Secure access to your online accounts: use a strong password plus an additional step of identification

An online account that is protected with just a password is vulnerable to a breach: if that password is stolen, guessed or brute forced, someone unauthorised can access the account from anywhere in the world. Make your accounts more secure by adding another step of verification.

According to Microsoft's analysis of account compromises, an account protected with multi-factor authentication is more than 99.9% less likely to be compromised than one protected by a password alone.

What is 2FA, 2SV and MFA?

Two-factor authentication (2FA) and two-step verification (2SV) are commonly used to mean the same thing: an extra step added to the basic log-in procedure for an online account. Strictly speaking, 2SV means two steps of any kind, while 2FA means two different types of factor; the distinction matters because two steps of the same type (for example a password and a security question, both things you know) give much less protection. Without 2FA, you enter your username and password and you are done: the password is your single factor of authentication. The second factor makes your account more secure. Multi-factor authentication (MFA) is the general term for any number of factors greater than one.
2FA and MFA require the user to present two or more different types of credential before being able to access an account. Using two credentials of the same type is not two-factor authentication.

The three types are:

  • Something you know, such as a personal identification number (PIN), password or a security question (what is the name of your first pet?)
  • Something you have, such as an ATM card, phone, or security token (a small security device with built-in authentication)
  • Something you are, such as a fingerprint, retinal pattern, or voice print. These factors are called biometrics.

Why is MFA important?

Stealing personal information such as usernames and passwords, bank account details and credit card numbers is incredibly profitable for criminals. They can send fraudulent emails from your account, make fraudulent purchases with your credit card, use your identity to take out loans and open new accounts, and go on to launch other attacks against you.

The strategy for many cyber criminals is to collect as many stolen passwords as they can in the shortest amount of time and then use automated tools to try those username and password pairs against as many other services as possible at once, an attack known as credential stuffing. According to Breach Alarm, 1 million passwords are stolen every week.

Passwords have been the mainstream form of authentication since the earliest days of computing. However, if we consider that 90% of passwords can be cracked in less than six hours and that two-thirds of people still use the same password everywhere, they are clearly not as secure as they need to be.

The vulnerability of passwords is the main reason for requiring MFA. With multi-factor authentication in place, a guessed or stolen password on its own is no longer enough to get into the account, so attacks that rely only on the password fail. This extra layer of protection drastically reduces the chances of fraud, data loss or identity theft. Note that not every type of MFA gives the same level of protection: a code that the user types in can itself be phished and relayed by an attacker in real time, whereas FIDO-based tokens (described below) are resistant to phishing.

Organisations are increasingly using cloud services as a way to share access to their company files remotely, with employees accessing data from outside the office, sometimes from their own devices. There has been an increasing number of attacks on cloud services that use techniques to steal users' passwords and access their accounts. Microsoft reports that there are over 300 million fraudulent sign-in attempts against its cloud services every day.

Most data breaches involve weak, default or stolen passwords, so today it is considered essential to protect access to all cloud services with the extra step of multi-factor authentication (MFA).

 

What type of MFA is acceptable for business use?
Multi-factor authentication requires the user to have two or more types of credentials before being able to access an account.

The National Cyber Security Centre (NCSC) recommends four types of additional factor that may be considered for businesses:

A trusted device: MFA techniques that use a trusted device rely on the knowledge that the user possesses a specific device (e.g. a company-managed computer) to prove they are who they say they are.

An application: An authenticator app generates a single-use code that changes at a fixed interval, typically every 30 seconds. Alternatively, an app can receive push notifications that prompt the user to confirm or deny that they are currently trying to log in to a named service. A push prompt should name the service and, ideally, the device or location attempting the log-in, and users should deny any prompt they did not trigger themselves, since an attacker who already holds the password can send a stream of prompts hoping that one is approved.

A physically separate token: These techniques use the knowledge that a user has a *physical security token, which proves they are who they say they are. Some types will require the user to unlock them before use, others just require proof of possession.
*Examples of physically separate tokens are FIDO Universal 2nd Factor (U2F) authenticators such as the YubiKey, smartcards that are unlocked by a PIN code, and devices such as RSA tokens and chip-and-PIN card readers which generate a single-use code each time a user logs in.

A known trusted account: These techniques send codes to a registered email address or phone number.
The service sends an SMS message containing a single-use code, or makes a voice call in which a single-use code is read out, to the phone number registered for that user. SMS is not the most secure type of MFA, because the phone number can be taken over (for example through a SIM-swap attack) or the message intercepted, but it still offers a huge advantage over not using any MFA. Alternatively, the service emails a single-use code to the email address registered for that user. A code for the user to type in is preferable to a clickable link, as it is difficult for a user to distinguish between a legitimate email and a phishing email.

MFA need not be demanded every time a user connects to a cloud service. Services can remember a device or session for a period and reserve the extra check for the occasions that matter, such as a first sign-in from a new device or location, a password reset, or access to sensitive settings, where the additional factor is needed to fully authenticate the user.

In summary

MFA is an extra barrier that is far harder for attackers to get past than a password alone. Whether an attacker acquires your password through a phishing attack, from credentials stolen in another breach, or by cracking it with a brute-force attack, if you have MFA enabled the password on its own will not get them in.