Give Cyber Threats a One-Two Punch

In recent years, many of us have become so accustomed to the ever-present threat of internet gangsters that we sometimes take our security less seriously. Convenience is sometimes prioritized over protection, but this is a mistake. I’ve personally had my identity stolen, and I can testify that it’s a certifiable mess when it happens. Heed Gandalf’s advice and keep those passwords secret and safe. Enhancing your personal online security is fairly simple to accomplish and absolutely worth it.

  1. Create super-secret, complex passwords 
  2. Use hard-to-crack security questions 
  3. Utilize multi-factor authentication whenever available 

Luckily, many companies make the decision to implement MFA for you, and you must authenticate your identity to access your accounts.  

Multi-factor authentication is a wonderful tool with a few different names [1]. The most common names beyond multi-factor authentication (MFA) are two-step authentication and two-factor authentication. All three of these mean the same thing—a two-step process for verifying your identity when logging into your account. Utilizing MFA is a key step to staying safe online. In fact, MFAs play such a pivotal role in online security that federal agencies have been directed “to focus on adopting MFA,” according to Jen Easterly, the director of the Cybersecurity & Infrastructure Security Agency (CISA) [2].

How Does Multi-Factor Authentication Work? 

When you log into your online accounts, you may have noticed that the process has evolved beyond simply entering your password. The first time I encountered multi-factor authentication, I thought it was a little annoying. I just wanted to log into my account and not complete a series of questions and tasks that felt like a test rather than a security measure. It’s hard enough for me to keep up with my ever-changing passwords, but a separate app? A face scan when I’m wearing my glasses or worse when I’m not wearing any makeup and my phone thinks I’m a different person? No thanks, I thought. What does this even do? 

Turns out, multi-factor authentication is one of the tools employed to keep customers safer by security teams like our fantastic team at TitleMax. “Authentication” is just another way to say “verify” or “confirm.” When you authenticate your identity, you’re confirming, or verifying, that you are the user and not a bad actor trying to hack your account. MFAs require at least two forms of authentication. Typically, this is a password plus an authentication code, fingerprint, or face ID [1]. While it may feel a little frustrating to spend a few extra moments proving that it really is you trying to log into your accounts, in the long run those minutes can save you hours of headaches, and in some instances hundreds or even thousands of dollars.

Two common MFA examples are: 

  • SMS, Phone Call, or Email Delivery—codes are either sent by text or via phone call to help customers verify their identities 
  • Third Party Applications—utilize a third-party application that will generate a code which can be entered to confirm your identity. 

Security experts agree that opting into multi-factor authentication, when possible, is a viable way to enhance protection for your identity and personal information. If you already consider yourself cyber savvy, you may be asking, “OK, but what about phishing? Can the bad actors (internet actors, not the ones you met in your acting class) hack my phone or email to get these codes?” Phishing-resistant MFAs have entered the chat room, and they’d like a word with the cybercriminals.

What is a Phishing-Resistant MFA?

Phishing is a social engineering tactic used by cybercriminals to gain access to the information needed to hack your accounts. Like wildlife fishing, bad actors use bait—such as impersonating an IT professional—to extract the info needed to gain access to your passwords and even bypass MFA security measures. The Cybersecurity & Infrastructure Security Agency (CISA.gov) considers phishing-resistant MFAs to be the best of the best [1]. Currently, not everyone is implementing this type of MFA, but it seems the future of MFAs is likely phishing resistant.

Successful phishing can result in an attacker gaining entry to your most personal information and accounts by gaining access to not just your password but your MFA code. Phishing-resistant MFAs were created to sidestep this danger by utilizing harder-to-crack authentication methods such as FIDO security keys and smartcards [3]. Think of these as harder-to-beat, sophisticated MFAs. Larger organizations are utilizing FIDO security keys more frequently. The harder it is for the bad actors on the internet to access private information and systems, the better.

When should MFAs be enabled? 

MFAs are available for most sensitive account types such as banking or money-related accounts, social media accounts, and some streaming platforms. When in doubt, ask! If you are regularly logging into an account that does not currently ask for a second step for authenticating your identity, reach out to the company if you can’t find the answer on their website. Ask about enabling an MFA for your account to help keep you protected [1].

Cyber criminals are savvy, and their methods are becoming increasingly sophisticated, so play defense to protect yourself. Social media, unfortunately, gives criminals a lot of information about us that can be used to hack into our accounts. We’re all too familiar with the frustration of coming up with passwords that aren’t easy to guess. MFAs help relieve some of that pressure by creating an extra line of defense beyond a password that might be easily guessed by a criminal researching us online. Your dog’s name plus the year you were born can be easily guessed, but adding an MFA makes it that much harder to hack your account. 

Are MFAs Optional? 

Sometimes, yes, but many companies now require multi-factor authentication. When the option is given, it’s important to remember that choosing to utilize multi-factor authentication can provide an extra layer of protection. Some companies will not allow you to opt out of MFA, which, frankly, is a good thing. Yes, taking a few extra moments to verify your identity can be a little bit of a hassle, especially for those of us who grew up in a world where cyberspace was new territory. We were pioneers! Quite literally for those of us who played Oregon Trail on green screen computers in the corner of our history class, huddled around whoever got to “press the buttons,” squealing with delight every time we forged a river. The hassle of an MFA is similarly worth it, so forge ahead. Unlike playing Oregon Trail and losing players to mysterious disease, we know exactly what causes malware infections and opens us up to internet hackers: lack of digital security. Since MFAs are paramount to enhancing internet security, for me, signing up is a no-brainer. We can beat cybercriminals by playing defense every time we go online.

Sources: 

1. Cybersecurity & Infrastructure Security Agency. More than a Password. Retrieved from: https://www.cisa.gov/MFA

2. Easterly, Jen (2022, Oct 18). Next Level MFA: FIDO Authentication. Retrieved from: https://www.cisa.gov/news-events/news/next-level-mfa-fido-authentication

3. Lord, Bob (2023, Apr 12). Phishing Resistant MFA is Key to Peace of Mind. Retrieved from: https://www.cisa.gov/news-events/news/phishing-resistant-mfa-key-peace-mind