Password security is one of the most fundamental steps to an effective end-user security policy. However, over the years, advice on how to keep passwords (and access to them) secure has undergone several revisions and updates, which has left people and businesses confused as to best practices. We are going to look at the latest recommendations and understand a core component of the new “password paradigm,” namely Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).
Back when I was in high school, around 20 years ago, everyone in the tech industry thought a good password was complicated, contained not only letters and numbers but also symbols, and didn’t spell anything obvious. Basically, the adage was to make your password so hard not even you can remember it.
How many times did this backfire on me? How many times did I have to hit that password reset button and force myself to come up with something else? How many of you have a spreadsheet on your desktop where you’ve pasted all these passwords in an effort to keep track of them? Do you have a secure password to unlock your computer? How about to open the spreadsheet to read your passwords?
When a single password is all that protects each login, your passwords are only as secure as the weakest link in how you store them. It doesn’t matter how varied and complex the passwords are if the list of them is easy to find, whether on your PC or on a sheet of paper in your home. While experts always recommended having a separate, unique password for each login you create, most people ended up using the same password for pretty much everything. As you can imagine, the problem here is that if someone found out that one password, they would be able to access everything. Not good.
There has been so much fear driven into people around the concept of password security; most of us ended up just sticking our heads in the sand and hoping no one stole our passwords. That was my parents, that was my coworkers, and, yes, that was me.
That was also in the day where we had only one internet-connected device: the computer. These days, almost everyone has at least two devices: a smartphone and another device (tablet, laptop, desktop, smart-TV, etc.). Some of these devices also have fancy biometric technology, such as face or fingerprint scanners built in.
As such, our ability to prove our identity has improved significantly, and experts have updated their password security recommendations. Authentication methods are now divided into three main categories: 1) something you “know” (a password or PIN); 2) something you “have” (a phone, a hardware key); and 3) something you “are” (a fingerprint, your face). An attacker who steals one of these, say a password captured by phishing or leaked in a breach, rarely has the others as well, so experts now recommend using at least two of them to authenticate; hence 2FA, or Two-Factor Authentication.
Multi-Factor Authentication (MFA) is the industry term that means just that: using more than one of these three categories to prove your identity. When you call your bank and they ask you for the last 4 of your Social Security number, they are treating the phone number you’re calling from as something you “have” and testing it against something you “know,” the Social Security digits you provided. If one of these two doesn’t match what they have on file, then it’s not enough for them to verify your identity (or at least it shouldn’t be). Neither is a strong factor on its own, since caller ID can be spoofed and partial Social Security numbers have leaked in many breaches, but the example illustrates the idea.
What you “are” comes into play these days primarily with biometrics (fingerprints, face scans, etc.). MFA in this instance is used mostly when setting up the biometric login function, in that you would use methods from the other two categories to prove that the face or fingerprint being enrolled does in fact belong to the person logging in. Once it’s set up, the biometric usually unlocks the device on its own, but it is really standing in for the device PIN: the device itself is the thing you “have,” and the PIN remains the fallback. Keep in mind that a biometric is not a secret and cannot be changed if it is copied, so it is a convenience factor, not a replacement for the other two.
When it comes to web logins, MFA has developed into a fairly streamlined, if not always obvious, process. You put in your password (what you “know”), then a box comes up asking for a code (what you “have”). Sometimes this code is sent to your phone in a text message or in an email; sometimes you have to download a specific authenticator app. The app does not talk to the website after setup: it shares a secret with the site once, and from then on both sides compute the same short-lived code from that secret and the current time, producing a new code every 30 seconds or so. Codes sent by text message or email are better than nothing, but they are the weakest form of the “have” factor, since phone numbers can be hijacked (SIM swapping) and an email account is itself only password-protected.
Configuring these authentication apps can be somewhat confusing, but they generally break down into a few basic steps when you are enrolling with a website that requires MFA: 1) download the app onto your device, say your smartphone, and log in if necessary; 2) use the app to scan the QR code displayed on the screen (the QR code carries the shared secret); 3) enter the code that appears on your phone onto the page on your computer to prove the scan worked; and 4) save the backup (recovery) codes most sites offer at this point somewhere safe and separate from the phone. Once this is set up, the next time you sign into the website you just open the app on your phone and the code is there waiting for you.
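As an added example (not code from the original article), here is how the app and the website both arrive at the same six-digit code from the secret carried in the QR code, in Python. The HOTP/TOTP algorithm (RFC 4226 and RFC 6238, HMAC-SHA1, 30-second steps) is the real one that authenticator apps use; the `otpauth://` URI is the de facto format those apps read from a QR code. The server-side `TotpVerifier` class, its clock-drift window and its replay guard are my own design choices, and the secret and account names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote, urlencode


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """The otpauth:// URI the site encodes into the enrolment QR code.
    This is the only time the secret travels between site and app."""
    label = quote(issuer) + ":" + quote(account)
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period).
    The phone runs exactly this, offline, from the secret it scanned."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // period, digits)


class TotpVerifier:
    """Server-side check (assumed design). Accepts the current step plus
    `window` steps either side to tolerate clock drift, and remembers the
    last accepted step so a captured code cannot be replayed."""

    def __init__(self, secret_b32: str, period: int = 30, window: int = 1):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.period = period
        self.window = window
        self.last_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        if len(code) != 6 or not code.isdigit():
            return False
        step = at // self.period
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self.last_step:
                continue  # this step (or an older one) was already used
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Enrolment: site generates a secret and shows it as a QR code (the URI below).
    secret_b32 = new_secret()
    print(provisioning_uri(secret_b32, "alice@example.com", "ExampleCorp"))
    # Login: the phone computes the code, the site verifies it; no network between them.
    phone_code = totp(base64.b32decode(secret_b32))
    print("phone shows:", phone_code, "-> accepted:", TotpVerifier(secret_b32).verify(phone_code))
```

The RFC test key `12345678901234567890` (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) reproduces the published vectors, so you can check an implementation against it before trusting it with real secrets. Note what the verifier does not do: it cannot tell the difference between the real user and an attacker who phished a still-valid code, which is why the next step up from TOTP is a hardware key bound to the site's origin.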
The biggest pitfall of this authentication method is if something happens to your smartphone (e.g., it’s lost, stolen or just dies outright). If you suddenly don’t “have” the thing you had used to prove yourself, you can use one of the backup codes you saved when you enrolled; if you didn’t save them, your only option is to reach out to the support team of the company you’re trying to log into and see if they can reset your MFA settings on the back end so you can set up another device. Expect them to verify your identity some other way first; a helpdesk that resets MFA on request without checking is exactly the weak link an attacker will call.
This happened to me earlier this year, when my phone fell and then refused to turn back on. I got a new phone quickly enough, got my phone number transferred over, restored my iCloud backup and got all my apps back. At first, all seemed good. Then I opened my authentication code app to get logged into work the next day and . . . it was empty. After a minor panic attack, I reached out to the necessary admins, and they were able to reset the system so I could create a new MFA link to my new phone. When this happens to you (and it will, especially considering how frequently people replace their phones these days), don’t panic! If you don’t know who to call, call us at Vermont Panurgy and we’ll help you get pointed in the right direction to get your new MFA setup complete.