Last week, in honor of Cybersecurity Awareness Month, we talked about passwords/passphrases and highlighted what you can do to craft strong passphrases and how you can manage them. This week I want to show you how to build on that base and focus on what I feel is the most important thing YOU can do to secure your life online: implement and use multi-factor authentication (MFA). Doing so, on top of your newly christened veteran password crafting skills, will put you in a much more secure place online.
What is Multi-factor Authentication?
Let’s start by making sure we are all on the same page and define Multi-factor Authentication (MFA). I’ll save you the time and embarrassment from Googling it and getting the Urban Dictionary result—as Obi-wan would say: “This is not the MFA you are looking for.” Multi-factor authentication, sometimes referred to as two-factor authentication, is a technique that requires you as a user of a website, application, or security system to provide at least two factors to prove you are who you say you are.
So, what is a “factor” you ask? Great question! In short, think of a factor as a way to prove you are who you say you are. When we talk about MFA, we typically talk about three types of factors:
Something You Know
We talked extensively about this factor last week—your password—something you know. This could also be a PIN, like you use with a debit card, or an answer to a security question, like your favorite food or high school mascot. (Quick sidebar: Security questions are often prone to social engineering attacks. Instead of choosing the correct answer, it’s recommended you select an incorrect response. Everyone who knows me knows what my favorite food is, so that’s a bad security practice.)
This is the most used factor and one you will typically always use.
Something You Are
You have probably used this one too, even if you don’t work for the CIA or at a nuclear facility. Something you are refers to biometrics. This may be a fingerprint, retina scan, vocal match, the palm scan you may be used to at the doctor’s office, or the facial recognition many of us now use with our smartphones.
Something You Have
I’d wager this factor is one you have used before as well. How many of you have an access badge you scan to get into your office building (back when everyone went into the office)? That is something you have! It could also be a secure token that generates random numbers or an app on your phone that provides an approval prompt when you access a website or application.
Why is MFA important?
As I talked about last time, we are bad at passwords. Is it our fault? Yes and no. Can we be better than we are? Unequivocally yes, as we discussed last week. However, we are also beholden to an antiquated system and way of thinking about security, which has not kept up with the times. Eight-to-12-character passwords with a mix of letters and cases, character substitution, numbers and special characters are no longer sufficient. Most of the websites, applications, and companies we use online direct us into this path every day. Suffice to say, we can all do better.
Even if you have the best password in the world (which if you are wondering is MichaelIsAllowed2GolfEverydayWithoutException), it isn’t safe. As of June 2022, 24 billion usernames and passwords were exposed online. We aren’t just talking about your logins to websites and applications you use at work—these are services you use in your personal life as well. It is inevitable that a website or service you use will be compromised and your credentials could be exposed and usable to a hacker. I’d wager every one of you reading right now has already experienced this whether you know it or not. You can visit this website to check to see if you have.
It’s on the world’s IT teams to design, implement, and integrate better authentication systems to catch up to where we need to be. In the meantime, our best line of defense to secure our lives online is to control what we can (e.g. our password creation) and implement MFA everywhere we are able. By doing so, you can limit a hacker’s ability to use your credentials if they are able to obtain them.
What would that actually look like? Let’s look at a quick, simple scenario.
Let’s say your Microsoft Office 365 credentials are exposed. Without MFA in place a hacker could access your Office 365 account just by entering in your username and password.
However, with MFA in place, when the hacker goes to utilize the compromised username and password they are presented with another hurdle: a second authentication factor, in this case the Microsoft Authenticator App icon pictured (something you have). This should be something that the hacker doesn’t have.
The hacker would be unable to access the account. In fact, Microsoft has said that 99.9% of account compromise cases they deal with could have been blocked by an MFA solution.
What you can do:
- Utilize an MFA/Two-Factor app
  - Not all MFA solutions are created equal. If given the choice, I would recommend you utilize an MFA application on your smartphone like Duo Mobile, Google Authenticator, or Microsoft Authenticator. These are a more secure option than text messaging, phone calls, or especially email.
  - Your phone can help satisfy the “something you have” (the phone and app integration) and “something you are” (facial recognition) with one of these authenticator apps.
- Turn on MFA for your email accounts
  - In your personal life, your email account is the home run for hackers. Think about how you reset a password if you forget it. The request goes to your email address most of the time, doesn’t it? If a hacker can get your email address, they can make your life painful very quickly.
- Turn on any MFA that supports your payment information
  - Have you ever had to deal with fraud on your debit or credit card? Even though there are consumer fraud protections in place, it is still difficult to deal with. Employing an MFA solution on payments may be tedious, but it offers you additional protections. It is even more troublesome for a hacker!
- Educate yourself
  - Pay attention to when you should be getting an authentication prompt. If you are not actively logging into a website or application and you are receiving an MFA prompt, guess what? Something isn’t right.
  - Never approve an authentication prompt if you aren’t actively logging in.
I hope this information and these tips are helpful for you. If you aren’t already doing some of these things, please look into implementing them to help better protect your digital life. We may not be living in Zuckerberg’s Metaverse yet, but we are certainly living in a digital world and we need to do everything we can to protect ourselves.
Next week we will shed some light on how hackers try to steal our information and credentials, and how they succeed. We’ll also discuss social engineering and how we can continue to better protect ourselves and “See Ourselves in Cyber.”
About Sharonview Federal Credit Union
Sharonview Federal Credit Union, voted in 2018 the No.1 credit union in South Carolina by Forbes, is headquartered in Fort Mill, South Carolina, and has been serving its members since 1955. Today, Sharonview serves over 100,000 members nationwide, has assets totaling more than $1.7 billion and operates 19 branches in North Carolina, South Carolina and New Jersey. It is also ranked as one of the top 200 credit unions in the country, proving its dedication to providing its members with a full array of value-added financial services, all of which are backed by the United States government and federally insured by the National Credit Union Administration. Sharonview currently stands above the crowd in delivering the personal touch, providing loans with fewer restrictions, flexible terms and lower rates. For over 60 years, Sharonview has promised exceptional value and delivered financial services members can trust. With us, it’s personal.