Do you find it annoying to have to deal with Multi-Factor Authentication?
Multi-factor authentication (MFA) is that extra log-in step that cyber experts, including Microsoft and the FBI, say will stop 95 percent of attacks. (Some say 99 percent!)
We will stipulate: It can be annoying to have to stop and provide that extra credential. Likely you must reach for your phone, unlock it, and get that code. Oops, wait, where did I leave my phone?
However, the Internet has made access to information and communication much easier than prior generations experienced. We forget that, perhaps, when we feel a frisson of annoyance at having to take an additional step.
But it works. You need to do it. On every account.
Some multi-factor methods are better than others, but all are better than nothing. Plus most MFA solutions are free.
The recent breach of Uber gave us a new cybersecurity term: MFA Fatigue. This is when a hacker bombards a user with numerous approval requests. The user succumbs and approves a request, letting the hacker in.
Reports suggest the Uber hacker sent notifications that simply asked, “Approve this request? Yes/No.”
More secure multifactor apps require you to type in numbers from your phone or a device screen. They can be the six-digit codes texted to you or the six-digit codes provided by an authenticator app you’ve linked to particular log-in accounts.
The Microsoft Authenticator app uses a system where you must be on a screen logging in to get a two-digit number. You must type that number into the Authenticator app on your phone to log in.
This approach would have prevented the Uber hacker from sending the blizzard of approval requests.
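The MFA fatigue pattern described above leaves a recognizable trail in authentication logs: a run of unapproved push prompts for one account, sometimes ending in an approval. The sketch below is an added example, not code from this article or from any vendor; the event format, field names, 10-minute window and threshold of four prompts are assumptions to tune for your own environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA events (ISO time, user, result); not real log data.
SAMPLE_EVENTS = [
    ("2024-01-10T21:00:05", "alice", "denied"),
    ("2024-01-10T21:00:40", "alice", "denied"),
    ("2024-01-10T21:01:10", "alice", "timeout"),
    ("2024-01-10T21:01:55", "alice", "denied"),
    ("2024-01-10T21:02:30", "alice", "denied"),
    ("2024-01-10T21:03:02", "alice", "approved"),
    ("2024-01-10T09:00:00", "bob", "approved"),
    ("2024-01-10T13:30:00", "bob", "denied"),
    ("2024-01-10T13:30:20", "bob", "approved"),
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag bursts of unapproved push prompts and approvals that follow a burst.

    window and threshold are assumed defaults, not vendor recommendations.
    """
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = []
    for ts, user, result in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        q = recent[user]
        while q and now - q[0] > window:  # forget prompts older than the window
            q.popleft()
        if result == "approved":
            if len(q) >= threshold:
                # Highest priority: the user may have given in to the prompts.
                alerts.append({"kind": "approved_after_burst", "user": user,
                               "time": ts, "prior_unapproved": len(q)})
            q.clear()
        else:
            q.append(now)
            if len(q) == threshold:  # alert once when the burst first forms
                alerts.append({"kind": "prompt_burst", "user": user,
                               "time": ts, "prior_unapproved": len(q)})
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to act on first: review the session that approval opened and have the user reset their credentials.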
Currently, the most secure multifactor method is a physical device that attaches to your computer or other devices. However, these devices are small, and if you are prone to misplacing your phone, losing one would be a nightmare, as you would be locked out unless you had a second device (and knew where it was).
What about biometrics? That is a secure method, but be advised that it’s possible to build a database of fingerprints and retinal scans from hacked devices. Law enforcement agencies aren’t the only ones with biometric databases.
Thus, unless you are an employee of the National Security Agency or CIA, MFA will involve typing in numbers for the foreseeable future.
And if you continue feeling annoyed, our guess is you’re just not used to it. You don’t get annoyed when you lock your doors, right?
The U.S. Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, has more information about multifactor authentication and other important cyber measures everyone needs to follow.
And if your organization needs help implementing an enterprise multi-factor authentication program, contact us – we may be able to help!