware token of some sort: you pressed a button and it gave you a code, which changed every 30 seconds. More commonly now, we see Authenticator Apps for your smartphone, which generate a new code every 30 seconds. Some smartphone apps use push notifications which, rather than generating a code, simply ask you to select ‘Approve’ on your phone or to tap the correct number.
Something You Are
This sounds a bit strange?!?! Again, this is probably something you’ve used many times in the past without thinking about it. This category includes biometric data, so, things like fingerprints, facial recognition, iris recognition – something that identifies you as you in the physical/biological world. Can you think of a better way to prove you are who you say you are?
We’ve explored the three factors of authentication. So, what does 2FA or MFA mean?
Quite simply, this is where you use more than one factor to prove yourself. A secure password is great, but what if it is guessed, what do you do then?
What if, every time you log in somewhere, you enter your password as the first step, then you get a text message/one-time code sent to your personal phone. It’s highly unlikely that any criminal trying to log in as you has stolen your phone also, unless you were the target of a very specific attack.
The industry’s thinking on passwords is changing: having a secure password (although still important) becomes slightly less critical IF (big IF) you also have MFA enabled. If your password were ‘abcd’ (very weak indeed) but after entering it you also had to scan your fingerprint every time, then the password on its own isn’t as critical; it is just one of the ways you prove you have the credentials to access whatever you are trying to access.
There’s one other thing we need to consider, and that is convenience. It isn’t very convenient to enter a password and then a code every time you log into a website. Typically, websites will offer to ‘remember you’ or ‘remember this browser’ for a set period, so that as long as you log into that website on the same computer, using the same browser, from the same place, you only need to complete MFA once every 30 days (for example). If you usually log in from Manchester, UK, and one day log in from Paris, France, it will likely prompt you for MFA because that is an unusual place for you to log in from, so it wants to double-check that it is still you.
Implement MFA wherever you can, especially on important accounts that hold personal information about you, credit/debit card information, shopping websites etc. This helps to protect you if your password is ever guessed/hacked. Don’t rely solely on MFA to protect you though. If you get an MFA request that you did not initiate, it’s because someone is trying to log in as you, and it’s likely that they already have your password, so change your password immediately and keep your security levels as high as you can.