Passwords used to be the be-all and end-all of account protection. As long as your password was long enough, unique enough, and complicated enough with a good mix of upper and lower case letters, numbers, and symbols, it was practically crack-proof. Those days, however, are long gone. That’s because hackers, unfortunately, have many methods of stealing or obtaining passwords at their disposal. One method is brute force, which is a time-consuming but aggressive tactic for determining passwords using application programs that go through all possible combinations of letters, numbers, and symbols to find a password. Clever cyber thieves who prefer to let the victims themselves do some of the work employ social engineering attacks like phishing emails, which are disguised as messages from familiar sources like a bank and ask the user to update his account or make a payment with a provided link. The link, however, takes a victim to a fake website that acquires the victim’s username and password once he enters his credentials on what he thinks is his bank account website.
Internet technologies have been a two-edged sword that has allowed users to do so much online while creating gateways for cyber criminals to infiltrate networks and devices to steal data and compromise organizations. As a result, IT and cybersecurity professionals have created a method for users and organizations to use that does not totally wipe out account attacks but makes them harder to pull off: multi-factor authentication. Virtually every type of application providing accounts, from email and bank apps to social media sites, provides its users with the option of using multi-factor authentication (MFA), also called two-factor authentication (2FA), to log into their accounts. Some vigilant users who come across this authentication option take advantage of it, but others glance at it and ignore it, assuming that it’s an extra time-consuming step that they don’t have time to do. However, MFA doesn’t necessarily make the login process more complicated; it can actually make it quicker and easier, in addition to making it safer. Keep reading for an explanation of how multi-factor authentication works and the benefits it offers both individual users and organizations.
How Multi-Factor Authentication Works
Multi-factor authentication is based on the fact that the MFA process grants a user access to an account by verifying at least two of three types of factors related to the user:
- A piece of information that the user knows, such as a password or PIN code
- Something that the user has in his possession, e.g., a smartphone or an email account
- A characteristic of the user’s identity, such as a fingerprint, retina scan, or voice or facial recognition
For example, if a person logs into his bank account using a bank app on his smartphone and has MFA enabled on that app, he will be prompted for a six-digit passcode after entering his password. The app will give him the option of having the passcode sent to his phone via SMS text message or through a message sent to an email account he has on file with the bank. The user will then retrieve this code from either the text message or his email, enter it into the designated field in the app, and gain access to his account. These passcodes are typically time-sensitive; they usually must be entered into the app within 15 minutes of being sent. Otherwise, the login session will time out and the user will have to enter his password again.
Therefore, with MFA, users have an extra level of security that deters cyber thieves from trying to steal from them. To break into an account with multi-factor authentication, a thief would have to acquire at least two pieces of information. One piece, usually the password, may be relatively easy for a hacker to get, but the second piece, a time-sensitive passcode sent to a mobile device, would be more difficult to obtain because it would require the thief either to get his hands on the victim’s physical phone or to somehow intercept the text message and grab the code within the allotted time frame. Getting this second piece of information would be far more time-consuming and could be risky, so hackers are more likely to pass on a potential victim with MFA and look for targets who do not have any high-level security barriers set up on their accounts.
Why Multi-Factor Authentication is Useful
Another core concept with multi-factor authentication is the understanding that no individual factor on its own provides sufficient protection for an individual’s account. As explained earlier, there are long-standing methods that thieves use to crack passwords of accounts, but the other MFA factors can also be compromised. For instance, when it comes to the MFA factor of something the user possesses like a mobile phone, not only can thieves intercept the one-time passcodes sent via SMS, but they can also steal phone numbers that are used to send these messages through SIM swap scams. Even the third factor related to a unique feature of a user’s identity, or biometric data, can be stolen; fingerprints, for example, can be replicated. Another disadvantage with biometric data is that once it has been compromised, it can never be used again for authentication. Therefore, by being used together, the multiple factors create a level of complexity in which one factor’s strengths compensate for another factor’s vulnerabilities, reducing the overall chances of a cyber thief successfully hacking into a user’s account.
Although these multiple factors of authentication make the account login process more elaborate by nature with the extra steps, MFA can actually make the login process easy through capabilities like single sign-on (SSO). Service providers like Google and RingCentral offer SSO that allows users to log into multiple related or linked applications in one centralized location so that once they go through the authentication process one time for one account, they do not have to repeat the process for other accounts. Therefore, although MFA requires more steps than the traditional password login process, it can actually provide convenience and save time for users by being used simultaneously to access more than one account.
Stay Informed on Cybersecurity Issues
As important as security measures like multi-factor authentication are, what’s just as critical, if not more, is security knowledge of cyber attacks and trends on the Internet. If cybersecurity is a totally unfamiliar topic to you, or maybe it’s not unfamiliar but you’ve been out of touch with what’s going on in the cyber world, build or rebuild your knowledge with courses from Cybrary.