
Multi-factor Authentication


Here we are at the beginning of 2020, and users and organizations still don't understand the importance of multi-factor authentication or the risks of neglecting to implement it. The reasons are many: improperly trained IT staff, application limitations, laziness, user experience, and so on. I'm not going to list them all, because if I did I would never finish this article.

What Is Multi-Factor Authentication?

Let's start by defining multi-factor authentication (MFA). MFA requires at least two of the following three factors to authenticate to an application or service: something you know, something you are, or something you have. Something you know is a password or PIN (the username identifies the account but is not a secret, so it does not count as a factor). Something you are is typically a biometric (fingerprint, palm, iris, or retina). Something you have is a hardware token, or a mobile application that serves the same purpose. Two items of the same type, such as a password plus a security question, are not MFA. There is a plethora of solutions for the something-you-have category: hardware key fobs, Duo, Authy, AuthPoint, Microsoft Authenticator, Google Authenticator, and some applications or services offer codes by text message. I'm not a fan of text messaging, since SMS codes can be intercepted by SIM swapping or captured by a phishing page that relays them to the real site, but it's better than nothing.

Why Use MFA?

MFA adds a step to logging into an application or service. Even if something you know (the password) is compromised, the threat actor is unlikely to also hold the something-you-are or something-you-have component needed to complete authentication. This is critical to ensuring that only the authorized user accesses the application or service. There are still ways you can be compromised, such as a phishing page that relays your one-time code to the real site in real time, or repeated push notifications sent until you tap approve, but the probability of compromise is significantly reduced when MFA is enabled.
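To make the something-you-have factor concrete, here is an added example (not code from the original post) of how the time-based one-time codes used by Google Authenticator, Microsoft Authenticator, Authy and similar apps are generated (RFC 4226 HOTP under RFC 6238 TOTP) and how a server checks them alongside the password. The `Account` and `login` names, the issuer and account strings, and the password are hypothetical; the seed is the published RFC test seed. It shows the two points above: a stolen password alone does not pass `login`, and a code that has already been used is rejected even inside the clock-drift window.

```python
import base64
import hashlib
import hmac
import secrets
import struct

DIGITS = 6      # code length used by the common authenticator apps
STEP = 30       # seconds per time step (RFC 6238 default)
DRIFT = 1       # accept one step either side of "now" to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app scans (usually as a QR code) at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


class Account:
    """Hypothetical server-side record: a salted password hash plus the shared TOTP seed."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret
        self.last_step = -1   # highest time step already accepted (replay guard)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def check_totp(self, code: str, now: int) -> bool:
        """Accept a code for the current step or DRIFT steps either side, once only."""
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        current = now // STEP
        for step in range(current - DRIFT, current + DRIFT + 1):
            if step <= self.last_step:
                continue     # that step (or an earlier one) was already consumed: reject replays
            if hmac.compare_digest(hotp(self.totp_secret, step), code):
                self.last_step = step
                return True
        return False


def login(acct: Account, password: str, code: str, now: int) -> bool:
    """Both factors must pass; a stolen password alone never gets in."""
    return acct.check_password(password) and acct.check_totp(code, now)


if __name__ == "__main__":
    # Constructed demo data: the RFC 4226/6238 test seed and a made-up password.
    seed = b"12345678901234567890"
    pw = "correct horse battery staple"
    acct = Account(pw, seed)
    print(provisioning_uri(seed, "alice@example.com", "ExampleCorp"))
    code = totp(seed, 59)                                   # what the user's app shows at t=59
    print("password + code:", login(acct, pw, code, 59))    # True
    print("same code again:", login(acct, pw, code, 59))    # False: replay
    print("stolen password, guessed code:", login(acct, pw, "000000", 59))  # False
```

The replay guard (`last_step`) is what RFC 6238 asks verifiers to do: a code is good for one use, so a phishing proxy that captured it a minute ago cannot present it again. Note that the guard does nothing against a proxy that forwards the code immediately, which is why phishing-resistant hardware keys are preferred where available.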

What Else Can You Do?

The best thing you can do for yourself is enable MFA on every account that supports it. I'm regularly surprised by the number of applications and services that still do not support it.

The next best thing is to not reuse the same credentials across applications and services. When reused credentials are compromised, every account that shares them is affected, and you may not be able to remediate all of them before damage is done; that could include banking, social media, and business applications. A password manager is the practical way to keep credentials unique.

You can also sign up for a credential monitoring service. These services are inexpensive and work by you providing the email addresses you want monitored; they watch the darker parts of the internet for those addresses and alert you when they appear, so you can change the affected passwords in a timely manner.

Lastly, remember that credentials are the number one most targeted item by threat actors. There's no need to hack anything when you can find the keys to the front door and walk right in.

Final Thoughts

Don't trust a third party to keep your credentials safe. Breaches of major companies that expose credentials are in the news almost weekly. Do what you can to protect yourself and YOUR data. Take cyber security seriously and keep it at the forefront of your mind, because everyone is susceptible to these threats. Lastly, ignorance is not an excuse in the age of information.

If you're still here, thank you for reading. P.S. – MFA can also be implemented to protect logons to systems themselves (workstation, server, and remote-access logons), not just web applications.

Author – Todd Painter, CISSP