When you log in to your accounting software, bank website, a password tool, your CRM, Facebook, LogMeIn, or an Amazon account, you have a user name and password. From time to time, or when you’re on an unfamiliar computer, some of these sites also add some security questions to make sure it’s really you. So with all this security, why would anyone need Multi-Factor Authentication? So glad you asked.
Always good to start with a definition. Here’s what Wikipedia says:
“Multi-factor authentication is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence.”
Multi-Factor Authentication (MFA), also referred to as Two-Factor Authentication (2FA), comes down to a double-check that you are who you say you are. If your user name and password have been compromised (or shared), MFA requires a second confirmation of a different type, so the password alone is not enough to get in. There are three (3) types available, so any combination of two increases the level of security and safety.
Knowledge—This is where the security questions come in. You are asked specific questions in order to show you have the user’s knowledge. Unfortunately, hackers trawl Facebook and similar sites to ‘scrape’ this kind of info that many people freely share there: pet names, vacation spots, things like that. Also, if your credentials were compromised, information such as your father’s middle name may already be for sale and associated with your user logon. This one is still helpful, but insufficient all by itself.
Possession—This might take the form of a key fob that has been issued to you. The fob might receive a code that you need to enter. It could be a fob that is scanned at a security door. It could be an app that sends a code or a request straight to your cell phone for approval. It might be a text to your cell phone or a call to a previously approved phone number. In each case, the ‘real’ user has to be in possession of something specific in order to authenticate.
Inherence—Facial recognition on a cell phone has been around for a couple of years. You have to scan your face to unlock the phone. Have you heard of the Clear airport security program? They use a retinal scan to identify that it’s you, then walk you to the TSA person to get to the security screening. A growing number of laptops and security doors use fingerprint identification. These are more recent and open up new issues for businesses. One of the concerns is when staff leave the organization. If their company cell phone or company computer requires facial recognition or a fingerprint, how are you going to gain access to the equipment?
A few takeaways:
* In the real world, we have to take our skills of filtering sales calls and apply them to email requests. ‘Be cautious as serpents, yet innocent as doves,’ as the saying goes. There’s no room for naiveté or benefit-of-the-doubt. Be suspicious. Delete if unsure. Call the person to get clarity. Never send money anywhere just because you have an email request. Get serious about this!
* Resign yourself to the MFA/2FA reality—pick your poison when possible. If you have an option to send an authentication request to your phone or a separate key fob, you might choose your phone because you always have it with you (be sure you lock your phone!). If it has to go to an email address, be sure you haven’t shared the password with anyone else and that it’s a strong password. It’s the price of convenience, and it’s a small price to pay to protect your data.
BTW—As we move from our Hosted Exchange email to Microsoft 365, we will roll out MFA. Please keep this article handy. You might even consider sharing it with your team! —CMW