Multi-Factor Authentication and why it’s important; even more than you think.
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA), also known as 2-Factor Authentication (2FA) from before more than two factors were common, is the concept of requiring more than just a username and a secret (your password) when you log in.
Typical examples are receiving a text message or using an app on your phone to receive a special code during login.
Why do we need it?
Essentially, it protects your account from the flaws of passwords by adding layers and complexity to the security of your accounts.
The Flaws of Passwords
While it may seem the password has served as a trusty form of authentication since its inception within computing circa 1960 [1], in reality it outlived its purpose on day two. Password authentication comes with a range of human and computing problems such as:
- Simple passwords are easy to crack, but complicated passwords are hard to remember!
- Passwords are leaked in data breaches all the time, and even when stored hashed rather than in plain text there is a risk they will be cracked given enough time.
- Network interception can leak passwords in transit.
- Software vulnerabilities can expose passwords during login or even bypass them entirely.
- Passwords expose us to human error, like writing them down or sharing them with other people.
In contrast, MFA methods are designed so that they can’t be stolen beforehand and can’t be re-used afterwards. A typical authenticator app will change codes every 30 seconds.
These characteristics make stealing your account credentials much more difficult. MFA is all about adding layers of security. With a password alone, all an attacker needs is your public username or email address and your secret password. With MFA, an attacker suddenly also needs to steal your phone or token or clone your SIM card: all actions that increase the complexity of an attack, exposing the attacker to risks and expenses that will hopefully deter them.
No authentication method is bullet-proof, but by combining them you create a wall that’s exponentially more difficult to scale.
The flaws of password resets
You might be thinking to yourself:
I’m savvy, I use a password wallet. All of my passwords are unique and ridiculously long. There’s no chance someone’s going to guess it.
Unfortunately, it’s not always your fault. You need to consider one of the primary weaknesses of every password: its ability to be reset.
Most online accounts follow a fairly reasonable scenario of allowing you to change your password by sending an email. So, what happens if your email account is compromised?
Before you know it, none of your account passwords work and your mother is calling to ask about this strange email you just sent her.
Your email account can be compromised for a range of reasons that aren’t your fault, and that you realistically had no chance to prevent, such as:
- The email provider’s password database is leaked. [2][3]
- An exploit allows anyone to reset passwords on your behalf. [4]
- Someone harvested enough data about you online to guess your Security Questions.
If nothing else, you should protect your email with MFA, to protect all of your other accounts from yourself.
[1] https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
[2] https://money.cnn.com/2014/09/10/technology/security/gmail-hack/index.html
[3] https://finance.yahoo.com/news/yahoo-confirms-massive-data-breach-001200853.html
[4] https://www.securityweek.com/gitlab-patches-critical-password-reset-vulnerability/