Introducing Multi-Factor Authentication
With an ever-increasing number of malicious attackers in the cyber world, industry standards and recommendations change more frequently than ever. Both corporate and consumer businesses need to look deeper into securing their data, that’s where Multi-Factor Authentication (referred to as MFA onwards) comes into action. MFA is a set of measures enabled to help users protect their accounts whether it be for banking accounts or documents or anything of value. A common form of MFA is a text message with a code sent to a mobile number which can then be entered on a computer or mobile device to confirm a login attempt. Other common methods are time-based codes for each account shown through an app (known as an authenticator app). Alternatively, biometrics such as fingerprints or voice/face recognition can also be used. A helpful feature of MFA is that, within a short period of time, using MFA once will allow the user to log in to valuable apps and documents without the need to use MFA every time. However, this will only work for a short period of time and eventually, the user will need to confirm a login attempt with MFA.
MFA is important
Nowadays the majority of people use passwords or PIN combinations to guard their phones, computers or data. Whilst this provides security by narrowing access to people who know the password or PIN this often proves to be insufficient. Frequently people be will use either a single or handful of passwords that they can remember across all their accounts. Security-wise this is a danger by itself as it would only take one or two accounts to be breached to get access to potentially everything that a user has access to. By enabling MFA there is always an additional factor for security.
Let’s say that a password is found out by a malicious actor and they attempt to log in, if text message codes were enabled, the owner of the account would receive a code on their phone. By seeing the code appear whilst knowing that no login attempt was made by them, it is a safe assumption that the password was compromised and should be changed. In the same scenario, if prompted to scan a fingerprint then the only way for the bad actor to gain access would be with the consent and participation of the account owner.
What we recommend
It is always highly advisable to prioritise password length over complexity, the more letters and characters in place, the more secure the password. With all that said there’s always a potential inconvenience to users when their usual behaviour of passwords with rememberable words or events is changed to lengthy and ambiguous characters. Increasing password length is always a good way to go, however, it is still a single line of defence, if it becomes known there are no other means of preventing access.
MFA helps end-users by providing more flexible criteria for creating passwords. They can use something they can reasonably remember and only have to spend a little more than a handful of seconds on going through the first login steps. With an example of time-based codes from an app, the user would just type their rememberable password of 12 or more characters, take their phone, open an authenticator app (e.g. Google Authenticator) and enter a short 6-8 digit code. As a result of spreading the login process across at least two methods of authentication, the user can use relatable passwords which they are a lot less likely to forget and can keep their accounts secure.
This blog was written by Flynn Liepins, our IT Support Apprentice.