What is MFA?
Multi-factor authentication (MFA), or two-factor authentication (2FA), is simply more than a password. It is a security method of proving to a site or piece of software that you are an individual who has the authority to access an account. According to the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency, implementing MFA can make you 99% less likely to be hacked than relying on a single sign-in method.
The most common forms of MFA are knowledge, possession, and biometrics. In other words, something you know, something you have, or something that is a part of you.
Knowledge as an MFA Method
Knowledge as an MFA method is something you know, such as a passcode or PIN. Passcodes should be complex and stored in a password manager app rather than in a computer document, a web browser password vault, or in print. Of course, we recommend complex passwords that are at least fourteen characters long. Check out Microsoft’s recommendations for creating passwords.
Possession as an MFA Method
Possession as an MFA method is something you have. Having a smartphone or key fob with a changing code is an example of how possession serves as a layer of MFA. Using an authenticator app creates a random six-digit code or pushes a notification requiring the user’s approval. A criminal may be able to get your password, but with MFA set up they would also need to have access to your smartphone.
An example of using multi-factor authentication is arriving at work and sitting down at your desk. To start working, you must first log in with your password. After you enter the correct password, a push notification is sent to your authenticator app. You must then accept the push notification so your computer can be unlocked.
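In the widely used TOTP scheme (RFC 6238), the six-digit code an authenticator app shows is derived from a secret shared at enrollment and the current time, which is how the server can check it. The sketch below is an added example, not part of the original article; the function names are illustrative and the secret is the RFC's published test value, not a real one.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII). A real secret is random and is
# shared once at enrollment, typically through a QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second time step that contains unix_time."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret: bytes, submitted: str, unix_time: float,
           step: int = 30, drift_steps: int = 1) -> bool:
    """Server-side check that tolerates +/- drift_steps of clock skew."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False  # reject anything that is not plain digits
    current = int(unix_time) // step
    ok = False
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        # Constant-time compare, no early exit: timing does not reveal
        # which time step (if any) matched.
        ok |= hmac.compare_digest(hotp(secret, counter), submitted)
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    print("accepted now:", verify(RFC_TEST_SECRET, code, now))
    print("accepted 5 minutes later:", verify(RFC_TEST_SECRET, code, now + 300))
```

Because a code is only accepted within a short window around its time step, a code captured by someone else stops working after about a minute.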
MFA to Prevent Cyber Attacks
One example of how MFA helps stop criminal hackers is a criminal attempting to gain access to your email account. The criminal has been able to acquire your password. However, because your MSP (Managed Service Provider, or IT provider) has set up MFA, you receive a text message with a code to sign in. Because MFA is set up, you know someone is trying to hack into your account, and you notify your IT company of the attempted login immediately. From there, your IT company can look further into the issue and take additional steps to secure your account. If you did not expect an MFA notification, contact your IT company immediately.
Biometrics as an MFA Method
Biometrics (or inherence) as an MFA method uses something that is a part of who you are. Your individual fingerprint, voice recognition, retinal recognition, and facial recognition are all examples of biometrics. The most common biometric is the fingerprint, as iPhone users commonly use fingerprints to unlock their devices throughout the day.
Biometrics is more convenient than a password, as it is a part of your DNA and therefore always with you. While it may be challenging for a criminal to obtain your biometrics, it technically isn’t impossible. For most of us, the most likely scenario for biometrics being used without your consent is your child picking up your phone and the phone recognizing your face and unlocking.
MFA Government Recommendations
MFA is highly encouraged; the United States government now requires MFA to be used for all federal agency staff.
Criminals know MFA is becoming the new standard, and they are looking for ways to get around it. Be wary of sites asking for your password and MFA. If you are not expecting to enter this information, do not do so, and alert your Cyber Security provider. Also, if your smartphone goes into SOS mode while you are in a good service area, reboot your phone. If it is still in SOS mode afterward, a criminal may have ported your number to a new phone. They do this to bypass text message MFA. Alert your cell phone company and Cyber Security provider immediately.
To learn more about the importance of MFA, watch a video by CISA Director Jen Easterly discussing why MFA is essential for individuals and companies.
Additionally, our techs at 4BIS Cyber Security use MFA on a daily basis and are well versed in how MFA works. If you are not using MFA in your office setting, contact us. We would love to discuss what security strategies would work best for your company. MFA is just a part of a larger Cyber Security posture. There is no single method to fight cyber-crime. It takes a layered approach.