When you log on to a computer with your username and password, your password is a single factor used to authenticate you. But that’s not enough to be secure. Passwords can be guessed. Or, if you re-use a password on another site and that website gets compromised, then your hacked password will provide access to other sites. So requiring a second factor or even perhaps three factors to authenticate you is vital.
Definition of Multi-Factor Authentication
Multi-factor authentication (MFA) requires one factor, such as a password, to be combined with another factor such as a code texted to your mobile phone, or biometrics, such as your fingerprint or voiceprint identification or retina scan to gain access to your account. Multiple factors are generally: (a) something you know (password), (b) something you have (phone), or (c) something you are (biometrics).
Long passwords are still important even if MFA is enabled. A 20-character password can sound daunting, but if you use a phrase, multiple words that you might use together, that can be very strong, yet easy to remember. Computers can attempt ‘brute force’ to try to break into your account, which involves guessing. The longer your password is, the harder it is to guess, because a computer must try more combinations to guess your password.
But even a strong password can be compromised. You might go to a website that you think is legitimate, but it’s not. If you enter your password on such a site, now it has been compromised.
The general theme with strong security is layers — having multiple ways to authenticate you is important. There’s no such thing as perfect security, but stronger security generally means having multiple layers that a hacker must get through.
Protect Your Email Account
One of the most important accounts to protect is your email. Someone could hack into your Office 365 account and send mail as you and that would be bad. What is potentially even more damaging is what might happen to your other accounts. Remember that password reset procedures are often built around the concept of emailing you a link to reset your password. If someone has compromised your inbox, they might potentially reset passwords on all of your accounts!
With two-factor authentication (2FA) enabled on your email account, someone would generally need to have your phone to get into your email. With this extra step, even if your password is weak, your email is probably not going to get hacked. It is always best to have a strong password AND 2FA or MFA enabled, though.
If your phone is stolen, hopefully you have protection on your phone, such as a PIN and a fingerprint. Once again, it’s about layers. Be thoughtful about your risk management. Consider the likelihood of something happening and what the damage would be if it did. There is a higher likelihood of attacks that can be launched over the internet because such an attack (like logging into your email) can be automated. Take protective steps accordingly.
The Different Means of Two-Factor Authentication
Two-factor authentication can be accomplished by a text message to your phone. This is a solid approach. However, be aware there are ways that this can be spoofed. When someone fraudulently sends you an SMS text message that tries to get you to do something, that’s been called ‘smishing.’
For an even more secure approach, you can use an app on your phone or a physical key like YubiKey, which is a USB key you can keep on your key chain along with your house and car keys. Receiving a text message on your phone is easy and is reasonably secure, but taking it to the next step with an actual app on the phone or physical device makes it even stronger.
There are free and paid options for phone applications. Google Authenticator is probably the most popular free app. Microsoft Authenticator is another free app.
Two-Factor for Business Accounts
If you think you’re not a target because your firm is small, guess again. It is far more common for small firms to be breached than larger ones simply because there are more small firms out there. If you are using Office 365 or Google G Suite, require two-factor authentication for your employees to log in. You will not generally have to go through a two-factor process every time you access your account. However, if you are logging in for the first time from a different device, expect a second factor to be required. You want your systems to be sure that it is really you and not a hacker pretending to be you. MFA will require extra validation here and there, but the impact should be small. It is not something that’s going to change the way you or your employees live. What will change the way you live is if you get hacked. Then your life can get really turned upside down and it’s not a risk worth taking. With this in mind, MFA is a lot easier than you may think.
Use a Good Password Manager
Lastly, you are never supposed to reuse a password between multiple sites. You may ask yourself, “I’m a mere mortal, how can I possibly remember a different password for every site?” Don’t try to remember all these passwords. Use a password manager to remember your different passwords at different sites. There are many to choose from. Have a strong, long password to protect your password manager and, of course, require MFA.
A good password manager, with MFA to secure it, goes a long way toward protecting your accounts.